Mini-Project Part 1 - National School of Cyber Security (NSCS), Algeria
Course: Operating Systems (Foundation Training) | Academic Year: 2025/2026
Supervisor: Dr. BENTRAD Sassi
Developed by: Akeb Abdelkarim & Kerd Abderrahim
Submission Date: March 30, 2026
A fully automated Linux system audit and monitoring solution built with pure Bash scripting. The tool collects hardware and software information, generates multi-format reports, sends them via email, supports remote monitoring over SSH, and automates execution with cron jobs.
- Features
- Project Structure
- Requirements
- Installation
- Configuration
- Usage
- Report Formats
- Email Setup
- Remote Monitoring via SSH
- Cron Automation
- Bonus Features
- Team & Contributions
- License
| Feature | Description |
|---|---|
| Hardware Audit | CPU, GPU, RAM, Disk, USB, Motherboard info |
| Software Audit | OS, Kernel, packages, services, processes, open ports |
| Report Generation | Short & full reports in .txt, .html, .json |
| Email Delivery | Send reports via msmtp, sendmail, or mail |
| Remote Monitoring | Live system info & report transfer via SSH/SCP |
| Cron Automation | Schedule audits automatically |
| Report Comparison | Detect changes between two report snapshots |
| CPU Alert | Alert when CPU usage exceeds a configurable threshold |
| Log Integrity | Verify audit logs using sha256sum |
| Colorized Terminal | ANSI color-coded interactive menu |
```
linux-audit-system/
├── README.md
├── .gitignore
├── .gitattributes
├── scripts/
│   ├── main.sh                # Interactive menu - entry point
│   ├── auto_audit.sh          # Silent pipeline - called by cron
│   ├── hardware_audit.sh      # Hardware data collection
│   ├── software_audit.sh      # Software & OS data collection
│   ├── report_generator.sh    # Report generation (txt/html/json)
│   ├── email_sender.sh        # Email delivery via msmtp/sendmail
│   ├── remote_monitor.sh      # SSH-based remote monitoring & SCP transfer
│   ├── scheduler.sh           # Cron job setup and automation
│   └── utils.sh               # Shared colors, logging, error handling
├── config/
│   ├── audit.conf             # Main configuration (paths, thresholds)
│   └── email.conf             # Email configuration (SMTP, recipient)
├── reports/
│   ├── examples/
│   │   ├── example_short_report.txt
│   │   ├── example_full_report.html
│   │   └── example_full_report.json
│   └── .gitkeep
├── logs/
│   └── .gitkeep
├── docs/
│   ├── technical_report.pdf
│   ├── design_architecture.md
│   └── screenshots/
└── tests/
    ├── test_hardware.sh
    └── test_software.sh
```
- OS: Ubuntu 20.04+ or Kali Linux
- Shell: Bash 4.0+
- Privileges: Some commands require `sudo` (e.g., `dmidecode`)
bash, coreutils, procps, iproute2, util-linux, net-tools/iproute2
systemd, lsblk, lsusb, lspci, df, free, top, ps, ss
```bash
sudo apt install msmtp msmtp-mta    # Email sending
sudo apt install openssh-client     # Remote monitoring
sudo apt install pciutils           # GPU info (lspci)
sudo apt install usbutils           # USB info (lsusb)
```

```bash
git clone https://github.com/kariimdev/linux-audit-system.git
cd linux-audit-system
```

```bash
chmod +x scripts/*.sh
```

Copy and edit the configuration file:
```bash
# Edit main config
nano config/audit.conf
# Edit email config
nano config/email.conf
```

```bash
bash scripts/main.sh
```

Note: Run as root or with `sudo` to access full hardware information (e.g., `dmidecode` for motherboard details).

```bash
sudo bash scripts/main.sh
```

```bash
# Directory where reports are saved
REPORT_DIR="/var/log/sys_audit"
# CPU usage alert threshold (percentage)
CPU_THRESHOLD=80
```

```bash
EMAIL_RECIPIENT="recipient@gmail.com"
EMAIL_SENDER="your_sender@gmail.com"
SMTP_USER="your_sender@gmail.com"
SMTP_PASSWORD="your-app-password"
SMTP_HOST="smtp.gmail.com"
SMTP_PORT="587"
```

The email sender automatically detects available tools in this priority order: `msmtp` → `sendmail` → `mail`
Launch the interactive menu:

```bash
bash scripts/main.sh
```

You will be presented with the following menu:

```
================================================
 Linux System Audit & Monitoring Tool
 NSCS - Academic Year 2025/2026
================================================
Select an option:
[1] Hardware Audit
[2] Software & OS Audit
[3] Generate Short Report
[4] Generate Full Report
[5] Send Report via Email
[6] Remote Monitoring (SSH)
[7] Compare Two Reports - Bonus
[8] CPU Alert Check - Bonus
[9] Verify Log Integrity - Bonus
[0] Exit
```
You can also source and call individual modules:

```bash
# Run hardware audit
source scripts/utils.sh
source scripts/hardware_audit.sh
hardware_audit
# Generate a short report
source scripts/report_generator.sh
generate_short_report
# Send latest report via email
source scripts/email_sender.sh
send_report
```

The tool generates three formats for full reports:
| Format | Filename Pattern | Description |
|---|---|---|
| `.txt` | `full_report_YYYY-MM-DD_HH-MM-SS.txt` | Plain text, terminal-friendly |
| `.html` | `full_report_YYYY-MM-DD_HH-MM-SS.html` | Styled dark-theme web page |
| `.json` | `full_report_YYYY-MM-DD_HH-MM-SS.json` | Machine-readable structured data |
Short reports are saved as .txt only:
short_report_YYYY-MM-DD_HH-MM-SS.txt
All reports are saved to the directory configured in REPORT_DIR (default: /var/log/sys_audit).
See reports/examples/ for sample outputs.
The tool supports three email backends, detected automatically:
- Install msmtp:

  ```bash
  sudo apt install msmtp msmtp-mta
  ```

- Fill in your credentials in `config/email.conf`:

  ```bash
  EMAIL_RECIPIENT="recipient@gmail.com"
  EMAIL_SENDER="your_sender@gmail.com"
  SMTP_USER="your_sender@gmail.com"
  SMTP_PASSWORD="your-google-app-password"
  SMTP_HOST="smtp.gmail.com"
  SMTP_PORT="587"
  ```

- Select option [5] from the main menu to send.

No manual `~/.msmtprc` file required! The tool dynamically builds its own temporary configuration from `email.conf` at runtime and securely deletes it afterwards.

Gmail users: Generate an App Password. Google does not allow direct account password authentication over SMTP.
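One way to handle the runtime-built msmtp configuration described above, as an added example that is not the project's `email_sender.sh`. `with_temp_msmtprc` is a hypothetical helper, the `.example.test` values and the Debian/Ubuntu CA bundle path are assumptions, and `stat` stands in for the real `msmtp -t -C` call so the block runs offline.

```bash
#!/usr/bin/env bash
# Added example, not the project's code. with_temp_msmtprc is a hypothetical
# helper; the variable names are the ones listed in config/email.conf.

# with_temp_msmtprc CONF CMD [ARGS...]
# Runs CMD with the path of a throwaway msmtp config appended as last argument.
with_temp_msmtprc() (
    conf=$1; shift
    # CONF is executed as shell code here: it must be writable only by its owner.
    . "$conf" || exit 1
    : "${SMTP_HOST:?}" "${SMTP_PORT:?}" "${SMTP_USER:?}" \
      "${SMTP_PASSWORD:?}" "${EMAIL_SENDER:?}"
    # mktemp creates the file with mode 0600 and an unpredictable name.
    tmp=$(mktemp "${TMPDIR:-/tmp}/msmtprc.XXXXXX") || exit 1
    # Remove the secret on every exit path, including Ctrl-C and kill.
    trap 'rm -f "$tmp"' EXIT
    trap 'exit 130' HUP INT TERM
    cat > "$tmp" <<EOF
account default
host $SMTP_HOST
port $SMTP_PORT
tls on
tls_starttls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
auth on
from $EMAIL_SENDER
user $SMTP_USER
password $SMTP_PASSWORD
EOF
    rc=0; "$@" "$tmp" || rc=$?
    exit "$rc"    # the EXIT trap deletes the file
)

# Demo on a constructed email.conf; stat stands in for "msmtp -t -C".
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
EMAIL_SENDER="audit@example.test"
SMTP_USER="audit@example.test"
SMTP_PASSWORD="constructed-app-password"
SMTP_HOST="smtp.example.test"
SMTP_PORT="587"
EOF
with_temp_msmtprc "$demo_conf" stat -c 'mode=%a path=%n'
rm -f "$demo_conf"
```

With msmtp installed, the same helper would be called as `with_temp_msmtprc config/email.conf msmtp -t -C < message.eml`, where `message.eml` is a placeholder for the prepared message.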
Option [6] in the main menu enables:
- Live monitoring: pulls CPU, memory, disk, logged-in users, processes, and open ports from a remote machine via SSH
- Report transfer: copies the latest local report to the remote server via SCP
- Both: performs monitoring then transfers the report

- SSH client installed:

  ```bash
  sudo apt install openssh-client
  ```

- SSH key-based authentication set up on the remote host:

  ```bash
  ssh-keygen -t ed25519 -C "audit-tool"
  ssh-copy-id user@remote_host_ip
  ```

On launching option [6], you will be prompted for:
- Remote username (e.g., `root` or `ubuntu`)
- Remote host IP address
The tool tests the connection first, then proceeds if successful. Reports are transferred to /tmp/audit_reports/ on the remote server.
Use scripts/scheduler.sh to automatically set up, manage, or remove the background cron job without having to touch the cron table yourself:
```bash
bash scripts/scheduler.sh setup    # Installs the automated job
bash scripts/scheduler.sh status   # Checks if the job is running
bash scripts/scheduler.sh remove   # Deletes the automation safely
```

To run a full audit every day at 4:00 AM:

```bash
crontab -e
```

Add the following line:

```
0 4 * * * /bin/bash /path/to/linux-audit-system/scripts/auto_audit.sh >> /var/log/sys_audit/cron.log 2>&1
```

Cron execution is logged to logs/audit.log.
Q: My cron job runs but no email is sent!
A: Cron runs in a stripped-down environment with a minimal $PATH. If you installed msmtp locally, cron might not see it. Our script resolves absolute paths dynamically for this reason, so make sure msmtp is installed system-wide (sudo apt install msmtp).
Q: The script crashes when I select "Remote Monitoring (Option 6)".
A: This feature requires passwordless SSH login using ed25519 or rsa keys. If your system still prompts for a password when you SSH into the target host, our script's BatchMode=yes option makes the connection fail immediately instead of leaving your terminal waiting indefinitely at a prompt.
Q: My HTML report renders as raw text in my inbox!
A: If you manually tweaked the reporting engine, make sure you didn't accidentally delete the MIME-Version: 1.0 and Content-Type: text/html email headers. Without those headers directly below the Subject line, Gmail falls back to displaying the raw HTML markup.
Q: The audit log says "dmidecode requires root".
A: dmidecode reads the BIOS/UEFI DMI tables to retrieve motherboard details such as serial numbers. The Linux kernel blocks unprivileged users from reading this low-level data. Run the tool via sudo if you need this data.
Compares two audit report files and highlights differences using diff. Useful for detecting configuration changes or new processes between audit runs.
Reads CPU idle time from top, calculates usage, and compares it against CPU_THRESHOLD from audit.conf. If usage exceeds the threshold:
- Displays a red warning in the terminal
- Logs the alert to `cpu_alerts.log`
Uses sha256sum to generate and verify checksums of audit log files, detecting any unauthorized tampering.
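An added sketch of the sha256sum check described above (not the project's code; `seal_logs`, `verify_logs` and the log contents are assumptions). It goes one step beyond a plain `sha256sum -c` by also reporting log files created after the manifest was written, which the checksum check alone cannot see.

```bash
#!/usr/bin/env bash
# Added example, not the project's code; function names are hypothetical.

# seal_logs DIR MANIFEST: record a SHA-256 line for every *.log in DIR.
seal_logs() {
    ( cd "$1" && sha256sum -- *.log ) > "$2"
}

# verify_logs DIR MANIFEST (absolute path): one finding per line, status 1 if any.
verify_logs() {
    dir=$1; manifest=$2
    [ -d "$dir" ] && [ -r "$manifest" ] || return 2
    out=$(
        cd "$dir" || exit 2
        # Changed or deleted files show up as FAILED lines from sha256sum -c.
        LC_ALL=C sha256sum -c --quiet "$manifest" 2>/dev/null |
            sed -n -e 's/^\(.*\): FAILED open or read$/MISSING \1/p' \
                   -e 's/^\(.*\): FAILED$/MODIFIED \1/p'
        # Files created after sealing are invisible to -c, so list them here.
        # A manifest line is 64 hex digits, 2 separator characters, file name.
        for f in *.log; do
            [ -e "$f" ] || continue
            awk -v f="$f" 'substr($0, 67) == f { ok = 1 } END { exit !ok }' \
                "$manifest" || echo "UNLISTED $f"
        done
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Demo on constructed log files in a scratch directory.
demo() {
    d=$(mktemp -d) && m=$(mktemp) || return 1
    echo "2026-03-01 audit started" > "$d/audit.log"
    echo "2026-03-01 cpu 91% over 80%" > "$d/cpu_alerts.log"
    seal_logs "$d" "$m"
    echo "2026-03-01 cpu 12% ok" > "$d/cpu_alerts.log"   # edited entry
    rm -f "$d/audit.log"                                  # deleted log
    echo "planted" > "$d/extra.log"                       # file added later
    verify_logs "$d" "$m" || echo "integrity check failed"
    rm -rf "$d" "$m"
}
demo
```

A manifest stored beside the logs can be regenerated by whoever altered them, so keep it on another host or on read-only media.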
| Person | Role | Responsibilities |
|---|---|---|
| Akeb Abdelkarim | Software Audit, Docs & Automation | software_audit.sh, utils.sh, scheduler.sh, config/audit.conf, README.md, Tests, Architecture Docs |
| Kerd Abderrahim | Hardware Audit, Output & Integration | hardware_audit.sh, main.sh, report_generator.sh, email_sender.sh, remote_monitor.sh |
- `main` branch: stable, production-ready code
- `feature/data-collection`: Person A's working branch
- `feature/output-communication`: Person B's working branch
- All changes merged to `main` via Pull Requests
feat: new feature
fix: bug fix
docs: documentation only
chore: configuration, build, maintenance
- `docs/technical_report.pdf`: Full technical report (3-5 pages)
- `docs/design_architecture.md`: System design and architecture
- `docs/screenshots/`: Menu interface, cron config, report output screenshots
This project is developed for academic purposes at the National School of Cyber Security (NSCS), Algeria. Not for commercial use.




