Security Hardening & Automation Framework
In Development. Security Engineering
A Python-based framework that automates hardening Linux systems against CIS benchmarks. Instead of manually checking hundreds of security settings, the framework audits a system, identifies gaps, applies fixes, and generates a compliance report. This is the kind of tooling Security Engineers build internally at companies.
What This Project Is About
Security Engineers don't just find problems. They design and build systems that prevent them. This project is about building a tool that takes a fresh Linux machine and hardens it to a known security standard, automatically.
CIS (Center for Internet Security) Benchmarks are industry-standard checklists for securing operating systems. They cover hundreds of settings: password policies, file permissions, kernel parameters, network configuration, logging, and more. Manually checking all of these is tedious and error-prone, which is exactly why Security Engineers automate it.
The framework runs as a set of Python scripts against Linux VMs (Ubuntu/Debian) running in VirtualBox. Each module handles a different security domain: one configures iptables firewall rules to restrict network traffic, another enforces file permission standards, another sets up proper logging with rsyslog, and another audits user accounts and SSH configuration.
After running, the framework generates a compliance report: a summary of what was checked, what passed, what failed, and what was automatically fixed. This is the same kind of output that internal security teams produce during hardening reviews.
The project also includes a "drift detection" mode that can be run periodically to check if a previously hardened system has drifted from its secure baseline, a common real-world requirement.
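The audit, report, and drift-detection flow described above can be sketched for the SSH module as follows. This is an added example, not the project's own code: the function names, the policy values, and the sample configurations are assumptions made for illustration, and real expected values should come from the CIS benchmark being targeted.

```python
# Added illustration: audit sshd_config text against a small policy,
# then compare a later audit with the stored baseline to find drift.

# Assumed sample policy (not quoted from any CIS benchmark document).
POLICY = {
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
}

def parse_sshd_config(text):
    """Return global settings. Keywords are case-insensitive and sshd
    uses the first value it sees for a keyword, so later lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":  # Match blocks are conditional, not global
            break
        if len(parts) == 2:
            settings.setdefault(key, parts[1].strip().lower())
    return settings

def audit(text, policy=POLICY):
    """Build the compliance report; a keyword that is not set explicitly fails."""
    found = parse_sshd_config(text)
    report = {}
    for key, expected in sorted(policy.items()):
        actual = found.get(key)
        status = "PASS" if actual == expected else "FAIL"
        report[key] = {"expected": expected, "actual": actual, "status": status}
    return report

def detect_drift(baseline, current):
    """Return the keywords whose observed value changed since the baseline."""
    return sorted(k for k in baseline if baseline[k]["actual"] != current[k]["actual"])

# Constructed sample inputs.
HARDENED = "# sample\nPermitRootLogin no\nPermitEmptyPasswords no\nX11Forwarding no\nMaxAuthTries 4\n"
# A line inserted above the hardened settings wins, even though "no" still appears later.
DRIFTED = "PermitRootLogin yes\n" + HARDENED

if __name__ == "__main__":
    for key, row in audit(DRIFTED).items():
        print(f"{row['status']:4} {key}: expected={row['expected']} actual={row['actual']}")
    print("drift:", detect_drift(audit(HARDENED), audit(DRIFTED)))
```

The drifted sample shows why a check that only searches the file for the hardened line is not enough: the hardened line is still present, but an earlier conflicting line takes effect.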
What I'll Learn
How to harden Linux systems following industry-standard benchmarks (CIS).
How to write Python automation for security operations.
How iptables firewall rules, file permissions, SSH configuration, and logging work at a deep level.
How to build tooling that other engineers can use, designing for reusability, not just one-off scripts.
How Security Engineers think about compliance and system baselines.
Why This Role Matters
Security Engineers build and design security systems. They don't just operate them. This role exists at every major tech company (Amazon, Microsoft, Google) and is hard to automate because it requires understanding complex systems, making architectural trade-offs, and building tools that work across different environments. This project demonstrates the "builder" mindset that distinguishes Security Engineers from analysts.
Technologies
Python • Linux (Ubuntu/Debian) • CIS Benchmarks • iptables • rsyslog • SSH • Bash • VirtualBox