| name | security-audit |
| description | Audit host security using built-in system tools (netstat, lsof, ss, ufw, systemctl, ps, who, last). Check open ports, running services, listening processes, firewall rules, and recent logins. No external CLI needed. Use when user says "security audit", "check open ports", "harden server", or "what's listening on my machine".
|
| allowed-tools | ["Bash","Read","Write"] |
| model | haiku |
| user-invocable | true |
| when_to_use | When user wants to audit host security, check for open ports, review running services, inspect firewall rules, or assess overall system risk. Triggers: "security audit", "open ports", "what's listening", "check firewall", "harden my server", "who's logged in", "suspicious processes", "security check".
|
| argument-hint | <scope: full|ports|services|firewall|logins|processes> |
Security Audit
Audit host security using built-in system tools. No external tools required —
uses netstat, lsof, ss, ufw/iptables, systemctl, ps, who, and last.
Prerequisites
No install needed. All tools are standard on macOS and Linux.
For Linux firewall checks, ufw or iptables must be available. On macOS, pf is used.
Commands
Open Ports & Listening Processes
ss -tlnp
netstat -an | grep LISTEN
lsof -i -P -n | grep LISTEN
Running Services (Linux)
systemctl list-units --type=service --state=running
systemctl status sshd
Firewall Rules
sudo ufw status verbose
sudo iptables -L -n -v
sudo pfctl -s rules
Active Logins & Recent Access
who
last -20
sudo grep "Failed password" /var/log/auth.log | tail -20
log show --predicate 'eventMessage contains "Failed password"' --last 1h
Running Processes
ps aux --sort=-%cpu | head -20
ps aux | grep -v grep | awk '{print $1,$11}' | sort -u
File Permissions & SUID Binaries (Linux)
find / -perm /4000 -type f 2>/dev/null
find /tmp /var /etc -perm -o+w -type d 2>/dev/null
Usage Examples
Full security snapshot:
echo "=== LISTENING PORTS ===" && lsof -i -P -n | grep LISTEN
echo "=== ACTIVE LOGINS ===" && who
echo "=== RECENT LOGINS ===" && last -10
echo "=== RUNNING SERVICES ===" && (systemctl list-units --type=service --state=running 2>/dev/null || echo "systemctl not available")
Quick port exposure check:
lsof -i -P -n | grep LISTEN | awk '{print $1, $9}' | sort -u
Rules
- Always run commands as current user; if
sudo is needed, note it but don't auto-run
- Never modify firewall rules or kill processes without explicit user confirmation
- Summarize findings into risk levels: Critical / High / Medium / Low / Info
- Save full audit output to
workspace/security-audit-<date>.md
- Flag any port listening on
0.0.0.0 or :: (all interfaces) as higher risk than localhost-only
- Highlight: unexpected listening ports, unknown processes, recent failed logins, world-writable dirs
- macOS vs Linux: detect with
uname -s and use appropriate commands
- Keep final report concise: executive summary + categorized findings + recommended actions