dotlinux guide

Your First Linux Security Audit: What to Expect

Linux powers everything from personal laptops to enterprise servers, cloud infrastructure, and embedded systems. Its open-source nature and flexibility make it a top choice, but with great power comes great responsibility—specifically, the need to secure it. A Linux security audit is a systematic process of evaluating your system’s security posture to identify vulnerabilities, misconfigurations, and compliance gaps. Whether you’re a system administrator, developer, or hobbyist, understanding how to conduct your first Linux security audit is critical to protecting your systems. This blog will guide you through the fundamentals of a Linux security audit, what to expect, practical steps, tools, and best practices to ensure your audit is effective and actionable.

What is a Linux Security Audit?

A Linux security audit is a structured assessment of a Linux system’s security controls, configurations, and practices. Its goals include:

  • Identifying vulnerabilities (e.g., outdated software, misconfigured permissions).
  • Ensuring compliance with security policies (e.g., CIS Benchmarks, GDPR).
  • Verifying the effectiveness of existing security measures (e.g., firewalls, logging).
  • Mitigating risks before they’re exploited by attackers.

Audits can be automated (using tools) or manual (hands-on inspection), but most combine both. For beginners, starting with automated tools and supplementing with manual checks is the best approach.

Pre-Audit Preparation

Before diving into the audit, lay the groundwork to ensure efficiency and accuracy:

1. Define Scope & Goals

  • What systems will you audit? (e.g., a single server, a fleet of VMs, or a network segment).
  • What aspects matter most? (e.g., user access, network ports, or malware).
  • Compliance requirements? (e.g., CIS, HIPAA, or internal policies).

2. Gather Tools & Permissions

  • Tools: Install essential audit tools (see Tools for Your Audit).
  • Permissions: Ensure you have sudo or root access to run privileged checks (e.g., scanning logs, checking SUID files).
  • Documentation: Have system diagrams, asset lists, and baseline configurations (e.g., expected services, user roles).

3. Plan for Remediation

Audits reveal issues—prepare a process to prioritize and fix them (e.g., critical vs. low-risk vulnerabilities).

Core Components of a Linux Security Audit

Let’s break down the key areas to audit, with actionable commands and examples.

System Hardening & OS Integrity

Ensure the operating system is configured securely and hasn’t been tampered with.

Key Checks:

  • OS Version & Updates: Verify the OS is up-to-date to patch known vulnerabilities.

    # Check OS version
    lsb_release -a  # Debian/Ubuntu
    cat /etc/os-release  # Generic Linux
    
    # Check for pending updates
    sudo apt update && sudo apt list --upgradable  # Debian/Ubuntu
    sudo dnf check-update  # RHEL/CentOS/Fedora
  • File Permissions: Misconfigured permissions (e.g., world-writable /etc/passwd) are a common risk.

    # Check critical file permissions
    ls -l /etc/passwd /etc/shadow /etc/sudoers
    
    # Find world-writable files (excluding /proc and /sys; run as root so every directory is readable)
    sudo find / -type f -perm -0002 ! -path "/proc/*" ! -path "/sys/*" 2>/dev/null
    
    # Find SUID/SGID files (run with root privileges). The two -perm tests are grouped in
    # parentheses so that -type f and the path exclusion apply to both; -ls shows mode and owner.
    sudo find / -type f \( -perm -4000 -o -perm -2000 \) ! -path "/proc/*" -ls 2>/dev/null  # SUID (4000) or SGID (2000)

    Why? SUID files run with the owner’s privileges (often root), so a vulnerable SUID binary can lead to privilege escalation. Compare the list against a baseline taken from a freshly installed system of the same distribution and investigate any binary you can’t account for.

  • Immutable Files: Ensure critical files (e.g., /etc/passwd) can’t be modified accidentally.

    # Check if a file is immutable (lsattr requires root)
    sudo lsattr /etc/passwd

    Note: Immutable files show i in the output (e.g., ----i--------e-- /etc/passwd).
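The permission and SUID checks above, turned into a repeatable baseline check. This is an added example, not code from the page: the BASELINE modes, the allowlist format and the ROOT prefix are assumptions, and the demo tree is constructed so the script runs without root.

```bash
#!/bin/sh
# Permission-baseline check for the checks above. Added example, not from the
# page: the BASELINE entries, the allowlist format and the ROOT prefix are
# assumptions; on a live host pass ROOT="" and your own allowlist file.

# "path mode" pairs: typical Debian/Ubuntu defaults (adjust for your distro).
BASELINE='/etc/passwd 644
/etc/shadow 640
/etc/sudoers 440'

# check_modes ROOT -> prints "MISMATCH path actual expected" or "MISSING path"
# for each deviation; prints nothing when the baseline is met.
check_modes() {
    root=$1
    printf '%s\n' "$BASELINE" | while read -r path mode; do
        f="$root$path"
        if [ ! -e "$f" ]; then
            printf 'MISSING %s\n' "$path"
        elif [ "$(stat -c '%a' "$f")" != "$mode" ]; then
            printf 'MISMATCH %s %s %s\n' "$path" "$(stat -c '%a' "$f")" "$mode"
        fi
    done
}

# find_unexpected_suid ROOT ALLOWLIST -> lists SUID/SGID files under ROOT whose
# path (with ROOT stripped) is not an exact line in ALLOWLIST. The -o test is
# parenthesised so -type f applies to both branches.
find_unexpected_suid() {
    root=$1 allow=$2
    find "${root:-/}" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while read -r f; do
        rel=${f#"$root"}
        grep -qxF -- "$rel" "$allow" || printf 'UNEXPECTED-SUID %s\n' "$rel"
    done
}

# Demo on a constructed tree (runs without root). On a real host use
# check_modes "" and find_unexpected_suid "" /etc/audit-suid-allowlist (assumed path).
DEMO=$(mktemp -d)
mkdir -p "$DEMO/etc" "$DEMO/usr/bin"
echo x > "$DEMO/etc/passwd";      chmod 644 "$DEMO/etc/passwd"
echo x > "$DEMO/etc/shadow";      chmod 666 "$DEMO/etc/shadow"   # deliberately too open
echo x > "$DEMO/usr/bin/sudo";    chmod 4755 "$DEMO/usr/bin/sudo"
echo x > "$DEMO/usr/bin/oddtool"; chmod 4755 "$DEMO/usr/bin/oddtool"
printf '/usr/bin/sudo\n' > "$DEMO/suid-allowlist"
check_modes "$DEMO"
find_unexpected_suid "$DEMO" "$DEMO/suid-allowlist"
```

The demo reports the over-permissive shadow file, the missing sudoers file and the SUID binary that is not on the allowlist; stat -c is GNU coreutils syntax.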

User & Access Control

Weak user management is a leading cause of breaches. Audit user accounts, passwords, and sudo access.

Key Checks:

  • User Accounts: Identify orphaned accounts, unnecessary users, or UID 0 (root) users.

    # List all users
    cut -d: -f1 /etc/passwd
    
    # Check for UID 0 users (other than root)
    awk -F: '$3 == 0 && $1 != "root" {print $1}' /etc/passwd
    
    # Find inactive users: -b N prints only accounts whose last login is more than N days old
    # (accounts that have never logged in are listed too and are worth reviewing)
    sudo lastlog -b 90
  • Password Policies: Ensure strong passwords and expiration rules.

    # Check password-ageing defaults (shadow-utils; /etc/login.defs exists on most distributions).
    # These apply only to accounts created after they were set; chage shows an existing account's values.
    grep -E '^PASS_(MAX_DAYS|MIN_DAYS|WARN_AGE)' /etc/login.defs
    
    # Check a user’s password expiration (reading another user’s ageing data requires root)
    sudo chage -l username  # Replace "username" with the actual user

    Goal: PASS_MAX_DAYS should be ≤ 90, PASS_MIN_DAYS ≥ 1, and PASS_WARN_AGE ≥ 7.

  • Sudo Access: Audit who can run commands as root.

    # Check sudoers syntax without opening an editor, then view the rules (always edit with visudo)
    sudo visudo -c && sudo cat /etc/sudoers /etc/sudoers.d/*
    # List what a specific user may run, including grants via groups such as %sudo or %wheel
    sudo -l -U username

    Red Flag: Lines like username ALL=(ALL) NOPASSWD: ALL grant unrestricted sudo access without a password.
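The UID 0 and password-policy checks above as one script that can be run against the real files or against samples. This is an added example, not code from the page: the sample passwd and login.defs contents are constructed, and the thresholds are the targets stated in the Goal line.

```bash
#!/bin/sh
# Account and password-policy checks over /etc/passwd-style and login.defs-style
# files. Added example, not from the page: the sample file contents are
# constructed; the thresholds are the targets stated above.

# extra_uid0 PASSWD_FILE -> prints every UID-0 account other than root
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# policy_gaps LOGIN_DEFS -> prints "KEY value (want OP limit)" for each of the
# three password-ageing settings that is unset or outside the target.
policy_gaps() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }                 # comments and blank lines
        $1 ~ /^PASS_(MAX_DAYS|MIN_DAYS|WARN_AGE)$/ { v[$1] = $2 }
        END {
            chk("PASS_MAX_DAYS", 90, "<=")
            chk("PASS_MIN_DAYS", 1, ">=")
            chk("PASS_WARN_AGE", 7, ">=")
        }
        function chk(k, lim, op,    ok) {
            if (!(k in v)) { print k " unset (want " op " " lim ")"; return }
            ok = (op == "<=") ? (v[k] + 0 <= lim) : (v[k] + 0 >= lim)
            if (!ok) print k " " v[k] " (want " op " " lim ")"
        }' "$1"
}

# Constructed samples; on a live host run the functions on /etc/passwd and
# /etc/login.defs instead.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:0:second uid 0 account:/home/backup:/bin/bash
alice:x:1000:1000:alice:/home/alice:/bin/bash
EOF
cat > "$SAMPLE/login.defs" <<'EOF'
# constructed login.defs fragment
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
EOF
echo "UID 0 accounts besides root:"; extra_uid0 "$SAMPLE/passwd"
echo "Password policy gaps:";        policy_gaps "$SAMPLE/login.defs"
```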

Network Security

Linux systems often act as servers, so securing network interfaces, ports, and services is critical.

Key Checks:

  • Open Ports & Listening Services: Identify unnecessary open ports.

    # List open TCP/UDP ports (ss is modern; netstat is deprecated)
    ss -tuln  # t: TCP, u: UDP, l: listening, n: numeric (no DNS)
    
    # Map ports to services (requires root for process info)
    sudo ss -tulnp

    Example Output: tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=123,fd=3)) (sshd on port 22 is expected; unknown ports need investigation).

  • Firewall Rules: Verify the firewall is active and blocking unwanted traffic.

    # Check UFW status (Debian/Ubuntu)
    sudo ufw status verbose
    
    # Check iptables (RHEL/CentOS or advanced setups); -n skips DNS lookups
    sudo iptables -L -v -n
    # Newer distributions use nftables; show its ruleset with: sudo nft list ruleset

    Best Practice: Only allow essential ports (e.g., 22 for SSH, 443 for HTTPS).

  • Running Services: Disable unused services (e.g., Telnet, FTP).

    # List enabled services (systemd systems)
    systemctl list-unit-files --type=service --state=enabled
    
    # Stop and disable a service (e.g., telnet)
    sudo systemctl stop telnet.service
    sudo systemctl disable telnet.service
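The "unknown ports need investigation" step above, made systematic: every listening socket is checked against an allowlist of expected proto:port pairs, and loopback-only listeners are separated from network-exposed ones. This is an added example, not code from the page; the sample ss output and the allowlist are constructed.

```bash
#!/bin/sh
# Compare listening sockets (in ss -tulnp format) against an allowlist of
# expected proto:port pairs. Added example, not from the page: the sample ss
# output and the allowlist are constructed.

# unexpected_listeners SS_FILE "proto:port ..." -> one line per socket:
#   "<proto> <port> <local-addr> <process> <verdict>", where the verdict is
#   EXPECTED (on the allowlist), LOOPBACK-ONLY (not listed, but bound to
#   127.x or [::1], so not reachable from the network) or UNEXPECTED.
unexpected_listeners() {
    awk -v allow=" $2 " '
        NR == 1 { next }                              # column header
        $2 != "LISTEN" && $2 != "UNCONN" { next }     # TCP listeners / UDP sockets
        {
            n = split($5, a, ":"); port = a[n]          # "0.0.0.0:22" or "[::]:22"
            addr = substr($5, 1, length($5) - length(port) - 1)
            proc = "-"                                   # no process column without root
            if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
            if (index(allow, " " $1 ":" port " "))            verdict = "EXPECTED"
            else if (addr ~ /^127\./ || addr ~ /^\[::1\]/)    verdict = "LOOPBACK-ONLY"
            else                                               verdict = "UNEXPECTED"
            print $1, port, addr, proc, verdict
        }' "$1"
}

# Constructed sample of `sudo ss -tulnp` output. On a live host:
#   sudo ss -tulnp > /tmp/ss.txt && unexpected_listeners /tmp/ss.txt "tcp:22 tcp:443"
SAMPLE_SS=$(mktemp)
cat > "$SAMPLE_SS" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=123,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=200,fd=6))
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*     users:(("postgres",pid=300,fd=5))
tcp   LISTEN 0      128          0.0.0.0:8080      0.0.0.0:*     users:(("python3",pid=999,fd=3))
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*     users:(("systemd-resolve",pid=50,fd=12))
EOF
unexpected_listeners "$SAMPLE_SS" "tcp:22 tcp:443 udp:53"
```

In the sample only the python3 listener on 0.0.0.0:8080 comes out as UNEXPECTED; the PostgreSQL socket is flagged LOOPBACK-ONLY because it is bound to 127.0.0.1.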

Logging & Monitoring

Logs are your audit trail—ensure they’re collected, stored, and monitored.

Key Checks:

  • Log Files: Verify critical logs (e.g., authentication, kernel) are intact.

    # Check auth logs (login attempts, sudo usage)
    sudo tail /var/log/auth.log  # Debian/Ubuntu
    sudo tail /var/log/secure  # RHEL/CentOS/Fedora
    
    # Count failed SSH login attempts (log files are root-readable, so sudo is needed)
    sudo grep -c "Failed password" /var/log/auth.log
    # On journald-only systems: sudo journalctl -u ssh | grep -c "Failed password"  (unit is sshd on RHEL)
  • Audit Daemon (auditd): The auditd service tracks system calls (e.g., file modifications, user logins).

    # Check if auditd is running
    sudo systemctl status auditd
    
    # View recent audit logs
    sudo ausearch -m USER_LOGIN  # Search for user login events
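The failed-login count above tells you that guessing happened; what an auditor actually wants to know is which source produced the failures and whether one of them was eventually accepted. The script below runs that detection over sshd log lines. This is an added example, not code from the page; the log lines are constructed and use RFC 5737 documentation addresses, and the threshold is a parameter.

```bash
#!/bin/sh
# Failed-login detection over auth.log-style sshd lines: counts "Failed
# password" events per source IP and notes whether that IP later had an
# "Accepted" login, the pattern a successful password guess leaves behind.
# Added example, not from the page; the log lines below are constructed and
# use RFC 5737 documentation addresses.

# failed_login_report LOGFILE THRESHOLD -> for each IP with >= THRESHOLD failures
# prints "<ip> <failures> accepted-after:<user>" or "<ip> <failures> no-success"
failed_login_report() {
    awk -v thr="$2" '
        function src(line) { sub(/.* from /, "", line); sub(/ port .*/, "", line); return line }
        /sshd\[[0-9]+\]: Failed password for/ { fails[src($0)]++ }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            ip = src($0)
            if (ip in fails) {             # success following failures from the same source
                user = $0; sub(/.* for /, "", user); sub(/ from .*/, "", user)
                after[ip] = user
            }
        }
        END {
            for (ip in fails) if (fails[ip] >= thr)
                print ip, fails[ip], (ip in after ? "accepted-after:" after[ip] : "no-success")
        }' "$1"
}

# Constructed sample; on Debian/Ubuntu run: failed_login_report /var/log/auth.log 5
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:11 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:15 host sshd[1202]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar  3 10:01:19 host sshd[1203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 10:01:23 host sshd[1204]: Failed password for alice from 203.0.113.7 port 51133 ssh2
Mar  3 10:01:30 host sshd[1205]: Accepted password for alice from 203.0.113.7 port 51140 ssh2
Mar  3 10:05:02 host sshd[1300]: Failed password for bob from 198.51.100.9 port 40010 ssh2
Mar  3 10:07:44 host sshd[1401]: Accepted publickey for bob from 192.0.2.5 port 33002 ssh2
EOF
failed_login_report "$SAMPLE_LOG" 3
```

With the threshold at 3 the sample yields one line, for 203.0.113.7, marked accepted-after:alice; that host is the one to investigate first, and alice's credentials should be treated as compromised.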

Malware & Vulnerability Scanning

Even Linux isn’t immune to malware (e.g., ransomware, rootkits). Use tools to scan for threats.

Key Tools:

  • Lynis (Vulnerability Scanner): Open-source tool that checks for misconfigurations and vulnerabilities.

    # Install Lynis (Debian/Ubuntu)
    sudo apt install lynis
    
    # Run a system audit
    sudo lynis audit system

    Example Output: Lynis will flag issues like “Insecure permissions on /tmp” or “Missing firewalld rules” with severity scores (e.g., “LOW”, “MEDIUM”, “HIGH”).

  • ClamAV (Antivirus): Scans for malware (e.g., trojans, viruses).

    # Install ClamAV (Debian/Ubuntu)
    sudo apt install clamav clamav-daemon
    
    # Update virus definitions
    sudo freshclam
    
    # Scan the system; -i prints only infected files, and --exclude-dir takes a regex
    sudo clamscan -r -i / --exclude-dir="^/sys" --exclude-dir="^/proc" --exclude-dir="^/dev"
  • rkhunter (Rootkit Scanner): Detects rootkits (malware that hides itself).

    # Install rkhunter (Debian/Ubuntu)
    sudo apt install rkhunter
    
    # Record a file-property baseline once, on a known-clean system: sudo rkhunter --propupd
    sudo rkhunter --update  # Refresh rkhunter's data files
    sudo rkhunter --checkall --sk  # Run all checks; --sk skips the "press enter" prompts

Tools for Your Audit

Tool          Purpose                                    Use Case
Lynis         Vulnerability & misconfiguration scanning  Baseline system audit
ClamAV        Malware scanning                           Detecting viruses/trojans
rkhunter      Rootkit detection                          Hunting hidden malware
auditd        Logging system calls                       Tracking file modifications, logins
ss/netstat    Listing listening sockets                  Identifying open ports/services
ufw/iptables  Firewall configuration                     Verifying network rules
chage         Password expiration                        Checking user password policies

Common Practices & Pitfalls

Common Practices:

  • Start Small: Audit one system first, then scale to others.
  • Document Findings: Use a spreadsheet or tool (e.g., Trello) to track issues and fixes.
  • Prioritize Risks: Fix high-severity issues (e.g., open SSH port with password auth) before low-severity ones (e.g., outdated man pages).

Common Pitfalls:

  • Ignoring Logs: Logs often reveal early signs of compromise (e.g., repeated failed logins).
  • Overlooking Hidden Services: Services like cron jobs or systemd timers can run malicious code—check crontab -l and systemctl list-timers.
  • Skipping Updates: Outdated software (e.g., OpenSSL with Heartbleed) is a major risk.

Best Practices

  • Automate Audits: Use cron jobs to run Lynis or ClamAV weekly and email reports.

    # Example cron job (run Lynis every Sunday at 3 AM). Single quotes keep $(date ...) for cron to expand at each run (double quotes would fix the date when the line is written); \% is required because cron treats a bare % as a newline; --cronjob runs Lynis non-interactively.
    echo '0 3 * * 0 root /usr/bin/lynis audit system --cronjob > /var/log/lynis-report-$(date +\%Y\%m\%d).log' | sudo tee -a /etc/crontab
  • Follow CIS Benchmarks: The CIS Linux Benchmarks provide industry-standard security guidelines.

  • Least Privilege: Restrict user and service permissions (e.g., don’t run web servers as root).

  • Backup Logs: Store logs off-system (e.g., using rsyslog or a SIEM tool) to prevent tampering.

Conclusion

Your first Linux security audit may feel overwhelming, but breaking it into components (system hardening, user access, network security, etc.) makes it manageable. Start with tools like Lynis to automate checks, then dive deeper into manual reviews of critical areas like file permissions and user accounts. Remember: audits are not one-time events—regularly repeat the process to stay ahead of evolving threats.

By following this guide, you’ll gain confidence in securing your Linux systems and build a foundation for more advanced security practices.