Become a Linux auditor: tips to start with auditing the Linux platform
This guide helps people new to the Linux platform get a grasp of how the system works. Whether you are an IT auditor or simply want to learn the basics, it helps you determine where to start an audit.
Processes
Each operating system consists of smaller running processes. This is true for Linux as well, and they can be displayed with the ps tool. Without parameters it already shows some processes, but the list is not complete. To see a full list of running processes, use ps -ef or ps aux.
Users
What would a system be without any users using it? To get a first idea of which users can access the system, check the /etc/passwd file. The /etc/shadow file holds related data, including the hashed passwords.
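The two sections above, processes and users, come together in the first pass of an audit: which accounts exist, which of them can actually log in, and which accounts own the running processes. The script below is an added example (not code from the article or from Lynis). Its functions read the passwd and ps text from an argument so they run offline on the constructed samples shown; on a live system you would pass "$(cat /etc/passwd)" and "$(ps -eo user=,pid=,comm=)" instead. The sample account and process names are invented for the example.

```shell
#!/bin/sh
# Added example, not from the original article: first-pass checks on users
# and processes. The functions read text passed as an argument, so they can be
# exercised offline on the constructed samples below; on a live system call
# them with "$(cat /etc/passwd)" and "$(ps -eo user=,pid=,comm=)" instead.

# Constructed sample in /etc/passwd format (not data from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:1001:1001:service account:/opt/svc:/bin/sh'

# Constructed sample in the format of `ps -eo user=,pid=,comm=`.
SAMPLE_PS='root 1 init
root 812 sshd
www-data 904 apache2
alice 1203 bash
postgres 1300 postgres
root 1401 cron'

# Accounts whose shell is not nologin/false, i.e. that can log in interactively.
login_accounts() {
  printf '%s\n' "$1" | awk -F: 'NF >= 7 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Accounts with UID 0. Anything besides root here is a finding, whatever the name.
uid0_accounts() {
  printf '%s\n' "$1" | awk -F: 'NF >= 7 && $3 == 0 { print $1 }'
}

# Number of processes per owning user, one "user count" line per user.
processes_per_user() {
  printf '%s\n' "$1" | awk 'NF >= 3 { n[$1]++ } END { for (u in n) print u, n[u] }' | LC_ALL=C sort
}

# Processes owned by a user that is not in the passwd data: the account comes
# from another name service (see nsswitch.conf) or was deleted while the
# process kept running. Either way it deserves a note in the audit.
unknown_process_owners() {
  {
    printf '%s\n' "$1" | awk -F: 'NF >= 7 { print "U", $1 }'
    printf '%s\n' "$2" | awk 'NF >= 3 { print "P", $1, $2, $3 }'
  } | awk '$1 == "U" { seen[$2] = 1; next }
           $1 == "P" && !($2 in seen) { print $2, $3, $4 }'
}

report() {
  echo "== accounts with a login shell =="; login_accounts "$1"
  echo "== accounts with UID 0 ==";         uid0_accounts "$1"
  echo "== processes per user ==";          processes_per_user "$2"
  echo "== processes owned by unknown users =="; unknown_process_owners "$1" "$2"
}

report "$SAMPLE_PASSWD" "$SAMPLE_PS"
```

On the sample data the report flags the second UID 0 account (backup) and the process owned by postgres, an account that is absent from the passwd sample. Both are exactly the kind of lead that points the auditor at the next section: where does this system get its account information from?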
Name services
To see what sources are used for name services like DNS, check the contents of the /etc/nsswitch.conf file.
# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the 'glibc-doc-reference' and 'info' packages installed, try:
# 'info libc "Name Service Switch"' for information about this file.
passwd: compat
group: compat
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
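What the auditor wants from this file is not the listing itself but two answers: which databases can be served by another system (NIS, LDAP, DNS and similar), and in which order the sources are consulted. The script below is an added example (not from the article or from Lynis) that extracts both from nsswitch.conf text; the sample is the configuration shown above, and on a live system you would pass "$(cat /etc/nsswitch.conf)" instead.

```shell
#!/bin/sh
# Added example, not from the original article: reads nsswitch.conf text and
# reports which databases are resolved through a network service. The sample
# below is the article's own configuration; on a live system pass
# "$(cat /etc/nsswitch.conf)" instead.
SAMPLE_NSSWITCH='passwd: compat
group: compat
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis'

# Print the source list for one database, in lookup order (first wins).
sources_for() {
  printf '%s\n' "$2" | awk -v db="$1" '$1 == db ":" { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Databases with at least one network-backed source. These are the places where
# an account, group or host name can be supplied by a system other than this one.
network_backed() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*#/ || NF < 2 { next }
    { for (i = 2; i <= NF; i++)
        if ($i ~ /^(nis|nisplus|ldap|dns|sss|winbind|hesiod)$/) { print; break } }'
}

# Databases using "compat": file-based, but +/- entries in the file can pull
# in NIS data, so the file contents need a look as well.
compat_databases() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*#/ || NF < 2 { next }
    { for (i = 2; i <= NF; i++)
        if ($i == "compat") { sub(/:$/, "", $1); print $1; break } }'
}

echo "== hosts lookup order: $(sources_for hosts "$SAMPLE_NSSWITCH")"
echo "== network-backed databases =="; network_backed "$SAMPLE_NSSWITCH"
echo "== compat databases =="; compat_databases "$SAMPLE_NSSWITCH"
```

For the sample configuration the output shows that hosts are resolved from /etc/hosts before DNS (so an entry in that file overrides DNS for this system), that netgroups come from NIS, and that passwd, group and shadow use compat, which means /etc/passwd and friends should be checked for + or - lines.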
Data storage
Most systems store or process data locally. To determine where data might be present, a few files and utilities are handy:
/etc/fstab file
The fstab file contains common mount points. While it doesn’t display all mount points, it’s a good start to see what file systems are available.
# cat /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid -o value -s UUID' to print the universally unique identifier
# for a device; this may be used with UUID= as a more robust way to name
# devices that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
# / was on /dev/sda2 during installation
UUID=7c61eaaa-9d7f-4b17-82a3-99699f331073 / ext4 errors=remount-ro 0 1
# swap was on /dev/sda3 during installation
UUID=e3891483-faed-499d-80e2-0dd7331118cd none swap sw 0 0
/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto,exec,utf8 0 0
/dev/sdb1 /mnt/removable-disk ext4 noauto,noexec 0 0
mount
Mount displays the active file systems and their so-called mount points. Commonly a /data mount is available. If not, and the root (/) file system is very big, the data might simply be a directory on this system. Another common location is /usr/local, or an external mount point (e.g. an NFS server).
# mount
/dev/sda2 on / type ext4 (rw,errors=remount-ro)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/fs/fuse/connections type fusectl (rw)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
udev on /dev type devtmpfs (rw,mode=0755)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)
rpc_pipefs on /run/rpc_pipefs type rpc_pipefs (rw)
nfsd on /proc/fs/nfsd type nfsd (rw)
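Beyond finding out where data lives, both /etc/fstab and the mount output answer a second audit question: are data and removable file systems mounted with the restrictive options (nodev, nosuid, noexec) one would expect? The script below is an added example (not from the article or from Lynis) that applies one policy to both sources. The policy itself is an assumption made for the example: media under /media or /mnt must carry all three options and tmpfs mounts must carry nodev and nosuid. Options are evaluated left to right because "user" implies all three restrictions while a later "exec", "suid" or "dev" switches one off again, which a plain string search would get wrong. The samples are the fstab and mount listings shown above.

```shell
#!/bin/sh
# Added example, not from the original article: checks the mount options of
# the entries in /etc/fstab and of the file systems currently mounted, using
# the same policy for both. The samples are the article's own fstab and mount
# output; on a live system pass "$(cat /etc/fstab)" and "$(mount)" instead.
SAMPLE_FSTAB='proc /proc proc defaults 0 0
UUID=7c61eaaa-9d7f-4b17-82a3-99699f331073 / ext4 errors=remount-ro 0 1
UUID=e3891483-faed-499d-80e2-0dd7331118cd none swap sw 0 0
/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto,exec,utf8 0 0
/dev/sdb1 /mnt/removable-disk ext4 noauto,noexec 0 0'

SAMPLE_MOUNT='/dev/sda2 on / type ext4 (rw,errors=remount-ro)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
udev on /dev type devtmpfs (rw,mode=0755)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)
nfsd on /proc/fs/nfsd type nfsd (rw)'

# Normalise fstab lines to "mountpoint type options" (comments skipped).
fstab_entries() {
  printf '%s\n' "$1" | awk '!/^[ \t]*#/ && NF >= 4 { print $2, $3, $4 }'
}

# Normalise "dev on mountpoint type fstype (opts)" lines to the same shape.
mount_entries() {
  printf '%s\n' "$1" | awk '$2 == "on" && $4 == "type" { o = $6; gsub(/[()]/, "", o); print $3, $5, o }'
}

# Policy (an assumption for this example): removable media under /media or
# /mnt must be nodev,nosuid,noexec; tmpfs mounts must be nodev,nosuid.
# Options are walked left to right, because "user" implies all three
# restrictions and a later "exec", "suid" or "dev" switches one off again.
check_entries() {
  awk '
    function required(mp, type) {
      if (mp ~ /^\/(media|mnt)(\/|$)/) return "nodev nosuid noexec"
      if (type == "tmpfs") return "nodev nosuid"
      return ""
    }
    {
      req = required($1, $2); if (req == "") next
      f["nodev"] = 0; f["nosuid"] = 0; f["noexec"] = 0
      n = split($3, o, ",")
      for (i = 1; i <= n; i++) {
        if (o[i] == "user" || o[i] == "users") { f["nodev"] = 1; f["nosuid"] = 1; f["noexec"] = 1 }
        else if (o[i] == "nodev")  f["nodev"]  = 1
        else if (o[i] == "dev")    f["nodev"]  = 0
        else if (o[i] == "nosuid") f["nosuid"] = 1
        else if (o[i] == "suid")   f["nosuid"] = 0
        else if (o[i] == "noexec") f["noexec"] = 1
        else if (o[i] == "exec")   f["noexec"] = 0
      }
      m = split(req, r, " "); missing = ""
      for (i = 1; i <= m; i++) if (!f[r[i]]) missing = missing (missing == "" ? "" : ",") r[i]
      if (missing != "") print $1 " missing: " missing
    }'
}

echo "== /etc/fstab =="; fstab_entries "$SAMPLE_FSTAB" | check_entries
echo "== mounted file systems =="; mount_entries "$SAMPLE_MOUNT" | check_entries
```

On the sample data the CD-ROM entry is reported only for noexec (user implied nodev and nosuid, and the explicit exec re-enabled execution), the removable disk lacks nodev and nosuid, and among the mounted file systems /run is the only tmpfs without nodev. Comparing the two reports is itself useful: a file system that is mounted with options different from its fstab entry was mounted by hand or remounted since boot.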
lsof
To see all open files, revealing more hints on where data is stored, use the lsof tool (list open files).
# lsof
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
init 1 root cwd DIR 8,2 4096 2 /
init 1 root rtd DIR 8,2 4096 2 /
init 1 root txt REG 8,2 167192 136565 /sbin/init
init 1 root mem REG 8,2 52120 1975156 /lib/x86_64-linux-gnu/libnss_files-2.15.so
init 1 root mem REG 8,2 47680 1975160 /lib/x86_64-linux-gnu/libnss_nis-2.15.so
init 1 root mem REG 8,2 97248 1975172 /lib/x86_64-linux-gnu/libnsl-2.15.so
init 1 root mem REG 8,2 35680 1975154 /lib/x86_64-linux-gnu/libnss_compat-2.15.so
init 1 root mem REG 8,2 1815224 1975152 /lib/x86_64-linux-gnu/libc-2.15.so
init 1 root mem REG 8,2 31752 1975159 /lib/x86_64-linux-gnu/librt-2.15.so
init 1 root mem REG 8,2 135366 1975161 /lib/x86_64-linux-gnu/libpthread-2.15.so
init 1 root mem REG 8,2 276392 1966987 /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8
init 1 root mem REG 8,2 38888 1967542 /lib/x86_64-linux-gnu/libnih-dbus.so.1.0.0
init 1 root mem REG 8,2 96240 1967544 /lib/x86_64-linux-gnu/libnih.so.1.0.0
init 1 root mem REG 8,2 149280 1975164 /lib/x86_64-linux-gnu/ld-2.15.so
init 1 root 0u CHR 1,3 0t0 5793 /dev/null
init 1 root 1u CHR 1,3 0t0 5793 /dev/null
init 1 root 2u CHR 1,3 0t0 5793 /dev/null
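Raw lsof output is long and dominated by executables and shared libraries, as the listing above shows. For the data-location question it helps to keep only regular files opened through a numbered descriptor and to group them by directory. The script below is an added example (not from the article or from Lynis); its sample is constructed lsof output, not a capture from a real system, and on a live system you would pass "$(lsof -n)" instead.

```shell
#!/bin/sh
# Added example, not from the original article: condenses lsof output into
# the directories that running programs hold data files open in. Executables
# (FD txt), mapped libraries (FD mem) and non-regular files are dropped, so
# what remains points at data and log locations. The sample is constructed,
# not captured from a real system; on a live system use "$(lsof -n)" instead.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
init 1 root txt REG 8,2 167192 136565 /sbin/init
init 1 root mem REG 8,2 1815224 1975152 /lib/x86_64-linux-gnu/libc-2.15.so
init 1 root 0u CHR 1,3 0t0 5793 /dev/null
postgres 1300 postgres 5u REG 8,17 8192 262150 /data/pgsql/base/16384/2601
postgres 1300 postgres 6u REG 8,17 16384 262151 /data/pgsql/base/16384/2602
postgres 1300 postgres 8w REG 8,2 40960 655361 /var/log/postgresql/postgresql.log
apache2 904 www-data 7w REG 8,2 120384 655362 /var/log/apache2/access.log
apache2 904 www-data 9r REG 8,2 2048 393220 /var/www/html/index.html
sshd 812 root 3u IPv4 9921 0t0 TCP *:22 (LISTEN)'

# Regular files opened through a numbered descriptor, grouped by directory.
# Output: "count directory", most-used directory first.
open_data_dirs() {
  printf '%s\n' "$1" | awk '
    NR > 1 && $5 == "REG" && $4 ~ /^[0-9]+[rwu]?$/ {
      n = split($9, p, "/"); dir = ""
      for (i = 2; i < n; i++) dir = dir "/" p[i]
      c[dir]++
    }
    END { for (d in c) print c[d], d }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Same selection, but as "command directory" pairs, one per line.
open_data_dirs_by_command() {
  printf '%s\n' "$1" | awk '
    NR > 1 && $5 == "REG" && $4 ~ /^[0-9]+[rwu]?$/ {
      n = split($9, p, "/"); dir = ""
      for (i = 2; i < n; i++) dir = dir "/" p[i]
      print $1, dir
    }' | LC_ALL=C sort -u
}

echo "== directories with open data files =="; open_data_dirs "$SAMPLE_LSOF"
echo "== by program =="; open_data_dirs_by_command "$SAMPLE_LSOF"
```

On the sample the database directory under /data and the log directories under /var/log surface immediately, while the library, device and socket entries disappear. Paths containing spaces would need the NAME column reassembled from field 9 onwards; the sample keeps them simple.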
Installed software
No system can run without software. Linux-based systems often have pre-installed packages that form a minimal base. Common examples are tools like grep, cut and awk. Additionally, network-based services might have been installed during installation.
Debian/Ubuntu: dpkg -l
RedHat/CentOS: rpm -qa
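A package list is most useful when it can be compared with the list from the previous audit, so that packages added, removed or upgraded in between stand out. The script below is an added example (not from the article or from Lynis). The inventory function picks dpkg-query or rpm, whichever is present, and produces "name version" lines; the comparison works on two such lists. The two inventories it is run on are constructed samples with invented version strings.

```shell
#!/bin/sh
# Added example, not from the original article: a package inventory that works
# on both package families, plus a comparison against an earlier inventory so
# that packages added, removed or upgraded since the last audit stand out.
# The two inventories below are constructed samples, not real package lists.

# Current inventory as "name version" lines, sorted. Assumes dpkg-query or rpm.
inventory() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Package} ${Version}\n' | LC_ALL=C sort
  elif command -v rpm >/dev/null 2>&1; then
    rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | LC_ALL=C sort
  else
    echo "no supported package manager found" >&2
    return 1
  fi
}

# Compare two inventories; prints "added:", "removed:" and "changed:" lines.
inventory_diff() {
  {
    printf '%s\n' "$1" | awk 'NF >= 2 { print "B", $1, $2 }'
    printf '%s\n' "$2" | awk 'NF >= 2 { print "C", $1, $2 }'
  } | awk '
    $1 == "B" { base[$2] = $3; next }
    $1 == "C" { cur[$2] = $3; next }
    END {
      for (p in cur)  if (!(p in base)) print "added: " p " " cur[p]
      for (p in base) if (!(p in cur))  print "removed: " p " " base[p]
      for (p in cur)  if ((p in base) && base[p] != cur[p]) print "changed: " p " " base[p] " -> " cur[p]
    }' | LC_ALL=C sort
}

# Constructed sample inventories (package versions are invented).
SAMPLE_BASELINE='bash 5.1-2
openssh-server 8.4p1-5
sudo 1.9.5p2-3'
SAMPLE_CURRENT='bash 5.1-2
openssh-server 8.4p1-6
tcpdump 4.99.1-4'

# On a live system: inventory > inventory-$(date +%F).txt, then later
# inventory_diff "$(cat inventory-OLD.txt)" "$(cat inventory-NEW.txt)".
inventory_diff "$SAMPLE_BASELINE" "$SAMPLE_CURRENT"
```

Keeping the inventory file with the audit report turns the next audit's "what changed?" into a one-line comparison, and an unexpected "added:" line is a good place to start asking questions.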
Automation
While manually checking traces on a system is fine, automation is even better. It saves time and effort and improves the quality of an audit. Where needed, manual checks can still extend an automated audit, and combining both improves the audit even more.
Within this series of articles we already shared our tool Lynis. If you haven't used it yet, this might be the time to become an auditor in only a few minutes. Lynis is free and open source, used by many professionals, and contains over 250 individual tests. Consider only the time it would take to check everything manually!
We hope this article gave you some new insights. Want to know more about a particular subject? Let us know via the about section!