Become a Linux auditor: tips to start with auditing the Linux platform

This guide helps people new to the Linux platform to get a grasp on how the system works. Whether you are an IT auditor or simply want to know more about the basics, this guide helps you determine where to start an audit.

Processes

Every operating system is made up of many smaller running processes, and Linux is no exception. They can be listed with the ps tool. Without parameters it only shows the processes belonging to the current terminal session, so that list is not complete. To see a full list of running processes, use ps -ef or ps aux. Pay attention to the user each process runs as (root in particular) and to any process you cannot tie to an installed package or a known service.

Users

What would a system be without users? To get a first hint of which users can access the system, check the /etc/passwd file. The /etc/shadow file holds the matching password data, including the password hashes and password aging information; it is readable only by root, so this check needs root privileges. Keep in mind that /etc/passwd only lists local accounts: when the system also uses a directory service such as NIS or LDAP (see the name services section below), more accounts exist than this file shows.

Name services

To see what sources are used for name services like DNS, check the contents of the /etc/nsswitch.conf file. Besides host name resolution, this file also defines where user and group information comes from (the passwd, group and shadow lines), so it tells you whether /etc/passwd is the complete list of accounts or whether a remote directory is involved.

# cat /etc/nsswitch.conf
# /etc/nsswitch.conf  
#  
# Example configuration of GNU Name Service Switch functionality.  
# If you have the 'glibc-doc-reference' and 'info' packages installed, try:  
# 'info libc "Name Service Switch"' for information about this file.

passwd:         compat  
group:          compat  
shadow:         compat

hosts:          files dns  
networks:       files

protocols:      db files  
services:       db files  
ethers:         db files  
rpc:            db files

netgroup:       nis
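The Users section above starts from /etc/passwd, and the nsswitch.conf output shows whether that file is the whole story. The shell functions below are an added example, not code from the original article: they read an nsswitch.conf-style file and passwd/shadow-format files, warn when passwd lookups also go to a remote source, and list UID 0 accounts, accounts with a login shell, and accounts without any password. The sample files are constructed for the demonstration; on a real host pass /etc/nsswitch.conf, /etc/passwd and /etc/shadow (reading shadow requires root).

```sh
#!/bin/sh
# Added example, not code from the original article. Inventories accounts
# from passwd/shadow-format files and checks where nsswitch.conf sends
# account lookups. Every path is a parameter so the functions run on the
# constructed sample files created below; on a real host point them at
# /etc/nsswitch.conf, /etc/passwd and /etc/shadow (the latter needs root).

# Print the sources configured for one database in an nsswitch.conf-style
# file, e.g. "files dns" for the hosts line.
nss_sources() {
    awk -v db="$2" '$1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Return 0 when passwd lookups only use local files (files or compat) and
# 1 when a remote source such as nis, ldap or sss is configured, in which
# case /etc/passwd is not the complete account list.
nss_passwd_is_local() {
    for src in $(nss_sources "$1" passwd); do
        case "$src" in
            files|compat) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Accounts with UID 0 in a passwd-format file; anything besides root is a finding.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts whose login shell is not nologin or false, i.e. that can log in interactively.
login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Accounts in a shadow-format file with an empty password field: no password
# is needed at all. Locked accounts have a field starting with ! or * instead.
shadow_empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# --- constructed sample data for a stand-alone run ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/nsswitch.conf" <<'EOF'
passwd:         compat ldap
group:          compat
shadow:         compat
hosts:          files dns
EOF
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat > "$TMP/shadow" <<'EOF'
root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
toor::19000:0:99999:7:::
alice:!$6$saltsalt$hashhashhash:19000:0:99999:7:::
EOF

echo "passwd sources: $(nss_sources "$TMP/nsswitch.conf" passwd)"
nss_passwd_is_local "$TMP/nsswitch.conf" || echo "WARNING: accounts also come from a remote directory"
echo "UID 0 accounts: $(uid0_accounts "$TMP/passwd" | tr '\n' ' ')"
echo "interactive accounts: $(login_accounts "$TMP/passwd" | tr '\n' ' ')"
echo "accounts without password: $(shadow_empty_passwords "$TMP/shadow" | tr '\n' ' ')"
```

In the sample data the second UID 0 account (toor) also has an empty shadow field, the combination an auditor most wants to catch; the ldap entry on the passwd line is the reminder that the local files do not list every account on such a system.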

Data storage

Most systems store or process data locally. To determine where data might be present, a few utilities come in handy:

/etc/fstab file

The fstab file lists the file systems that are mounted at boot, plus entries that can be mounted on demand (the noauto ones). It does not show everything that is mounted right now, but it is a good start to see which file systems are configured, where, and with which mount options.

# cat /etc/fstab  
# /etc/fstab: static file system information.  
#  
# Use 'blkid -o value -s UUID' to print the universally unique identifier  
# for a device; this may be used with UUID= as a more robust way to name  
# devices that works even if disks are added and removed. See fstab(5).  
#  
# <file system> <mount point>   <type>  <options>       <dump>  <pass>  
proc            /proc           proc    defaults        0       0  
# / was on /dev/sda2 during installation  
UUID=7c61eaaa-9d7f-4b17-82a3-99699f331073 /               ext4    errors=remount-ro 0       1  
# swap was on /dev/sda3 during installation  
UUID=e3891483-faed-499d-80e2-0dd7331118cd none            swap    sw              0       0  
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto,exec,utf8 0       0

/dev/sdb1       /mnt/removable-disk     ext4    noauto,noexec   0       0

mount

mount displays the active file systems and their so-called mount points. Commonly a separate /data mount is present. If it is not, and the root file system (/) is very large, data is probably stored in a directory on the root file system. Other common locations are /usr/local or an external mount point such as an NFS share. Compare the output with /etc/fstab: anything that is mounted but not listed there was mounted by hand, by an automounter or by a service, and is easy to miss when only configuration files are reviewed.

# mount  
/dev/sda2 on / type ext4 (rw,errors=remount-ro)  
proc on /proc type proc (rw)  
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)  
none on /sys/fs/fuse/connections type fusectl (rw)  
none on /sys/kernel/debug type debugfs (rw)  
none on /sys/kernel/security type securityfs (rw)  
udev on /dev type devtmpfs (rw,mode=0755)  
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)  
tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)  
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)  
none on /run/shm type tmpfs (rw,nosuid,nodev)  
rpc_pipefs on /run/rpc_pipefs type rpc_pipefs (rw)  
nfsd on /proc/fs/nfsd type nfsd (rw)
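fstab is static configuration while mount shows the live state, and an audit compares the two. The script below is an added example, not part of the original article: it parses an fstab-style file and mount-style output, reports file systems that are mounted but not configured in fstab, and for a given mount point reports which of nodev, nosuid and noexec are missing. The sample fstab and mount output are constructed, loosely based on the listings above; the NFS server name and address in them are invented. The hardening check is meant for /tmp, /dev/shm or /run/shm, removable media and data mounts, not for the root file system.

```sh
#!/bin/sh
# Added example, not code from the original article. Compares the static
# fstab with the live mount table and checks hardening mount options.
# Both inputs are files so the functions run on the constructed samples
# below; on a real host use /etc/fstab and the output of `mount`.

# Print "mountpoint fstype options" for each non-comment fstab entry.
fstab_entries() {
    awk '$1 !~ /^#/ && NF >= 4 { print $2, $3, $4 }' "$1"
}

# Print "mountpoint fstype options" for each line of `mount` output,
# which has the form: DEVICE on MOUNTPOINT type FSTYPE (opt1,opt2,...)
live_mounts() {
    awk '$2 == "on" && $4 == "type" { gsub(/[()]/, "", $6); print $3, $5, $6 }' "$1"
}

# Mount points that are mounted now but not configured in fstab. Kernel
# pseudo file systems are skipped; what remains was mounted by hand, by an
# automounter or by a service and is easily missed when reading config only.
mounts_not_in_fstab() {
    live_mounts "$2" | while read -r mp fstype opts; do
        case "$fstype" in
            proc|sysfs|devtmpfs|devpts|tmpfs|fusectl|debugfs|securityfs|rpc_pipefs|nfsd|cgroup*) continue ;;
        esac
        fstab_entries "$1" | awk -v mp="$mp" '$1 == mp { found = 1 } END { exit (found ? 0 : 1) }' \
            || echo "$mp $fstype"
    done
}

# For one mount point, print which of nodev, nosuid and noexec are absent
# from the live mount options (empty output means all three are set).
missing_hardening_opts() {
    opts=$(live_mounts "$1" | awk -v mp="$2" '$1 == mp { print $3; exit }')
    [ -n "$opts" ] || { echo "not mounted"; return 1; }
    missing=""
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *,"$want",*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo "${missing# }"
}

# --- constructed sample data for a stand-alone run (server name and
# address are invented) ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/fstab" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
UUID=7c61eaaa-9d7f-4b17-82a3-99699f331073 / ext4 errors=remount-ro 0 1
/dev/sdb1 /mnt/removable-disk ext4 noauto,noexec 0 0
EOF
cat > "$TMP/mount.txt" <<'EOF'
/dev/sda2 on / type ext4 (rw,errors=remount-ro)
proc on /proc type proc (rw)
tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
none on /run/shm type tmpfs (rw,nosuid,nodev)
/dev/sdb1 on /mnt/removable-disk type ext4 (rw,noexec)
fileserver:/export/data on /data type nfs (rw,vers=3,addr=10.0.0.5)
EOF

echo "mounted but not in fstab: $(mounts_not_in_fstab "$TMP/fstab" "$TMP/mount.txt")"
for mp in /run /run/shm /mnt/removable-disk /data; do
    echo "$mp lacks: $(missing_hardening_opts "$TMP/mount.txt" "$mp")"
done
```

In the sample the NFS mount on /data is the one that only shows up in the live mount table, and /run/shm is world-writable tmpfs that still allows execution; both are typical findings that a review of /etc/fstab alone would not produce.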

lsof

To see all open files, which reveals more hints on where data is stored, use the lsof tool (list open files). On a real system the output runs to thousands of lines; the listing below is cut off after the first process. Use lsof -n -P to skip slow host and port name lookups, and filter with grep on a path or user name.

# lsof
COMMAND     PID       USER   FD      TYPE             DEVICE   SIZE/OFF       NODE NAME
init          1       root  cwd       DIR                8,2       4096          2 /
init          1       root  rtd       DIR                8,2       4096          2 /
init          1       root  txt       REG                8,2     167192     136565 /sbin/init
init          1       root  mem       REG                8,2      52120    1975156 /lib/x86_64-linux-gnu/libnss_files-2.15.so
init          1       root  mem       REG                8,2      47680    1975160 /lib/x86_64-linux-gnu/libnss_nis-2.15.so
init          1       root  mem       REG                8,2      97248    1975172 /lib/x86_64-linux-gnu/libnsl-2.15.so
init          1       root  mem       REG                8,2      35680    1975154 /lib/x86_64-linux-gnu/libnss_compat-2.15.so
init          1       root  mem       REG                8,2    1815224    1975152 /lib/x86_64-linux-gnu/libc-2.15.so
init          1       root  mem       REG                8,2      31752    1975159 /lib/x86_64-linux-gnu/librt-2.15.so
init          1       root  mem       REG                8,2     135366    1975161 /lib/x86_64-linux-gnu/libpthread-2.15.so
init          1       root  mem       REG                8,2     276392    1966987 /lib/x86_64-linux-gnu/libdbus-1.so.3.5.8
init          1       root  mem       REG                8,2      38888    1967542 /lib/x86_64-linux-gnu/libnih-dbus.so.1.0.0
init          1       root  mem       REG                8,2      96240    1967544 /lib/x86_64-linux-gnu/libnih.so.1.0.0
init          1       root  mem       REG                8,2     149280    1975164 /lib/x86_64-linux-gnu/ld-2.15.so
init          1       root    0u      CHR                1,3        0t0       5793 /dev/null
init          1       root    1u      CHR                1,3        0t0       5793 /dev/null
init          1       root    2u      CHR                1,3        0t0       5793 /dev/null
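Raw lsof output is mostly shared libraries and device nodes; the interesting part for an auditor is the regular files outside the operating system directories, because those are where data lives. The functions below are an added example, not code from the original article: they parse default-format lsof output, list the open regular files that are not under system directories, and separately list open files that have been deleted from disk (a process still holds them, which is how a removed log file or a replaced binary stays alive). The sample lsof output is constructed: the init lines follow the listing above, the postgres, mysqld and rsyslogd lines are invented.

```sh
#!/bin/sh
# Added example, not code from the original article. Parses default-format
# lsof output (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME) from a
# file; on a real host feed it `lsof -n -P > lsof.txt`.

# Print "command pid user name" for every open regular file. The NAME
# column can contain spaces (e.g. a trailing "(deleted)"), so everything
# from field 9 onwards is joined back together.
open_regular_files() {
    awk '$5 == "REG" {
        name = $9
        for (i = 10; i <= NF; i++) name = name " " $i
        print $1, $2, $3, name
    }' "$1"
}

# Open regular files outside the OS directories: the candidate data locations.
data_files_open() {
    open_regular_files "$1" \
        | awk '$4 !~ /^\/(bin|sbin|lib|lib64|usr|etc|proc|dev)\// { print $4 }' \
        | sort -u
}

# Files that are open but already unlinked: "command pid path".
deleted_open_files() {
    open_regular_files "$1" | awk '$NF == "(deleted)" { print $1, $2, $(NF-1) }'
}

# --- constructed sample lsof output for a stand-alone run ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/lsof.txt" <<'EOF'
COMMAND     PID       USER   FD      TYPE             DEVICE   SIZE/OFF       NODE NAME
init          1       root  txt       REG                8,2     167192     136565 /sbin/init
init          1       root  mem       REG                8,2    1815224    1975152 /lib/x86_64-linux-gnu/libc-2.15.so
init          1       root    0u      CHR                1,3        0t0       5793 /dev/null
postgres   1234   postgres  10u       REG                8,2   16777216     262150 /var/lib/postgresql/9.1/main/base/16384/16385
postgres   1234   postgres   3u      unix 0xffff880037a8c000        0t0      12345 /var/run/postgresql/.s.PGSQL.5432
mysqld     1300      mysql   5uW      REG               8,17   79691776        130 /srv/data/ibdata1
rsyslogd    800       root    4w      REG                8,2     203884     524301 /var/log/auth.log (deleted)
EOF

echo "open data files:"
data_files_open "$TMP/lsof.txt"
echo "open but deleted files:"
deleted_open_files "$TMP/lsof.txt"
```

The deleted-file check deserves a follow-up on a real system: a log file that is still open but gone from disk means either a log rotation that has not reached the service yet or someone removing traces while the daemon keeps writing.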

Installed software

No system runs without software. Linux-based systems usually come with a set of pre-installed packages that form a minimal base; common examples are tools like grep, cut and awk. Additionally, network services may have been selected during installation. List the installed packages with the package manager of the distribution and compare the list with what the role of the system requires: every package that is not needed is extra attack surface, and network services are the most important ones to account for. Both package managers can also verify the installed files against the package database (dpkg -V on Debian/Ubuntu, rpm -Va on RedHat/CentOS), which helps to spot modified binaries and configuration files.

Debian/Ubuntu: dpkg -l

RedHat/CentOS: rpm -qa

Automation

While manually checking traces on a system is fine, automation is even better: it saves time and effort and improves the quality of an audit. Where needed, manual checks can still extend an automated audit. Combining both improves the audit even more.

In this series of articles we already shared our tool Lynis. If you have not used it yet, this might be the time to become an auditor in only a few minutes. Lynis is free and open source, used by many professionals and contains over 250 individual tests. Consider the time it would take to check everything manually!

We hope this article gave you some new insights. Want to know more about a particular subject? Let us know via the about section!

Feedback


This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!
