Conducting a Linux Server Security Audit

Auditing a system can be a time-consuming job, which is no different when conducting a Linux server security audit. Within this article, we give some highlights regarding the audit and tips to automate them by using Lynis.

The business goal

Before auditing any system, determine the business goal of the system. How critical is this system for doing business? What if the system goes down?

Usually each system has a clear role or multiple roles, like being a web server. This also determines what users might access this system, what network communication is allowed and how data needs to be protected.


Depending on the role of the system, system administrators will always have access to the system. Besides these administrators, functional and normal users might have access to the system as well.

First thing to assess is how users can access the system and what authentication back-end is being used. Most systems however, still use the local back-end (passwd and shadow file). If it’s clear how users can be authenticated, the next step is to determine who can access the system and why. Users who can access the system, but have no clear business reason for being able to do so, should be flagged.

Network configuration

Systems have to be connected to the network to transmit, store and process data. Proper network configuration, traffic filtering and logging should be in place.


Per system the network configuration should be determined. Information of interest includes the IP address, netmask, gateway, allow bridged networks and in what network segments or network zone this system is active.

Listening ports

Network services open a dedicated network port to listen on. Auditing these services (e.g. with netstat -nlp) will give insights on what services are active and if they are in line with the business purpose of the system.


To make sure only allowed connections may occur, a firewall with a default “deny all” policy could be implemented. The more critical and sensitive the data, the less amount of systems should be able to communicate with the system.

More: audit guide for the Linux network configuration

Software packages

Every system can only do its job properly with additional installed software packages. Special attention to be given to the way software is upgraded, with focus on the security updates. The upgrading of systems and software is common within company security policies, yet often it’s not properly implemented.

Steps to audit include checking the installed packages, processes which are started during boot and active services which are available via the network.

File permissions

Depending on the role of the system, data might be stored on the system. One important part is determining what data is stored and its sensitivity. Again with determining which users can access the system, the same has to be checked regarding the access to (sensitive) data.

Another area of interest are files without proper ownership, like missing their owner or related group. Also binaries with their SetUID or SetGID bit set, might be of interest to determine proper hardening of the system.

Log files

For auditing and accounting purposes, log files are usually the best location to determine what has occurred. For this same reason log files should be properly stored, protected and rotated. Start by determining if all required calls and actions are properly logged. Special focus should go to the main applications dealing with users and data.

Remote logging is a powerful method to safeguard the alteration of log files. Malicious people or insiders might adjust logging to hide their traces. Remote logging makes the protection of valuable events (or proof) easier. Security incident and event management, or SIEM solutions can help with this goal. To check if remote logging is used, check the syslog configuration.


While malware on Linux systems is less common than other platforms, it does exist. Especially backdoors, malicious scripts and rootkits can be found in the field. To detect this kind of malware use a scanner like ClamAV, LMD, Rootkit Hunter or a commercial virus scanner.


Manual auditing is very time consuming and prone to missing important details. Therefore we suggest to use Lynis to audit a system in a matter of minutes. After the audit it becomes quickly clear what areas need more focus, like the ones mentioned in this article.

For companies and auditors we suggest to use the Lynis Enterprise Suite, a total solution to do continuous audits. Besides the power of Lynis, it can also report on the most critical controls, provide a customized implementation plan (based on effort and risk) and do more in-depth audits with the use of additional plugins.

Useful commands

Show packages

  • rpm -qa
  • dpkg -l

Network services

  • ss -plant (show listening services, replacement for netstat)
  • netstat -nlp (show listening services, for older systems)

Take the next step!

Want to learn more about Linux security? Have a look at the open source tool Lynis and become a Linux security expert yourself.

Lynis is a battle-tested technical security audit tool. It is open source, freely available, and used by system administrators all over the world. Other users include IT auditors, security professionals, like pentesters.

Tool Information

Visit project page
Screenshot of Lynis security tool