Become a Linux Auditor: What to know?

Linux Auditor: What to know?

Now open source software and platforms are very common, the need for knowledge in this area is increasing. Becoming a technical auditor with specialized knowledge about Linux, might be a clever move.


When specializing in Linux, the auditing area is already more technically oriented, instead of the processes. A true Linux auditor knows more than the basics of Linux. In-depth knowledge is required, like what file systems are common, how permissions are arranged, popular applications are common (at the presentation layer, middleware, backend).


Since most applications are used over and over, focusing on those is very helpful. Think about Apache, MySQL, PHP (LAMP stack), but also emerging alternatives. For example Nginx is a nice example of software taking its share in the area of web servers.

Users and Permissions

For each system where users can log in and auditor should be able to know who they are and what they can do. Not personally of course, but regarding identity and access management (IAM)

Network processes

To determine additional risks, focusing on network communications is useful. Starting with all daemons listening on a network interface and zooming in on server configurations. Additionally having knowledge and experience with iptables (or alternatives) is of value for one being a real Linux auditor.


The CISA (Certified Information Systems Auditor) certification from ISACA is the one you definitely should have. It provides the basics and more of the auditing profession. Additionally technical certifications will be useful, like the ones from LPI (LPIC-1, LPIC-2 and LPIC-3). Also Comptia (Linux+) is an alternative, but more generic. For specialization in Red Hat, one might even become RHCE to truly understand how Linux systems, with Red Hat in particular, are working.


Lynis (Linux/Unix auditing tool) screenshot

Screenshot of a Unix security audit performed with Lynis.

Knowing your tools is usually the key of making your life easier. Why do everything manually when specialized tools can do the trick? Use port scanners like nmap to scan the network, IDS set-ups like Snort to monitor for suspicious traffic. What about the auditing tool for a Linux auditor? Of course, our tool Lynis to help you performing an in-depth scan of Linux security.

Many pentesting distributions will be of help for seasoned Linux professionals, by combining all powerful tools into one system. No need for manual installation, as many tools are already installed and grouped per category.

Happy auditing!


One more thing...

Keep learning

So you are interested in Linux security? Join the Linux Security Expert training program, a practical and lab-based training ground. For those who want to become (or stay) a Linux security expert.

See training package

Lynis Enterprise screenshot to help with system hardeningSecurity scanning with Lynis and Lynis Enterprise

Run automated security scans and increase your defenses. Lynis is an open source security tool to perform in-depth audits. It helps with system hardening, vulnerability discovery, and compliance.