Become a Linux Auditor: What to know?

Linux Auditor: What to know?

Now open source software and platforms are very common, the need for knowledge in this area is increasing. Becoming a technical auditor with specialized knowledge about Linux, might be a clever move.


When specializing in Linux, the auditing area is already more technically oriented, instead of the processes. A true Linux auditor knows more than the basics of Linux. In-depth knowledge is required, like what file systems are common, how permissions are arranged, popular applications are common (at the presentation layer, middleware, backend).


Since most applications are used over and over, focusing on those is very helpful. Think about Apache, MySQL, PHP (LAMP stack), but also emerging alternatives. For example Nginx is a nice example of software taking its share in the area of web servers.

Users and Permissions

For each system where users can log in and auditor should be able to know who they are and what they can do. Not personally of course, but regarding identity and access management (IAM)

Network processes

To determine additional risks, focusing on network communications is useful. Starting with all daemons listening on a network interface and zooming in on server configurations. Additionally having knowledge and experience with iptables (or alternatives) is of value for one being a real Linux auditor.


The CISA (Certified Information Systems Auditor) certification from ISACA is the one you definitely should have. It provides the basics and more of the auditing profession. Additionally technical certifications will be useful, like the ones from LPI (LPIC-1, LPIC-2 and LPIC-3). Also Comptia (Linux+) is an alternative, but more generic. For specialization in Red Hat, one might even become RHCE to truly understand how Linux systems, with Red Hat in particular, are working.


Lynis (Linux/Unix auditing tool) screenshot

Screenshot of a Unix security audit performed with Lynis.

Knowing your tools is usually the key of making your life easier. Why do everything manually when specialized tools can do the trick? Use port scanners like nmap to scan the network, IDS set-ups like Snort to monitor for suspicious traffic. What about the auditing tool for a Linux auditor? Of course, our tool Lynis to help you performing an in-depth scan of Linux security.

Many pentesting distributions will be of help for seasoned Linux professionals, by combining all powerful tools into one system. No need for manual installation, as many tools are already installed and grouped per category.

Happy auditing!


Automate security audits with Lynis and Lynis Enterprise
Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series to get Linux (and Unix-based) systems more secure.

Daily security checks

Want to go to the next level of security scanning and system hardening? Start with automated security scans for Linux: Lynis and Lynis Enterprise.

Automate Scanning »