What is a security audit?

What is a security audit?

In the world of compliance, reported break-ins on the news and many security incidents, it’s common to see a security audit showing up sooner or later. Still, many people in our field don’t like them. But what is a security audit and why should we actually embrace them?

Why audit?

Auditing has a simple goal: check if something is configured according to best practices, a baseline or a preferred state. In an ideal situation these values are all the same and part of a properly taken decision. The reason to audit is to discover any exceptions, weaknesses and determine where there is room for improvement.

Types of auditing

Process

One of the common types of auditing is to check processes to determine weaknesses or room for improvement. Within the field of IT auditors usually check on the ITIL processes is an

Technical auditing

The other spectrum of audits check for the technical details of systems.

Vulnerability scanning

Check for weaknesses in configurations, outdated software. This type of software can reveal many weaknesses in an environment. Depending on the tool it can overwhelm system administrators, not knowing where to start fixing. A common “tool” to reduce the amount of vulnerabilities is to perform hardening and software patching.

Penetration testing

Perform similar steps as blackhat hackers to break-in, however within ethical boundaries (no destruction, leakage etc). This type of audit is usually used before big projects go live, or to retest existing environments, especially when a lot of sensitive data is stored or processed.

Negative or positive?

Since audits tends to be strict (or carefully and in-depth), the discovered items are usually less appreciated by people who take care of the related systems. Still, auditing is the process of determining what can be done and system administrators (or managers) should not feel offended by any discovered items. It’s an ongoing process to help improving the environment and definitely not about “blaming” people.

Managers and system administrators should consider an audit as a health check of their environment. Any discovered items can be seen as something to further improve the existing environment. In some cases it can even help in gaining the required budget to finally purchase that automation tool, or vulnerability scanner and do self-scans! Instead of avoiding audits, it might be better to embrace them and actually learn something from the results.

Security auditing for Linux

Lynis (Linux/Unix auditing tool) screenshot

Screenshot of a security scan performed with Lynis.

Since this blog is about auditing the Linux and Unix platform, we can’t forget to speak about our open source auditing tool Lynis. Licensed under GPLv3, it’s free to use and runs on almost all Unix and Linux based systems. It detects vulnerabilities in system configurations, missing security patches or possible improvements in applications and its configuration files.

Lynis is an audit tool (vulnerability scanner), helping system administrators, security professionals and auditors. Proper follow-up includes hardening and retesting of system configurations and applications.

One more thing...

Keep learning

So you are interested in Linux security? Join the Linux Security Expert training program, a practical and lab-based training ground. For those who want to become (or stay) a Linux security expert.

See training package




Lynis Enterprise screenshot to help with system hardeningSecurity scanning with Lynis and Lynis Enterprise

Run automated security scans and increase your defenses. Lynis is an open source security tool to perform in-depth audits. It helps with system hardening, vulnerability discovery, and compliance.


Download