What is a security audit?
What is a security audit?
In the world of compliance, reported break-ins on the news and many security incidents, it’s common to see a security audit showing up sooner or later. Still, many people in our field don’t like them. But what is a security audit and why should we actually embrace them?
Auditing has a simple goal: check if something is configured according to best practices, a baseline or a preferred state. In an ideal situation these values are all the same and part of a properly taken decision. The reason to audit is to discover any exceptions, weaknesses and determine where there is room for improvement.
Types of auditing
One of the common types of auditing is to check processes to determine weaknesses or room for improvement. Within the field of IT auditors usually check on the ITIL processes is an
The other spectrum of audits check for the technical details of systems.
Check for weaknesses in configurations, outdated software. This type of software can reveal many weaknesses in an environment. Depending on the tool it can overwhelm system administrators, not knowing where to start fixing. A common “tool” to reduce the amount of vulnerabilities is to perform hardening and software patching.
Perform similar steps as blackhat hackers to break-in, however within ethical boundaries (no destruction, leakage etc). This type of audit is usually used before big projects go live, or to retest existing environments, especially when a lot of sensitive data is stored or processed.
Negative or positive?
Since audits tends to be strict (or carefully and in-depth), the discovered items are usually less appreciated by people who take care of the related systems. Still, auditing is the process of determining what can be done and system administrators (or managers) should not feel offended by any discovered items. It’s an ongoing process to help improving the environment and definitely not about “blaming” people.
Managers and system administrators should consider an audit as a health check of their environment. Any discovered items can be seen as something to further improve the existing environment. In some cases it can even help in gaining the required budget to finally purchase that automation tool, or vulnerability scanner and do self-scans! Instead of avoiding audits, it might be better to embrace them and actually learn something from the results.
Security auditing for Linux
Since this blog is about auditing the Linux and Unix platform, we can’t forget to speak about our open source auditing tool Lynis. Licensed under GPLv3, it’s free to use and runs on almost all Unix and Linux based systems. It detects vulnerabilities in system configurations, missing security patches or possible improvements in applications and its configuration files.
Lynis is an audit tool (vulnerability scanner), helping system administrators, security professionals and auditors. Proper follow-up includes hardening and retesting of system configurations and applications.