Linux Server Auditing

by May 25, 2018

Linux Server Auditing

by May 25, 2018


A server is a computer hardware or program which provides services to another computer hardware or program, known as the client (and in turn, to its users). Mostly server and client will reside in separate computing systems or hardware (in which case it can be on similar computing system), where the client accesses the server via a network by means of a client-server architecture (where each system in a computing network is either a client or a server; client requests services from servers, which will be provided by the respected server to the requested client through server responses.).

Operating System (OS) is a system software for managing a computing system’s hardware and software resources as well as providing common services to its computer programs; Application programs are written on top of OS. Server Operating System or Server OS, is the OS designed to run on servers. Application programs on servers run on top of this software layer known as Server OS in the server. Server OS helps in facilitating server roles (like Web Server, Mail Server, File Server, Database Server, Application Server, Print Server).  Some of the popular Server OS are Windows Server, Mac OS X Server, Linux versions like RHEL (Red Hat Enterprise Linux) as well as SUSE Linux Enterprise Server.

From all these, it is pretty clear that servers are the most critical entity of a computing system. So, ensuring server’s security and maintenance should be given high priority. Today, business success heavily depends on Information system efficacy and so, ensuring information systems security has become a vital function for enterprises as well. All these show the importance of ‘Server Auditing’.

‘Server Auditing’ constitutes the tasks for ensuring platform level security in an IT infrastructure and to ensure proper server security configuration. Server auditing is needed for inventory purpose, budget planning, capability analysis, disaster recovery, security, compliance, etc..


Here, let’s see an overview of ‘Linux Server Auditing’ –

Linux OS has its own security configuration and management system to address the security requirements in an enterprise environment. For easier system security assurance, System Administrators will be configuring the Linux system. Then, Information System Auditors (IS Auditors) will check the configuration as per auditing standards to ensure information system security.

Like any other server auditing process, major concerns in Linux Server audit also are :

  • Business goal of the system (to understand how critical the intended system is, who all need to access it & how its data need to be protected).
  • Server details like – Server Location, Model, Serial Number, Name, Speed of its CPU, Memory, Server Disc Space.
  • User details (accessibility details like who has server root access, etc.) & user privilege details (special privileges given, if any).


The following can be listed as the assessments to be done in a Linux (or any) Server audit :

  1. User Assessment  – Depending upon their roles, users access systems. Things which are under consideration in user assessment are,

      Step 1. Accessibility & Authentication details – Details of how servers are accessed, authentication back-end.

      Step 2. Who all have access & why they have given accessibility – Users who have the accessibility without any

business reason can be kept out.

  1. Network Assessment – A proper network is a basic requirement for system communication.

      Step  1. Network Configuration – Network configuration of every system should be determined. Major information to

be noted are- IP address, netmask, gateway as well as details of network system/ zone in which a particular system is


      Step  2. Network Service Auditing – Network services must be audited to know which all services are active as well as

to determine whether these active network services are in line with the business requirements of the system.

     Step  3. Firewall Implementation – According to how critical/sensitive the data carried by a system, the number of

other systems able to communicate with it should be regulated. Firewalls can be used effectively for this (for

example, Firewall with ‘deny all’ policy can be implemented to make it sure that only allowed connections can


  1. Software Assessment – Every system effectively does its duties with the help of additional software packages.

      Step  1.  Software upgradations must be done with separate and special attention.

      Step  2.  Put security in high priority while doing software upgradations.

      Step  3.  Ensure that software upgradations are in compliance with company security policies.

  1. Data / File assessment – Effective storage/accessibility of data, as well as files, play an important role in avoiding the security breach.

      Step  1. Determining what data is stored as well as its sensitivity.

      Step 2.  Determining which all users have access to data (especially sensitive data).

      Step 3.  Finding out files without exact ownership (missing owner or a related group).

  1. Log files assessment – Log files show details of what has occurred and it can play an important role in auditing. First of all, log files should be properly stored, protected & rotated.

      Step  1. Determine whether all required calls are properly logged. (Especially the main applications dealing with

users and data).

      Step  2.  Check syslog configuration to know whether remote logging is used. (Remote logging can protect log files

from alteration – malicious people from inside or outside adjusting logs to hide their traces.).

  1. Malware assessment – Yet uncommon, malware can be present in Linux systems (like backdoors, malicious scripts & root kits).

      Step  1.  Detect malware like backdoors, malicious scripts, rootkits, etc. which are found more in Linux systems. Use

scanners like ClamAV, RootKit Hunter, or a Commercial Virus Scanner.


The above assessments are done in manual auditing. But, manual auditing can be time-consuming as well as there is a risk of missing important details in it. Automated auditing is very much useful in overcoming these risks in manual auditing. Some of the Linux audit automation tools are Lynis, LSAT, Wireshark, NMAP, Intrusion detection tools (like Nessus, Snort, SPIKE, Metaspoilt, NIKTO, Ollybdg debugger) and Linux based security distros (like Backtrack Linux, Matriux, Remnux).

In today’s IT-driven world, security is on high priority. This makes it very important to take care of things like – who all access our information systems, under what circumstances and for how long a data should be available – can be easily made available through the process of auditing.

May 2018