September 3, 2007

Linux Audit Checklist

This checklist is to be used to audit a Linux environment. It attempts to provide a generic set of controls to consider when auditing a Linux environment and does not account for the differences between the Linux distributions on the market (e.g. Red Hat, Caldera, Mandrake, etc.).

A listing of how to audit technical security controls is provided; no consideration is given to other control elements such as physical access, security policy, etc. The omission of these other controls does not mean that they lack importance. They are of equal importance; however, they are deemed to be outside the scope of this checklist.

Some of the elements to consider prior to using this checklist:

  • Utilities: While every attempt has been made to include the security implications of using various utilities, it is not possible to list all of them and their security implications in this checklist. Thus, the auditor should ascertain which utilities are in use on the Linux server under review and determine their security implications. A good source for the security implications of a given utility is the website of the vendor supplying it, whether it is freeware, shareware, or a commercial product. Another source is the supporting documentation that accompanies the utility.
  • Practicality of the checklist: This checklist lists the controls to be checked for a very secure configuration. These may not be appropriate for all Linux servers in an organization, given the risk assigned to particular data and applications. Also, some of the controls may be cost prohibitive to implement, and management may have decided during the accreditation process to accept the risk of not being totally secure. The cost may relate to monetary and non-monetary elements; non-monetary elements include items such as response times and availability.
  • Interoperability with other products: This checklist does not cover the security issues to be considered when another system performs certain operations (e.g. Windows NT providing the network authentication service). However, it is quite important that the auditor take this into consideration, as certain systems coupled with a Linux server may introduce new vulnerabilities (e.g. Netware is insecure when mounting file systems). This may also aid the auditor in tailoring the checklist to suit the organization's environment (e.g. more focus on the Samba server/SMB and less attention to Linux authentication if NT provides the network authentication service).
  • Mitigating controls: The auditor needs to be aware of other controls provided by applications or databases. A weakness identified in the operating system may be mitigated by a strong control found in the application or the database (e.g. weak access control in the Linux operating system may be mitigated by very granular access control in the application).
  • Significance of findings: To produce a good report that will receive management attention, the auditor needs to perform a mini risk analysis. The risk analysis ascertains whether a finding is significant enough to affect the organization adversely. The first step is to determine how sensitive the data stored on the server is and how critical the server is to business operations. The second step is to determine how the finding would affect the organization's ability to maintain confidentiality, integrity and availability. Once this has been done, a report indicating the priority of each weakness and the potential effect on the organization if it is not corrected in a timely manner needs to be issued to management.
  • Application and database interfaces with Linux: A further consideration is the security provided by the Linux server for application and database files. The auditor needs to ascertain which applications and databases are loaded on the Linux server and whether the permissions assigned to their files are appropriate. The same applies to sensitive data files.

An important consideration prior to auditing a Linux server is to determine the server's function in the organization. This is paramount to determining how the checklist below may be tailored. Since it is outside the scope of this checklist to list the security considerations for all the different functional roles in which a Linux server may be used (e.g. as an HTTP server), it is important for the auditor to determine the security elements to be considered for that function, as well as for the associated applications that may be run for it (e.g. running Apache on an HTTP server).

Download the entire checklist:

Linux Audit Checklist.doc

(6 pages, 74 KB)