Security Auditing
Security auditing is the process of systematically verifying that your security controls are in place and effective. On Ubuntu servers it covers four areas: configuration auditing (are security settings correct?), activity auditing (who did what, and when?), integrity auditing (have files been modified unexpectedly?), and vulnerability auditing (do installed packages carry known CVEs?). Regular auditing lets you detect security issues before they become incidents and produces the evidence that compliance requirements ask for.
What security auditing covers
| Audit type | What it checks | Tools |
|---|---|---|
| Configuration | Firewall rules, SSH settings, user accounts, permissions | Lynis, manual checks |
| Activity | User logins, sudo usage, file access, command execution | auditd, journald, /var/log/auth.log |
| Integrity | Were system files modified unexpectedly? | aide, debsums |
| Vulnerability | Known CVEs in installed packages | apt list --upgradable, ubuntu-security-status |
Manual audit checklist
```bash
# 1. Privileged accounts
getent passwd | awk -F: '$3 == 0 {print $1}'   # Users with UID 0 (should only be root)
getent group sudo                               # Who has sudo access? (check group adm too)
# 2. SUID/SGID files (potential privilege escalation)
# Prune /proc rather than "grep -v proc": the grep would also hide any path that
# merely contains the string "proc", so a planted /usr/local/bin/procwrap would be missed.
find / -path /proc -prune -o -type f -perm /6000 -print 2>/dev/null
# 3. World-writable files in system directories
# On current Ubuntu /bin and /sbin are symlinks into /usr, so /usr already covers them.
find /etc /bin /sbin /usr -perm -002 -type f 2>/dev/null
# 4. Empty passwords (an empty second field means no password is required)
sudo awk -F: '($2 == "" ) {print $1}' /etc/shadow
# 5. Files in critical locations modified in the last 7 days
find /etc /bin /sbin /usr/bin -mtime -7 -type f 2>/dev/null
# 6. Unauthorized cron jobs and timers
crontab -l                                      # Current user
sudo crontab -l                                 # root
sudo ls /var/spool/cron/crontabs/               # Every user's crontab lives here
ls /etc/crontab /etc/cron.d/ /etc/cron.hourly/ /etc/cron.daily/ /etc/cron.weekly/ /etc/cron.monthly/
systemctl list-timers --all                     # systemd timers schedule jobs as well
```
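The checklist above is usually typed once and forgotten. The script below is an added example, not code from the original article: it turns the account and SUID checks into shell functions that read their data from stdin, so each one can be exercised on constructed passwd, shadow and SUID samples (all made up for this example) before being pointed at a live host, and it diffs the SUID/SGID listing against a saved baseline so only additions and removals surface. The baseline path passed to `audit_host` is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original article): the manual checklist as testable
# shell functions. Sample passwd/shadow/SUID data below is constructed.

# Accounts whose numeric UID is 0 (passwd(5) lines on stdin). Only "root" is expected.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# Accounts with an empty password field (shadow(5) lines on stdin).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }'
}

# Accounts with a usable login shell (passwd(5) lines on stdin); compare with your roster.
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Diff a SUID/SGID baseline file against a current listing file.
# Paths only in the current listing are printed with "+", paths that vanished with "-".
suid_diff() {
    base=$(mktemp) cur=$(mktemp)
    sort -u "$1" >"$base"
    sort -u "$2" >"$cur"
    # comm -3: column 1 = only in baseline (removed), column 2 = only in current (added)
    comm -3 "$base" "$cur" | awk -F'\t' '$1 != "" { print "-" $1 } $2 != "" { print "+" $2 }'
    rm -f "$base" "$cur"
}

# Constructed sample data for demonstration; not taken from a real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
irfan:x:1000:1000:Irfan:/home/irfan:/bin/bash
support:x:0:0:backdoor:/home/support:/bin/bash'

SAMPLE_SHADOW='root:$6$saltsalt$hashhash:19500:0:99999:7:::
irfan:$6$saltsalt$hashhash:19500:0:99999:7:::
guest::19500:0:99999:7:::'

BASELINE_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount'

CURRENT_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/local/bin/backup'

# Run suid_diff on the constructed listings.
demo_suid_diff() {
    b=$(mktemp) c=$(mktemp)
    printf '%s\n' "$BASELINE_SUID" >"$b"
    printf '%s\n' "$CURRENT_SUID" >"$c"
    suid_diff "$b" "$c"
    rm -f "$b" "$c"
}

# Live audit of this host (run as root: /etc/shadow and a full SUID walk need it).
# Usage: audit_host /var/lib/audit-baseline/suid.list   (hypothetical baseline path;
# the first run saves the current listing there, later runs diff against it).
audit_host() {
    echo "== UID 0 accounts";         getent passwd | uid0_accounts
    echo "== empty passwords";        empty_password_accounts </etc/shadow
    echo "== login-capable accounts"; getent passwd | login_shell_accounts
    current=$(mktemp)
    find / -path /proc -prune -o -type f -perm /6000 -print 2>/dev/null >"$current"
    if [ -f "$1" ]; then
        echo "== SUID/SGID changes since baseline"; suid_diff "$1" "$current"
    else
        echo "== no baseline yet; saving current SUID/SGID list to $1"; cp "$current" "$1"
    fi
    rm -f "$current"
}

# Demonstration on the constructed data:
printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts           # root, support
printf '%s\n' "$SAMPLE_SHADOW" | empty_password_accounts # guest
demo_suid_diff                                           # -/usr/bin/mount, +/usr/local/bin/backup
```

Treat every line `suid_diff` prints as something to explain: a new SUID binary outside the package set is one of the most common persistence artefacts, and a removed one can mean a package was replaced by something that no longer needs the bit because it already runs as root.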
Linux audit daemon (auditd)
```bash
sudo apt install -y auditd
# Add audit rules at runtime (examples; rules added this way are lost at reboot):
# Watch /etc/passwd for writes and attribute changes
sudo auditctl -w /etc/passwd -p wa -k passwd_changes
# Log every execve() performed with UID 0. This captures commands run through sudo,
# but also every root process started by cron, systemd and package hooks, so expect volume.
sudo auditctl -a always,exit -F arch=b64 -S execve -F uid=0 -k root_commands
sudo auditctl -l                        # List the rules currently loaded
# Persist rules across reboots in /etc/audit/rules.d/audit.rules (merged by augenrules at start):
sudo nano /etc/audit/rules.d/audit.rules
```
/etc/audit/rules.d/audit.rules — minimal configuration
```
# The shipped copy of this file normally starts with -D (clear existing rules) and
# -b 8192 (kernel buffer size); keep those lines above the rules below.
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/ssh/sshd_config -p wa -k sshd_config
# A read watch on auth.log fires on every read by log shippers and interactive
# tails; keep it only if you will actually review that volume.
-w /var/log/auth.log -p r -k auth_log_read
# Commands executed as root by a logged-in user. auid is the login UID, which stays
# fixed across sudo and su; 4294967295 means "unset" (cron, systemd, boot), so the
# auid filters drop service noise. The b32 line matters on 64-bit hosts: a 32-bit
# binary uses the 32-bit execve and would bypass a b64-only rule.
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_exec
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_exec
```
```bash
sudo systemctl enable --now auditd
sudo augenrules --load                  # Load the rules.d files into the running daemon
sudo auditctl -l                        # Confirm the persisted rules are active
# Search audit logs (-i resolves UIDs, timestamps and syscall numbers to names)
sudo ausearch -k passwd_changes -i             # Events tagged passwd_changes
sudo ausearch -k root_exec --start today -i    # Root command execution today
sudo aureport --summary                        # Activity summary
sudo aureport -x --summary                     # Executables run, most frequent first
```
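The `root_exec` key records two kernel records per command, a SYSCALL record with the identity fields and an EXECVE record with the argument vector, and `ausearch` prints them as-is. The script below is an added example, not code from the original article or the audit project: it joins the two records on the event ID, rebuilds the command line, and drops events whose login UID is unset (auid 4294967295), which is how cron, systemd and package hooks show up under the same key. The audit records embedded here are constructed for the example and their field values are illustrative; real EXECVE arguments that contain spaces or special characters arrive hex-encoded (`ausearch -i` decodes them), and this script leaves such values as they are.

```shell
#!/bin/sh
# Added example (not from the original article): reduce raw SYSCALL/EXECVE record
# pairs from "ausearch -k root_exec --raw" to one line per command run by a human.
summarize_exec_events() {
    awk '
    # Return the value of "name=..." in record s, with surrounding quotes removed.
    function field(s, name,   v) {
        if (!match(s, " " name "=[^ ]*")) return ""
        v = substr(s, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
        gsub(/"/, "", v)
        return v
    }
    {
        # Every record carries msg=audit(TIMESTAMP:ID); ID joins SYSCALL and EXECVE lines.
        if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
        split(substr($0, RSTART, RLENGTH), p, /[(:)]/)
        id = p[3]
    }
    /^type=SYSCALL/ {
        if (!(id in seen)) { seen[id] = 1; order[++n] = id }
        auid[id] = field($0, "auid"); key[id] = field($0, "key"); exe[id] = field($0, "exe")
    }
    /^type=EXECVE/ {
        argc = field($0, "argc") + 0; cmd = ""
        for (i = 0; i < argc; i++) cmd = cmd (i ? " " : "") field($0, "a" i)
        argv[id] = cmd
    }
    END {
        for (j = 1; j <= n; j++) {
            e = order[j]
            if (auid[e] == "4294967295") continue   # no login session: service or cron job
            printf "%s auid=%s key=%s exe=%s argv=%s\n", e, auid[e], key[e], exe[e], argv[e]
        }
    }'
}

# Constructed sample records in ausearch --raw layout (values are illustrative).
# Event 4712 is apt-get started by a timer: euid 0, but auid unset, so it is filtered out.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1749480005.123:4711): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=2201 pid=2202 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined key="root_exec"
type=EXECVE msg=audit(1749480005.123:4711): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1749480010.500:4712): arch=c000003e syscall=59 success=yes exit=0 a0=55e1 a1=55e2 a2=55e3 a3=0 items=2 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apt-get" exe="/usr/bin/apt-get" subj=unconfined key="root_exec"
type=EXECVE msg=audit(1749480010.500:4712): argc=3 a0="apt-get" a1="-y" a2="upgrade"
type=SYSCALL msg=audit(1749480042.777:4713): arch=c000003e syscall=59 success=yes exit=0 a0=55f1 a1=55f2 a2=55f3 a3=0 items=2 ppid=2201 pid=2210 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="root_exec"
type=EXECVE msg=audit(1749480042.777:4713): argc=2 a0="vim" a1="/etc/sudoers"'

# Demonstration on the constructed records:
printf '%s\n' "$SAMPLE_AUDIT" | summarize_exec_events
# Live usage: sudo ausearch -k root_exec --raw --start today | summarize_exec_events
```

The auid is the value to pivot on during an investigation: `ausearch -ua 1000 --start today` returns everything that login session did, across sudo and su, which the real or effective UID cannot give you.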
File integrity monitoring with aide
```bash
sudo apt install -y aide
# Initialize the database (baseline snapshot); this walks the whole filesystem and can take minutes
sudo aideinit
# Creates /var/lib/aide/aide.db.new; copy it into place as the reference database
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Run a check (compare current state to baseline) using Ubuntu's config file
sudo aide --check -c /etc/aide/aide.conf
```
aide check output when a file changed
```
File: /etc/ssh/sshd_config
Mtime : 2026-06-05 09:00:00 | 2026-06-09 14:30:05
SHA256 : abc123... | xyz789...
```
→ sshd_config was modified: expected if you made the change yourself, suspicious otherwise.
```bash
# Update the baseline after intentional changes. --update runs the check and writes a
# fresh aide.db.new in one pass (re-running aideinit works too but rescans from scratch).
sudo aide --update -c /etc/aide/aide.conf
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Daily integrity report by mail. Note that the Ubuntu aide package already installs a
# daily check (/etc/cron.daily/aide, a systemd timer on newer releases) that mails the
# MAILTO address from /etc/default/aide, so set that before adding a second job. A custom
# entry like the one below needs a working mail(1), e.g. from the mailutils package.
echo "0 3 * * * root /usr/bin/aide --check -c /etc/aide/aide.conf | mail -s 'AIDE Report' irfan@company.com" | sudo tee /etc/cron.d/aide
```
Regular audit practices
```bash
# Weekly: accounts that can log in interactively (compare against your list of expected users)
getent passwd | awk -F: '$7 !~ /nologin|false/ {print $1}'
# Monthly: review sudo logs (sudo: lines minus the pam_unix session noise)
sudo grep "sudo:" /var/log/auth.log | grep -v "session" | tail -50
# Hosts without rsyslog have no /var/log/auth.log; query journald instead
sudo journalctl _COMM=sudo --since -30d --no-pager | grep -v "session"
# After changes: run Lynis (sudo apt install -y lynis); the full report is written to /var/log/lynis-report.dat
sudo lynis audit system 2>/dev/null | grep "WARNING\|SUGGESTION"
# Check package integrity (sudo apt install -y debsums); -c lists only files whose checksum no longer matches
sudo debsums -c
```
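Fifty raw sudo lines are hard to review because the interesting ones (denials, failed passwords, commands that change who is root) are mixed in with routine `apt update` runs. The script below is an added example, not code from the original article: it classifies each sudo log line by outcome, flags commands that touch credential or privilege files or spawn a root shell, and counts events per user, so the monthly review starts from the exceptions. It accepts both the `sudo:` form found in /var/log/auth.log and the `sudo[PID]:` form printed by `journalctl`. The log lines embedded here are constructed for this example, and the list of "sensitive" patterns is an assumption to adjust for your environment.

```shell
#!/bin/sh
# Added example (not from the original article): triage sudo log lines.
# Output: "<status> <user> <command>[ SENSITIVE]" with status ok, denied or badpass.
classify_sudo() {
    awk '
    /sudo(\[[0-9]+\])?: / && /COMMAND=/ {
        rest = $0; sub(/.*sudo(\[[0-9]+\])?: +/, "", rest)   # "USER : TTY=... ; COMMAND=..."
        user = rest; sub(/ .*/, "", user)
        cmd = $0; sub(/.*COMMAND=/, "", cmd)
        status = "ok"
        if (rest ~ /user NOT in sudoers/)              status = "denied"
        else if (rest ~ /incorrect password attempts/) status = "badpass"
        # Commands that change who has root, read credentials, or spawn a root shell.
        # Pattern list is an assumption of this example; extend it for your environment.
        flag = ""
        if (cmd ~ /\/etc\/(sudoers|shadow|gshadow|passwd)|\/((ba|da)?sh|su|visudo|usermod|useradd)( |$)/)
            flag = " SENSITIVE"
        printf "%s %s %s%s\n", status, user, cmd, flag
    }'
}

# Count events per user and outcome; reads classify_sudo output on stdin.
sudo_summary() {
    awk '{ n[$2 " " $1]++ } END { for (k in n) print k, n[k] }' | sort
}

# Constructed sample log lines: four auth.log-style entries and one journalctl-style entry.
SAMPLE_AUTH_LOG='Jun  9 14:30:05 web1 sudo:    irfan : TTY=pts/0 ; PWD=/home/irfan ; USER=root ; COMMAND=/usr/bin/apt update
Jun  9 14:30:06 web1 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by irfan(uid=1000)
Jun  9 14:31:40 web1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Jun  9 14:32:10 web1 sudo:    irfan : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/irfan ; USER=root ; COMMAND=/bin/bash
Jun 09 14:35:00 web1 sudo[4123]:    irfan : TTY=pts/0 ; PWD=/home/irfan ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers'

# Demonstration on the constructed lines:
printf '%s\n' "$SAMPLE_AUTH_LOG" | classify_sudo
printf '%s\n' "$SAMPLE_AUTH_LOG" | classify_sudo | sudo_summary
# Live usage: sudo cat /var/log/auth.log | classify_sudo | grep -v '^ok'
#         or: sudo journalctl _COMM=sudo --since -30d --no-pager | classify_sudo | sudo_summary
```

A `denied` line for an account that should not have sudo at all, or a `badpass` line followed shortly by an `ok` for the same user, is worth correlating with the auditd `root_exec` events for that session before deciding it was a typo.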
Conclusion
Security auditing is an ongoing process, not a one-time task. Automate what you can: aide for file integrity (daily cron), auditd for activity logging, and Lynis for periodic configuration assessment. Review audit logs regularly — the value of logging is zero if you never look at the output. Focus on changes: unauthorized new user accounts, unexpected SUID files, recently modified system config files, and sudo activity are the key indicators to monitor.
FAQ
Is Security Auditing important for Ubuntu administrators?
Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, and daily operations.
Should I practice this on a live server?
Use a lab VM first. After you understand the command output and the rollback path, apply the workflow carefully on real systems.
What should I do after reading this article?
Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.
Need help with Ubuntu administration?
Work directly with Muhammad Irfan Aslam for Ubuntu Server, Linux, cloud, Docker, DevOps, CI/CD, or infrastructure troubleshooting support.