Linux Server Security Audit Checklist
Run through this checklist monthly to maintain a secure server.
System Updates
- [ ] Run `apt update && apt upgrade -y` (or `dnf update -y`)
- [ ] Check for kernel updates: compare `uname -r` against the latest available kernel
- [ ] Reboot if a new kernel was installed
Authentication and Access
- [ ] Review `/var/log/auth.log` for unexpected successful logins: `grep "Accepted" /var/log/auth.log | tail -30`
- [ ] Check for unexpected users: `cat /etc/passwd | grep -v nologin | grep -v false`
- [ ] Verify there are no unknown SSH authorized keys: `cat ~/.ssh/authorized_keys`
- [ ] Check that Fail2Ban is running: `systemctl status fail2ban`
Firewall and Services
- [ ] Review open ports: `ss -tulpn`
- [ ] Check UFW rules: `ufw status verbose`
- [ ] Disable any services you no longer need
Cron Jobs
- [ ] Review the root crontab: `crontab -l`
- [ ] Check system cron: `ls /etc/cron.d/ && cat /etc/crontab`
- [ ] Look for unexpected cron jobs
Disk and Logs
- [ ] Check disk usage: `df -h`; alert if any partition is more than 85% full
- [ ] Verify backups ran: check the backup log or manually verify the backup files
- [ ] Review error logs: `journalctl -p err --since "7 days ago"`
SSL Certificates
- [ ] Check expiry: `certbot certificates`
- [ ] Test renewal: `certbot renew --dry-run`
Rootkit Scan
- [ ] Run rkhunter: `rkhunter --check --skip-keypress`
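The System Updates, Authentication and Access, and Disk and Logs items above can be scripted so the monthly run is repeatable and its results can be diffed from month to month. The POSIX shell helpers below are an added example written for this page, not part of the original checklist; each reads its input from stdin or arguments, so it works on live output (`df -hP`, `/etc/passwd`, `/var/log/auth.log`) as well as on saved copies. The `--live` flag, the 85% threshold and the `/boot/vmlinuz-*` naming used to find the newest installed kernel are assumptions.

```shell
#!/bin/sh
# Added example for the checklist above; not part of the original page.
# Every helper reads stdin (or arguments) so it can be pointed at live output
# or at a saved copy for offline review.

# Disk and Logs: print mount points whose Use% exceeds the threshold (default 85,
# an assumed value) from `df -hP` output; -P keeps each filesystem on one line.
disk_over_threshold() {
  awk -v t="${1:-85}" 'NR > 1 { pct = $5; sub(/%/, "", pct); if (pct + 0 > t) print $6, pct "%" }'
}

# Authentication and Access: list passwd-format accounts whose login shell is
# neither nologin nor false; compare this list against your known-user list.
login_accounts() {
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Authentication and Access: print "user source-ip" for each accepted SSH login in
# auth.log-format input, so an unexpected user/source pair stands out at a glance.
accepted_logins() {
  awk '/sshd\[[0-9]+\]: Accepted / {
    u = ""; ip = ""
    for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i + 1); if ($i == "from") ip = $(i + 1) }
    print u, ip
  }'
}

# System Updates: succeed (exit 0) when the running kernel ($1) differs from the
# newest installed kernel ($2), i.e. when the "reboot after kernel update" item applies.
kernel_needs_reboot() {
  [ "$1" != "$2" ]
}

# Touch the live system only when explicitly asked (assumed flag), so sourcing
# this file to use the helpers on saved input has no side effects.
if [ "${1:-}" = "--live" ]; then
  echo "== partitions over 85% =="; df -hP | disk_over_threshold 85
  echo "== accounts with an interactive shell =="; login_accounts < /etc/passwd
  [ -r /var/log/auth.log ] && { echo "== accepted SSH logins =="; accepted_logins < /var/log/auth.log; }
  # Assumes Debian/Ubuntu-style /boot/vmlinuz-<version> kernel images.
  newest=$(ls /boot/vmlinuz-* 2>/dev/null | sed 's#.*/vmlinuz-##' | sort -V | tail -1)
  kernel_needs_reboot "$(uname -r)" "$newest" && echo "reboot needed: running $(uname -r), installed $newest"
fi
```

Save the helpers and run `sh audit-helpers.sh --live` for the monthly pass, or pipe a saved `df -hP` or `auth.log` copy into the individual functions when reviewing a snapshot.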