Essential Linux Security Audit Checklist: 11 Steps to Detect Compromise

This guide walks you through eleven systematic Linux security checks—including account inspection, log review, process analysis, file integrity, RPM verification, network monitoring, scheduled tasks, backdoor detection, kernel modules, services, and rootkit scans—to help identify potential system compromises.


1. Verify Privileged and Empty‑Password Accounts

Inspect the system’s password and shadow files to identify accounts with UID 0 or without a password:

# less /etc/passwd
# grep ':0:' /etc/passwd            # users with UID or GID 0
# ls -l /etc/passwd                 # check modification time of the file
# awk -F: '$3==0 {print $1}' /etc/passwd   # list privileged usernames
# awk -F: 'length($2)==0 {print $1}' /etc/shadow   # list accounts that have an empty password field
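The same three account checks packaged as shell functions, written as an added example for this article rather than taken from it. The functions take the passwd and shadow files as arguments so they can be exercised on the constructed sample pair that write_samples produces (the users toor, svc and alice in it are made up for the demonstration); for a real audit run them as root against /etc/passwd and /etc/shadow. The third check, which reports users present in one file but not the other, goes beyond the article's two commands.

```shell
#!/bin/sh
# Added example (not from the original article): audit a passwd/shadow pair
# for extra UID-0 accounts, empty password fields and passwd/shadow mismatches.

# Print every username whose UID field is 0. Only "root" is expected.
uid0_accounts() {            # $1 = passwd file
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print every username whose password hash field is empty (no password required).
empty_password_accounts() {  # $1 = shadow file
    awk -F: 'length($2) == 0 { print $1 }' "$1"
}

# Print users that appear in only one of the two files. A passwd entry without a
# shadow line, or a shadow line for an unknown user, needs an explanation.
mismatched_accounts() {      # $1 = passwd file, $2 = shadow file
    tmp=$(mktemp -d)
    cut -d: -f1 "$1" | sort > "$tmp/pw_users"
    cut -d: -f1 "$2" | sort > "$tmp/sh_users"
    comm -3 "$tmp/pw_users" "$tmp/sh_users" | tr -d '\t'
    rm -rf "$tmp"
}

# Constructed sample files for the demonstration: "toor" is a second UID-0
# account, "svc" has an empty hash, and "alice" has no shadow entry.
write_samples() {            # $1 = directory to write into
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/bash
svc:x:1001:1001:service:/home/svc:/bin/bash
alice:x:1002:1002:alice:/home/alice:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$saltsalt$hashhashhashhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
toor:$6$saltsalt$hashhashhashhash:19700:0:99999:7:::
svc::19700:0:99999:7:::
EOF
}
```

To try it on the sample data: `d=$(mktemp -d); write_samples "$d"; uid0_accounts "$d/passwd"` prints root and toor, and `empty_password_accounts "$d/shadow"` prints svc.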

2. Review Authentication Logs

Show recent login sessions, then scan the system logs (for example /var/log/messages, /var/log/secure, or the kernel ring buffer shown by dmesg) for abnormal entries such as “entered promiscuous mode”, unusual error strings, or RPC logs containing long sequences of non‑ASCII characters (e.g., more than 20 strange symbols):

# last

3. Examine Running Processes

List all processes, highlight those owned by root, and inspect the files or network sockets opened by a specific PID:

# ps aux                          # full process list; note any entries owned by root (UID 0)
# lsof -p PID                     # list open files and ports for the given PID
# grep -v "^#" /etc/inetd.conf    # enabled inetd services

Detect hidden or duplicated processes by comparing the PID list from ps with the entries present in /proc:

# ps -ef | awk 'NR>1 {print $2}' | sort -n | uniq > /tmp/ps_pids   # PIDs as ps reports them
# ls /proc | grep -E '^[0-9]+$' | sort -n > /tmp/proc_pids         # numeric /proc entries only
# diff /tmp/ps_pids /tmp/proc_pids                                 # a PID only in /proc deserves a look
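The comparison above as shell functions, added here as an example and not part of the original article. pids_missing_from_ps is the pure comparison and runs on the constructed PID lists in the test; snapshot_and_compare takes both lists from the live host. The third function goes beyond the article: a rootkit that filters directory listings of /proc hides from ps and ls alike, since both read the directory, so it probes /proc/<n> by path for every n up to a limit (32768 by default; pass the value of /proc/sys/kernel/pid_max for full coverage, which takes much longer in sh) and reports entries that ps did not list.

```shell
#!/bin/sh
# Added example (not from the original article): find PIDs that the kernel
# knows about but ps does not report.

# Print PIDs present in the second list but absent from the first.
# $1 = file of PIDs as reported by ps, $2 = file of numeric /proc entries.
pids_missing_from_ps() {
    tmp=$(mktemp -d)
    sort -u "$1" > "$tmp/ps"        # comm needs lexically sorted input
    sort -u "$2" > "$tmp/proc"
    comm -13 "$tmp/ps" "$tmp/proc" | sort -n
    rm -rf "$tmp"
}

# Take both snapshots on the live host. A PID that only shows up in /proc is
# often just a process started between the two commands (ls itself, for one),
# so rerun before treating a single hit as hidden.
snapshot_and_compare() {
    tmp=$(mktemp -d)
    ps -e -o pid= | tr -d ' ' > "$tmp/ps"
    ls /proc | grep -E '^[0-9]+$' > "$tmp/proc"
    pids_missing_from_ps "$tmp/ps" "$tmp/proc"
    rm -rf "$tmp"
}

# Probe /proc/<n> by path instead of listing the directory. Thread IDs are
# reachable by path too, so the reference list is taken per thread (-L, lwp)
# to avoid reporting every thread of every process. $1 = highest PID to probe.
probe_unlisted_pids() {
    max=${1:-32768}
    ref=$(mktemp)
    ps -eL -o lwp= | tr -d ' ' | sort -u > "$ref"
    n=1
    while [ "$n" -le "$max" ]; do
        if [ -d "/proc/$n" ] && ! grep -qx "$n" "$ref"; then
            echo "$n $(tr '\0' ' ' < "/proc/$n/cmdline" 2>/dev/null)"
        fi
        n=$((n + 1))
    done
    rm -f "$ref"
}
```

Processes that start or exit while the probe runs produce one-off hits; a PID that is reported on two consecutive runs and still has no ps entry is the one worth examining with lsof -p.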

4. Scan the Filesystem for Suspicious Objects

Search for set‑UID binaries, unusually large files, files with problematic names, and core dump files:

# find / -uid 0 -perm -4000 -print               # SUID files owned by root
# find / -size +10000k -print                     # files larger than 10 MiB
# find / -name "* *" -print                       # names containing spaces
# find / -name ".. " -print                       # "dot dot space": a name chosen to look like the parent directory
# find / -name ". " -print                        # "dot space": a name chosen to look like the current directory
# find / -name "core" -exec ls -l {} \;           # core dumps, which may hold data from a crashed or attacked program

Identify which package owns a critical binary and compute its checksum so it can be compared with a known-good copy (rpm -qf only reports the owning package; the database verification in step 5 checks the file against what the package recorded):

# rpm -qf /bin/ls
# rpm -qf /bin/login
# md5sum -b FILE
# md5sum -t FILE

5. Verify RPM Package Consistency

Run a full verification of all installed RPM packages. Each output line starts with a nine‑character field in which every position reports one attribute: a dot means the attribute matches the package database, a letter marks a mismatch, and a c after the field marks a configuration file, which often differs legitimately:

# rpm -Va

Flag legend:

S – file size differs
M – mode (permissions and file type) differs
5 – file digest differs (historically an MD5 sum; modern packages record SHA‑256)
D – device major/minor number mismatch
L – readlink(2) path mismatch
U – user ownership differs
G – group ownership differs
T – modification time differs
P – file capabilities differ (the ninth position on current rpm releases)

Pay special attention to binaries under /sbin, /bin, /usr/sbin, and /usr/bin.
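A small triage filter for rpm -Va output, added here as an example rather than taken from the article. It reads saved verification output, reports missing files, skips configuration, documentation and ghost files (the c, d and g attribute markers), ignores lines where only the modification time changed, and flags binaries under the four directories named above whose size, mode, digest or ownership differs. The sample output that write_sample_verify_output creates is constructed for the demonstration and does not describe any real package.

```shell
#!/bin/sh
# Added example (not from the original article): reduce rpm -Va output to the
# lines that matter for a compromise check.

# $1 = file containing rpm -Va output (e.g. from: rpm -Va > /tmp/rpm-va.txt)
triage_rpm_verify() {
    awk '
    /^missing/ { print "MISSING " $NF; next }
    {
        flags = $1; path = $NF
        attr = (NF == 3) ? $2 : ""
        # config, documentation and ghost files change legitimately; skip them
        if (attr == "c" || attr == "d" || attr == "g") next
        # only binaries in /bin, /sbin, /usr/bin and /usr/sbin are of interest here
        if (path !~ /^\/(usr\/)?s?bin\//) next
        # S, M, 5, U or G on a binary is a real change; T alone is usually noise
        if (flags ~ /[SM5UG]/) print "CHANGED " flags " " path
    }' "$1"
}

# Constructed sample verification output: ls and sshd were altered, cat only
# has a new mtime, sshd_config is a config file, and ss has been deleted.
write_sample_verify_output() {   # $1 = output path
    cat > "$1" <<'EOF'
S.5....T.    /usr/bin/ls
.......T.    /usr/bin/cat
.M.......    /usr/sbin/sshd
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/sbin/ss
..5......  d /usr/share/doc/foo/README
.......T.    /usr/lib64/libfoo.so
EOF
}
```

Keep in mind that rpm -Va trusts the local package database, which an intruder with root can edit; when a binary is in doubt, verify it against the original package file with rpm -Vp, or against a checksum list kept off the host.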

6. Inspect Network Interfaces and Connections

Detect network interfaces that have been placed in promiscuous mode (a common sign of packet sniffers) and list all open network sockets:

# ip link | grep PROMISC          # interfaces should not be in PROMISC mode
# lsof -i                         # open network files
# netstat -nap                    # all TCP/UDP sockets with their owning process (add -l for listening sockets only)
# arp -a                          # ARP table entries

7. Review Scheduled Tasks

Enumerate cron jobs for the root user and system‑wide cron directories:

# crontab -u root -l
# cat /etc/crontab
# ls /etc/cron.*

8. Search for Common Backdoor Locations

Check files and directories that are frequently used to hide backdoors, especially those with set‑UID permissions:

# cat /etc/crontab
# ls /var/spool/cron/
# cat /etc/rc.d/rc.local
# ls /etc/rc.d
# ls /etc/rc3.d
# find / -type f -perm -4000 -print   # all SUID files on the system
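The SUID search in steps 4 and 8 is most useful when today's list is compared against a baseline recorded when the host was known good. The functions below are an added example, not part of the article: suid_snapshot records SUID and SGID files on local filesystems (-xdev keeps find out of /proc and network mounts, so run it once per mounted filesystem), and suid_diff reports what appeared or disappeared relative to the baseline. The two lists that write_sample_suid_lists creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): track SUID/SGID files against
# a known-good baseline instead of reading the whole find output each time.

# Record SUID and SGID regular files on the local filesystem rooted at $2
# (default /), sorted, into $1.
suid_snapshot() {      # $1 = output file, $2 = filesystem root to scan
    find "${2:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | sort > "$1"
}

# Compare a trusted baseline against a current snapshot (both produced by sort).
suid_diff() {          # $1 = baseline list, $2 = current list
    comm -13 "$1" "$2" | sed 's/^/ADDED   /'
    comm -23 "$1" "$2" | sed 's/^/REMOVED /'
}

# Constructed sample lists: the current snapshot has a new SUID file under /tmp
# and has lost /usr/bin/su.
write_sample_suid_lists() {   # $1 = directory to write into
    printf '%s\n' /usr/bin/passwd /usr/bin/su /usr/bin/sudo | sort > "$1/baseline"
    printf '%s\n' /usr/bin/passwd /usr/bin/sudo /tmp/.cache/helper | sort > "$1/current"
}
```

Store the baseline somewhere the host cannot alter it (an offline copy or a read-only share); a baseline kept on the audited host can be edited along with the files it describes.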

9. List Loaded Kernel Modules

Show all currently loaded kernel modules, which may include malicious or unexpected modules:

# lsmod

10. Examine System Services

List services that are enabled at boot and display RPC service registrations:

# chkconfig --list
# rpcinfo -p

11. Detect Rootkits

Run widely used rootkit detection tools to identify known signatures and hidden components:

# rkhunter -c
# chkrootkit -q

Executing the above eleven checks provides a systematic baseline for detecting a compromised Linux host and helps security teams prioritize remediation steps.

Tags: Linux, security audit, Rootkit, forensics, System Hardening
Written by

Big Data and Microservices

Focused on big data architecture, AI applications, and cloud‑native microservice practices, we dissect the business logic and implementation paths behind cutting‑edge technologies. No obscure theory—only battle‑tested methodologies: from data platform construction to AI engineering deployment, and from distributed system design to enterprise digital transformation.
