System Updates
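# Check for available updates
sudo apt update && apt list --upgradable
# Ensure automatic security updates are enabled
# Installed is not the same as enabled. The package line should show status
# "ii" ("rc" means removed with config files left behind).
dpkg -l | grep unattended-upgrades
# The periodic job must also be switched on: both values should be "1".
# No output means the settings are not configured.
apt-config dump | grep -E 'APT::Periodic::(Update-Package-Lists|Unattended-Upgrade) '
# Check last update time
# pkgcache.bin is rewritten when apt rebuilds its cache, so its mtime only
# approximates the last package-list refresh. It does not show that upgrades
# were actually installed.
stat /var/cache/apt/pkgcache.bin
# Most recent install/upgrade transactions
grep -E '^Start-Date' /var/log/apt/history.log | tail -5

User Accounts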
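# List users with login shells
# Match on the shell field only (field 7). A grep on the whole line also drops
# accounts whose name or comment field merely contains "nologin" or "false".
awk -F: '$7 !~ /(nologin|false)$/' /etc/passwd
# Check for accounts with empty passwords
sudo awk -F: '($2 == "") {print $1}' /etc/shadow
# Check for unauthorized root-level accounts (UID 0)
# Only "root" should be printed.
awk -F: '($3 == 0) {print $1}' /etc/passwd
# Review sudo access
# /etc/sudoers is readable by root only. Keep "#include"/"#includedir" lines:
# they start with "#" but are directives, not comments.
sudo grep -E '^[[:space:]]*([^#[:space:]]|#include)' /etc/sudoers
# Drop-in files: check ownership and mode (expect root-owned, 0440), then read
# the rules themselves. A listing alone does not show what they grant.
ls -la /etc/sudoers.d/
sudo grep -rE '^[[:space:]]*([^#[:space:]]|#include)' /etc/sudoers.d/
# If a rule grants rights to a group (e.g. "%sudo"), review its members too
getent group sudo

SSH Security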
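# Verify these settings in /etc/ssh/sshd_config
# The file alone can mislead: commented-out directives fall back to built-in
# defaults, and Include'd drop-ins (commonly /etc/ssh/sshd_config.d/*.conf) or
# Match blocks can override it. sshd -T prints the effective global settings
# (keywords in lower case).
sudo sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication|pubkeyauthentication|port) '
# Directives set explicitly in the main file (a Port line is also printed if one is set)
grep -E "^(PermitRootLogin|PasswordAuthentication|PubkeyAuthentication|Port)" /etc/ssh/sshd_config

Expected output: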
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

Firewall
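# Check if firewall is active
sudo ufw status verbose
# or
# iptables covers IPv4 only, so list the IPv6 rules as well. A chain with
# policy ACCEPT and no rules filters nothing.
sudo iptables -L -n --line-numbers
sudo ip6tables -L -n --line-numbers
# or
sudo nft list ruleset

Listening Services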
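# Show all listening ports
# -u adds UDP sockets; sudo lets -p name processes owned by other users.
sudo ss -tulnp
# Check for unexpected listeners
# Anchor the loopback filter to a whole address: a bare "::1" also matches
# addresses such as [2001:db8::1] and would hide those listeners.
sudo ss -tulnp | grep -vE '[[:space:]](127\.0\.0\.1|\[::1\]):'

File Permissions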
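# Check for world-writable files
# Prune /proc inside find: "grep -v proc" would drop every path that merely
# contains the string "proc". Run with sudo to cover directories your user
# cannot read.
find / -path /proc -prune -o -perm -0002 -type f -print 2>/dev/null
# World-writable directories without the sticky bit (any user can delete or
# replace other users' files there)
find / -path /proc -prune -o -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
# Check SUID binaries
# Compare against a list saved from a known-good install; investigate new entries.
find / -perm -4000 -type f 2>/dev/null
# Verify SSH key permissions
# Expect 700 for ~/.ssh and 600 (or stricter) for authorized_keys, both owned
# by the account itself.
stat -c "%a %U" ~/.ssh ~/.ssh/authorized_keys

Log Review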
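# Failed login attempts
# auth.log is normally readable only by root and the adm group. tail shows just
# the latest entries; rotated files (auth.log.1, *.gz) hold older ones.
# On hosts that log only to the journal, query the SSH unit instead,
# e.g. "sudo journalctl -u ssh".
sudo grep "Failed password" /var/log/auth.log | tail -20
# Successful logins
# Check users, source addresses and times against what you expect.
sudo grep "Accepted" /var/log/auth.log | tail -20
# Check for rootkits
# rkhunter compares files against a stored property baseline; create it with
# "sudo rkhunter --propupd" while the system is known to be clean. Warnings
# need manual review, and a scanner installed on an already compromised host
# can be deceived, so treat a clean result as weak evidence.
sudo apt install -y rkhunter
sudo rkhunter --check

Automated Auditing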
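# Install Lynis for comprehensive auditing
sudo apt install -y lynis
# By default, findings are also written to /var/log/lynis.log and
# /var/log/lynis-report.dat.
sudo lynis audit system

Lynis produces a detailed report with a hardening index score and specific recommendations.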