How to Perform a Detailed Security Audit of a Debian System on Debian 12 Bookworm

This article provides a step-by-step guide to perform a detailed security audit of a Debian 12 Bookworm system.

Security auditing is a vital part of system administration, especially when managing servers or infrastructure exposed to the internet. Debian 12 Bookworm, like its predecessors, provides a stable and secure foundation for production systems. However, security is not just about the operating system—it’s about how you configure, monitor, and maintain it.

In this article, we’ll walk you through a comprehensive step-by-step guide to performing a detailed security audit of a Debian 12 Bookworm system. Whether you’re a system administrator, security analyst, or power user, this guide aims to give you the tools and insights to improve the security posture of your Debian system.

1. Preparation: Understanding the System

Before diving into commands and tools, you should gain an understanding of:

  • The system’s role (web server, database server, development environment, etc.)
  • Who manages it and how it’s accessed (SSH, GUI, etc.)
  • The expected behavior (which services should be running?)

To gather system info:

uname -a
cat /etc/os-release
hostnamectl
uptime

Also, document the network configuration:

ip a
ip r
nmcli device show

2. System Updates and Patch Management

One of the simplest yet most critical steps in system security is ensuring the system is fully up to date.

Check and apply updates

sudo apt update && sudo apt upgrade
sudo apt full-upgrade

Review unattended-upgrades

Debian supports automatic security updates via unattended-upgrades.

Install and configure it:

sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

Verify that /etc/apt/apt.conf.d/50unattended-upgrades is configured to automatically update packages from security repositories.
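
Checking that file by eye is easy to get wrong because a commented-out origin line looks almost identical to an active one. The script below is an added example, not part of the article: it inspects the two files the Debian package installs, 50unattended-upgrades (which origins may be upgraded) and 20auto-upgrades (whether APT's periodic job runs at all), and reports OK/FAIL for each. The file paths are the standard Debian 12 locations; the sample configs it writes are constructed for offline testing.

```shell
#!/bin/sh
# Added example (not part of the article): verify that unattended-upgrades will actually
# apply security updates. Alternative paths can be passed as arguments, for instance
# when auditing a mounted image.

# 0 if at least one uncommented Origins-Pattern entry names the Debian-Security label.
security_origin_enabled() {
  conf="${1:-/etc/apt/apt.conf.d/50unattended-upgrades}"
  [ -r "$conf" ] || return 2
  # strip '//' comment lines first so a commented-out pattern is not counted as active
  grep -v '^[[:space:]]*//' "$conf" | grep -q 'label=Debian-Security'
}

# 0 if 20auto-upgrades enables both the package-list refresh and the upgrade run.
periodic_enabled() {
  conf="${1:-/etc/apt/apt.conf.d/20auto-upgrades}"
  [ -r "$conf" ] || return 2
  grep -Eq '^APT::Periodic::Update-Package-Lists[[:space:]]+"1";' "$conf" &&
    grep -Eq '^APT::Periodic::Unattended-Upgrade[[:space:]]+"1";' "$conf"
}

# Print an OK/FAIL line per check; exit 0 only when both pass.
report_unattended_upgrades() {
  status=0
  if security_origin_enabled "$1"; then echo "OK   Debian-Security origin is active"
  else echo "FAIL no active Debian-Security origin pattern"; status=1; fi
  if periodic_enabled "$2"; then echo "OK   APT::Periodic unattended upgrades enabled"
  else echo "FAIL APT::Periodic settings missing or disabled"; status=1; fi
  return $status
}

# Constructed sample configs for offline testing: one compliant pair, one with the
# security origin commented out and the periodic upgrade switched off.
write_samples() {
  dir=$(mktemp -d)
  cat > "$dir/50-good" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
EOF
  cat > "$dir/50-bad" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
//      "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
EOF
  printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' > "$dir/20-good"
  printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "0";\n' > "$dir/20-bad"
  echo "$dir"
}

# Usage: sh check-unattended.sh --live   (audits the live system)
#        sh check-unattended.sh --demo   (runs against the constructed non-compliant samples)
case "${1:-}" in
  --live) report_unattended_upgrades ;;
  --demo) d=$(write_samples); report_unattended_upgrades "$d/50-bad" "$d/20-bad"; rm -rf "$d" ;;
esac
```

A FAIL on the second check is what you see when the package is installed but dpkg-reconfigure was never run: the origins file is present, yet nothing ever triggers the upgrade.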


3. User Account and Authentication Audit

List all users

cut -d: -f1 /etc/passwd

Check for UID 0 (root access)

awk -F: '$3 == 0 { print $1 }' /etc/passwd

Only the root account should have UID 0. Remove or disable any others.

Review login access

sudo lastlog

Disable unused accounts:

sudo usermod -L username

Review sudo permissions

sudo cat /etc/sudoers
sudo ls /etc/sudoers.d/

Ensure only trusted users have administrative rights.


4. Filesystem and Permission Audit

World-writable files

sudo find / -xdev -type f -perm -0002

SUID/SGID files

sudo find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls

Review whether each is necessary. Misconfigured SUID binaries are common attack vectors.
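
Reviewing the full find output on every audit is tedious and error-prone; what you actually want to know is what changed since the list was last reviewed. The script below is an added example, not part of the article: it records the SUID/SGID list as a baseline and later reports only additions and removals. The BASELINE path is an assumption, and the two sample lists are constructed.

```shell
#!/bin/sh
# Added example (not part of the article): baseline comparison for setuid/setgid files.
# BASELINE is an assumed path; in practice keep it on read-only or off-host storage so
# it cannot be edited along with the binary it is meant to catch.
BASELINE="${BASELINE:-/var/lib/audit-baseline/suid.list}"

# Current SUID/SGID files, one path per line, in byte order (what comm expects).
# Same find expression as the article, with -ls dropped so only paths are kept.
scan_suid() {
  find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | LC_ALL=C sort
}

# Compare two sorted lists: "+ path" for entries only in the current list,
# "- path" for entries only in the baseline. Exit 0 if identical, 1 if not.
suid_diff() {
  LC_ALL=C comm -13 "$1" "$2" | sed 's/^/+ /'
  LC_ALL=C comm -23 "$1" "$2" | sed 's/^/- /'
  cmp -s "$1" "$2"
}

# Constructed sample: a reviewed baseline and a later scan in which /usr/bin/su is
# gone and an unreviewed setuid helper has appeared.
write_samples() {
  dir=$(mktemp -d)
  printf '/usr/bin/passwd\n/usr/bin/su\n/usr/bin/sudo\n' > "$dir/baseline"
  printf '/usr/bin/passwd\n/usr/bin/sudo\n/usr/local/bin/helper\n' > "$dir/current"
  echo "$dir"
}

# Usage: sudo sh suid-audit.sh --save    (record a baseline after manual review)
#        sudo sh suid-audit.sh --check   (report changes; non-zero exit when found)
#        sh suid-audit.sh --demo         (run against the constructed sample)
case "${1:-}" in
  --save)  mkdir -p "$(dirname "$BASELINE")" && scan_suid > "$BASELINE" ;;
  --check) cur=$(mktemp); scan_suid > "$cur"; suid_diff "$BASELINE" "$cur"; rc=$?; rm -f "$cur"; exit "$rc" ;;
  --demo)  d=$(write_samples); suid_diff "$d/baseline" "$d/current"; rm -rf "$d" ;;
esac
```

Re-run --save only after each reported change has been explained (a package upgrade, a deliberate install); an unexplained "+" line is the finding this check exists for.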

Check for unauthorized cron jobs

ls /etc/cron.*
crontab -l

5. Service and Network Port Audit

List all active services

sudo systemctl list-units --type=service --state=running

List listening ports

sudo ss -tuln

Identify unexpected open ports. If a service doesn’t need to be listening on the network, disable it.
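
"Unexpected" only has meaning against the list of ports you decided on in step 1. The script below is an added example, not part of the article: it reads ss -tuln output from stdin, ignores sockets bound only to loopback (they are not reachable from the network), and prints every remaining listener whose port is not on your allowlist. The embedded ss output is constructed from documentation addresses.

```shell
#!/bin/sh
# Added example (not part of the article): flag network-reachable listeners that are
# not on an allowlist of expected ports. Input is `ss -tuln` output on stdin; the
# allowlist is a space-separated list of port numbers.

# Print "<proto> <address> <port>" for each unexpected exposed listener; exit 1 if any.
unexpected_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                                  # column header line
    {
      sock = $5                                       # e.g. 0.0.0.0:22 or [::]:22
      port = sock; sub(/.*:/, "", port)               # text after the last colon
      addr = sock; sub(/:[^:]*$/, "", addr)           # text before the last colon
      if (addr ~ /^127\./ || addr == "[::1]") next    # loopback only: not network-reachable
      if (!(port in ok)) { print $1, addr, port; found = 1 }
    }
    END { exit found ? 1 : 0 }'
}

# Constructed `ss -tuln` output, used for the demo and tests.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0           0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128         0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096      127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      128         0.0.0.0:8080       0.0.0.0:*
tcp   LISTEN 0      128            [::]:22            [::]:*'

# Usage: sudo ss -tuln | sh port-audit.sh --live "22 80 443"
#        sh port-audit.sh --demo
case "${1:-}" in
  --live) unexpected_listeners "${2:-22}" ;;
  --demo) printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22" ;;
esac
```

On the sample, allowing only port 22 flags the DHCP client on udp/68 and the web service on tcp/8080 while the database bound to 127.0.0.1 passes, which is the distinction a port review is really about: what is exposed, not what is listening.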


6. Firewall and Network Configuration

Use ufw (Uncomplicated Firewall) or iptables/nftables to manage firewall rules.

Enable and configure UFW

sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw enable

Review firewall rules

sudo ufw status verbose

Alternatively, for nftables:

sudo nft list ruleset

Check /etc/nftables.conf for persistent rules.


7. Log Auditing and Log Management

Debian 12 uses journald by default. Review logs for anomalies:

journalctl -p err -b

Review login attempts

journalctl _COMM=sshd
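
Raw sshd journal output is long; what you want from it is a count of failed attempts per source and a list of who actually got in. The script below is an added example, not part of the article: pipe the journalctl command above into it. The log lines it embeds are constructed in journalctl's default short format, using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not part of the article): summarise sshd authentication events so
# repeated failures and unexpected successful logins stand out.
#   journalctl _COMM=sshd --since today | sh sshd-audit.sh --live

# Failed password attempts per source address, most frequent first: "<count> <ip>".
failed_by_source() {
  awk '/Failed password for/ { for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++ }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Source addresses with at least $1 failures (a simple password-guessing indicator).
sources_over_threshold() {
  failed_by_source | awk -v min="$1" '$1 >= min { print $2 }'
}

# Successful logins as "<user> <method> <ip>", to spot unexpected accounts or key use.
accepted_logins() {
  awk '/Accepted/ {
         for (i = 1; i <= NF; i++) {
           if ($i == "for") { user = $(i+1); method = $(i-1) }
           if ($i == "from") ip = $(i+1)
         }
         print user, method, ip
       }'
}

# Constructed sample log lines (documentation addresses, placeholder key fingerprint).
SAMPLE_LOG='Mar 03 10:15:22 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 03 10:15:25 host sshd[1234]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 03 10:16:01 host sshd[1240]: Accepted publickey for alice from 198.51.100.5 port 40022 ssh2: ED25519 SHA256:CONSTRUCTED
Mar 03 10:16:40 host sshd[1250]: Failed password for alice from 192.0.2.9 port 40100 ssh2
Mar 03 10:17:03 host sshd[1251]: Failed password for root from 203.0.113.7 port 51240 ssh2'

# Usage: ... | sh sshd-audit.sh --live            (failures per source)
#        ... | sh sshd-audit.sh --threshold 10    (sources at or above 10 failures)
#        sh sshd-audit.sh --demo
case "${1:-}" in
  --live)      failed_by_source ;;
  --threshold) sources_over_threshold "${2:-10}" ;;
  --demo)      printf '%s\n' "$SAMPLE_LOG" | failed_by_source ;;
esac
```

The threshold view is the one to feed into an alert; the accepted_logins view is the one to read by hand, since a successful login from an address or account you do not recognise matters more than any number of failures.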

Use logwatch

Install and run a summary of logs:

sudo apt install logwatch
sudo logwatch --detail High --mailto your@email.com --range today --service all

For longer-term monitoring, integrate with a central log server or use tools like Graylog, ELK, or Prometheus with exporters.


8. Installed Software and Package Audit

List installed packages

dpkg-query -W

Identify outdated or unsupported packages

apt list --upgradable

Check for orphaned packages

sudo apt autoremove

Audit packages from unofficial sources

cat /etc/apt/sources.list
ls /etc/apt/sources.list.d/

Avoid trusting third-party repositories unless absolutely necessary.
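
Listing the files shows the repositories; the question to answer is which hosts they pull from and whether every one of them is Debian's. The script below is an added example, not part of the article: it extracts the URIs from both the one-line format of /etc/apt/sources.list and the deb822 .sources format accepted under sources.list.d, and prints any host not on an allowlist. The default allowlist (deb.debian.org, security.debian.org) and the sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the article): list the hosts your APT sources pull from
# and flag any that are not Debian's own mirrors.
ALLOWED_HOSTS="${ALLOWED_HOSTS:-deb.debian.org security.debian.org}"

# Print every repository URI from the given files, skipping comments and [options].
list_source_uris() {
  awk '/^[[:space:]]*#/ { next }
       $1 == "deb" || $1 == "deb-src" {
         for (i = 2; i <= NF; i++) if ($i ~ "^[a-z+]+://") { print $i; break }
         next
       }
       $1 == "URIs:" { for (i = 2; i <= NF; i++) print $i }' "$@"
}

# Hosts from those URIs that are not in the allowlist; exit 1 if any were found.
third_party_hosts() {
  list_source_uris "$@" |
    sed -E 's#^[a-z+]+://([^/]+).*#\1#' | LC_ALL=C sort -u |
    awk -v allow="$ALLOWED_HOSTS" '
      BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
      !($1 in ok) { print; found = 1 }
      END { exit found ? 1 : 0 }'
}

# Constructed sample: the standard Debian lines plus two vendor repositories,
# one in each format.
write_samples() {
  dir=$(mktemp -d)
  cat > "$dir/sources.list" <<'EOF'
# constructed sample in one-line format
deb http://deb.debian.org/debian bookworm main
deb http://deb.debian.org/debian bookworm-updates main
deb http://security.debian.org/debian-security bookworm-security main
deb [signed-by=/usr/share/keyrings/constructed.gpg] https://packages.example.net/debian bookworm main
EOF
  cat > "$dir/vendor.sources" <<'EOF'
Types: deb
URIs: https://repo.example.com/debian
Suites: bookworm
Components: main
Signed-By: /usr/share/keyrings/constructed.gpg
EOF
  echo "$dir"
}

# Usage: sh sources-audit.sh --live   |   sh sources-audit.sh --demo
case "${1:-}" in
  --live) third_party_hosts /etc/apt/sources.list /etc/apt/sources.list.d/* 2>/dev/null ;;
  --demo) d=$(write_samples); third_party_hosts "$d/sources.list" "$d/vendor.sources"; rm -rf "$d" ;;
esac
```

Every host this prints is a party whose signing key can install code as root on the machine; for each one you keep, record why it is needed and confirm its key is pinned with signed-by rather than added to the global trusted keyring.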


9. Intrusion Detection and Rootkit Checking

Install and run chkrootkit

sudo apt install chkrootkit
sudo chkrootkit

Install and configure rkhunter

sudo apt install rkhunter
sudo rkhunter --update
sudo rkhunter --check

Use AIDE (Advanced Intrusion Detection Environment) for file integrity checking

sudo apt install aide
sudo aideinit
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
sudo aide --check

Set up periodic checks with cron and alerts via email.


10. Automating and Scheduling Audits

Security auditing is not a one-time event. Schedule regular scans and log reviews.

Cron jobs for audits

Edit crontab:

sudo crontab -e

Example: weekly AIDE and rkhunter check:

0 3 * * 0 /usr/bin/rkhunter --check --sk
0 4 * * 0 /usr/bin/aide --check
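
A bare aide --check in cron only produces mail if cron is configured to send it, and it reports nothing about what kind of change was found. The wrapper below is an added example, not part of the article, covering the AIDE setup in section 9 and the scheduled run here: it decodes AIDE's exit status into a verdict, logs it to the journal, and mails the report only when there is something to look at. The report directory, alert address and install path are assumptions; mail requires a local MTA (for instance the mailutils or bsd-mailx package). Debian's aide-common package also ships its own daily check job; a wrapper like this is for when you need your own schedule and alerting.

```shell
#!/bin/sh
# Added example (not part of the article): cron wrapper for `aide --check`.
REPORT_DIR="${REPORT_DIR:-/var/log/aide}"
ALERT_TO="${ALERT_TO:-root}"

# AIDE's exit status is a bit mask: 1 = new files, 2 = removed files, 4 = changed files
# (so 5 means new and changed). 0 is a clean run; 14 and above are errors, not findings.
# Prints a one-line summary; returns 0 clean, 1 findings, 2 error.
describe_aide_status() {
  rc=$1
  [ "$rc" -eq 0 ] && { echo "clean"; return 0; }
  [ "$rc" -ge 14 ] && { echo "error (exit $rc)"; return 2; }
  out=""
  [ $((rc & 1)) -ne 0 ] && out="${out}new "
  [ $((rc & 2)) -ne 0 ] && out="${out}removed "
  [ $((rc & 4)) -ne 0 ] && out="${out}changed "
  echo "${out% }"
  return 1
}

# Run the check, keep the full report on disk, log the verdict, mail only on findings/errors.
run_aide_check() {
  mkdir -p "$REPORT_DIR"
  report="$REPORT_DIR/check-$(date +%F).log"
  /usr/bin/aide --check > "$report" 2>&1
  rc=$?
  summary=$(describe_aide_status "$rc"); verdict=$?
  logger -t aide-audit "aide --check exit $rc: $summary ($report)"
  if [ "$verdict" -ne 0 ]; then
    mail -s "AIDE on $(hostname): $summary" "$ALERT_TO" < "$report"
  fi
  return "$verdict"
}

# Install as /usr/local/sbin/aide-check.sh (assumed path) and schedule it in place of
# the bare aide line above:
#   0 4 * * 0 /usr/local/sbin/aide-check.sh --run
case "${1:-}" in
  --run) run_aide_check ;;
esac
```

Treating the error range separately matters: an exit of 17 (configuration error) or 18 (I/O error) means the check did not run, and a scheduler that only looks for "changes found" would report that silence as a clean system.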

Consider using Lynis for automated security auditing

sudo apt install lynis
sudo lynis audit system

Lynis provides detailed advice and hardening suggestions tailored to your system.


11. Conclusion

Performing a security audit on a Debian 12 Bookworm system is a critical step in ensuring the confidentiality, integrity, and availability of your services. By regularly checking for vulnerabilities, managing users and services, reviewing logs, and applying updates, you can drastically reduce the risk of compromise.

Here’s a quick summary of the tools and areas covered:

Area                     Tools / Commands
-----------------------  ------------------------------------
Updates & Patching       apt, unattended-upgrades
User Audit               passwd, sudo, lastlog
File/Permission Audit    find, ls, chmod, cron
Port & Service Audit     ss, systemctl
Firewall                 ufw, nftables
Logs                     journalctl, logwatch
Software Audit           dpkg-query, apt
IDS/Rootkit Detection    chkrootkit, rkhunter, aide, lynis

While this guide provides a strong foundation, remember that security is an evolving challenge. Stay updated with Debian security advisories, follow best practices, and adapt your auditing routines to the evolving threat landscape.

If you’re managing multiple Debian systems, consider automating security audits using tools like Ansible, SaltStack, or OSSEC for centralized compliance reporting.