SOC 2 Compliance for Linux Infrastructure

SOC 2 is an attestation against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy). The criteria describe outcomes, not configurations, so the work on the host side is choosing controls that produce evidence an auditor can test. This guide covers the practical controls, logging requirements, access management and evidence collection needed to support a SOC 2 audit on Linux servers.

Prerequisites

  • Linux server (Ubuntu 20.04+ or Rocky/Alma 8+; CentOS Linux 8 is end-of-life and should not be in scope) with root access
  • Understanding of your organization's SOC 2 audit scope
  • A designated security or compliance contact
  • Basic familiarity with auditd, rsyslog, and SSH configuration

Understanding SOC 2 Trust Service Criteria

SOC 2 audits evaluate controls across five trust services categories. A Type I report assesses control design at a point in time; a Type II report tests operating effectiveness over an observation period, usually 6 to 12 months, and is what customers normally ask for. The Security category (the Common Criteria, CC1 through CC9) is mandatory in every SOC 2; the other four are added as your scope requires.

Key criteria relevant to Linux servers:

  • CC6 – Logical and physical access controls
  • CC7 – System operations (monitoring, incident response)
  • CC8 – Change management
  • A1 – Availability (uptime, capacity, backups)

Access Control Implementation

Restrict access to production servers. Every user must have an individual account—no shared credentials.

# Create individual user accounts
sudo useradd -m -s /bin/bash alice
sudo passwd alice

# Add to sudo group (Ubuntu)
sudo usermod -aG sudo alice

# Lock the root password so nobody can log in as root with a password.
# This does not stop key-based root logins over SSH; PermitRootLogin
# below does that.
sudo passwd -l root

Create the group that will be allowed to log in before you touch sshd; the AllowGroups line below locks out every account that is not in it:

sudo groupadd sshusers
sudo usermod -aG sshusers alice

Configure SSH to enforce key-based authentication only:

sudo nano /etc/ssh/sshd_config

Required settings. sshd uses the first occurrence of a directive, so put these above any Include line (Ubuntu 22.04+ includes /etc/ssh/sshd_config.d/*.conf near the top) and check the included files for conflicting values:

PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
AllowGroups sshusers

KbdInteractiveAuthentication (spelled ChallengeResponseAuthentication on OpenSSH before 8.7) matters because PAM can still prompt for a password through keyboard-interactive even when PasswordAuthentication is off.

# Validate the configuration, then restart. Keep your current session
# open and confirm a fresh login works before closing it.
sudo sshd -t
sudo systemctl restart sshd

Configure sudoers with least privilege, and keep each rule tight: a trailing wildcard, a command that opens a pager, or a command that accepts options which run other programs turns a narrow grant into a root shell. Every sudo invocation is written to the auth log with the invoking user, which is the per-person attribution auditors look for.

sudo visudo -f /etc/sudoers.d/compliance

# Example: allow alice to run specific commands only.
# --no-pager is pinned because "systemctl status" otherwise hands output
# to less, which can spawn a shell as root. The apt-get entries carry no
# wildcard, so only those exact argument lists are permitted; apt accepts
# configuration options on the command line that run hooks, so an
# unrestricted apt grant is equivalent to root.
alice ALL=(root) NOPASSWD: /usr/bin/systemctl status --no-pager *
alice ALL=(root) PASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade -y
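The settings above fail silently when they are wrong: a duplicate directive earlier in the file, a value in an Include file, or a second UID 0 account all pass a glance at the config. The script below is an added example, not part of the original guide, that checks them offline against copies of sshd_config and passwd, which is also how you would check evidence collected from many hosts. File paths are arguments; the sample inputs in the test are constructed. On a live host, sshd -T is the authoritative view because it resolves Include files, Match blocks and defaults.

```bash
#!/usr/bin/env bash
# check-access-controls.sh (added example, not part of the original guide)
# Offline checks for the sshd directives and account rules set above.
set -u

# directive=required-value pairs (directive names lower-cased)
SSHD_REQUIRED="permitrootlogin=no passwordauthentication=no kbdinteractiveauthentication=no pubkeyauthentication=yes maxauthtries=3"

# sshd_value FILE DIRECTIVE: effective value, lower-cased, empty if unset.
# sshd honours the FIRST occurrence of a directive and applies Match blocks
# conditionally, so take the first global match and stop at Match.
sshd_value() {
  awk -v k="$2" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/ { exit }
    tolower($1) == k { print tolower($2); exit }
  ' "$1"
}

# check_sshd_config FILE: one PASS/FAIL line per directive; returns 1 if any fail.
check_sshd_config() {
  rc=0
  for pair in $SSHD_REQUIRED; do
    key=${pair%%=*}
    want=${pair#*=}
    got=$(sshd_value "$1" "$key")
    if [ "$got" = "$want" ]; then
      echo "PASS $key=$got"
    else
      echo "FAIL $key expected=$want got=${got:-unset}"
      rc=1
    fi
  done
  return $rc
}

# uid0_accounts PASSWD_FILE: accounts other than root with UID 0. Any hit is
# a shared-credential finding under CC6; root work must go through sudo.
uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# interactive_accounts PASSWD_FILE: human accounts (UID >= 1000 with a real
# shell), i.e. the list an auditor will ask you to map to named, current staff.
interactive_accounts() {
  awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Run against the live host when invoked with no arguments.
if [ "$#" -eq 0 ] && [ -r /etc/ssh/sshd_config ]; then
  check_sshd_config /etc/ssh/sshd_config
  echo "extra UID 0 accounts: $(uid0_accounts /etc/passwd)"
  echo "interactive accounts: $(interactive_accounts /etc/passwd | tr '\n' ' ')"
fi
```

Pass it copies of the files to check evidence from other hosts, for example check_sshd_config ./host1/sshd_config.txt. A FAIL on passwordauthentication with a later correct line in the file is exactly the duplicate-directive case the parser is written to catch.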

Audit Logging and Monitoring

CC7 expects you to detect, investigate and retain a record of privileged and anomalous activity. In practice that means an audit trail of who did what with root, kept somewhere the host itself cannot alter. Use auditd to capture privileged actions.

# Install auditd
sudo apt install auditd audispd-plugins   # Ubuntu
sudo dnf install audit                    # CentOS/Rocky

sudo systemctl enable --now auditd

Configure audit rules for SOC 2 requirements:

sudo nano /etc/audit/rules.d/soc2.rules

# Watch identity and privilege files (-p wa = write or attribute change)
-w /etc/passwd -p wa -k user_modification
-w /etc/shadow -p wa -k password_modification
-w /etc/group -p wa -k group_modification
-w /etc/sudoers -p wa -k sudoers_modification
-w /etc/sudoers.d/ -p wa -k sudoers_modification

# Authentication log: /var/log/auth.log on Ubuntu, /var/log/secure on Rocky
-w /var/log/auth.log -p wa -k auth_log

# Log privileged commands, attributed to the person who logged in (auid).
# auid>=1000 and auid!=unset drop root's own daemons and cron jobs so only
# human-initiated root commands are recorded; the b32 rule covers 32-bit
# binaries, which would otherwise bypass the b64 rule.
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k root_commands
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k root_commands

# SSH keys and daemon config. A watch on /home is recursive and records
# every write under every home directory; if that is too noisy, point
# AuthorizedKeysFile at a directory under /etc/ssh and watch that instead.
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /home -p wa -k ssh_keys

# Log cron changes
-w /etc/crontab -p wa -k cron_modification
-w /etc/cron.d -p wa -k cron_modification
-w /var/spool/cron -p wa -k cron_modification

# Log network configuration changes (/etc/network is legacy ifupdown;
# Ubuntu now uses /etc/netplan)
-w /etc/network -p wa -k network_modification
-w /etc/netplan -p wa -k network_modification
-w /etc/hosts -p wa -k hosts_modification

Make the ruleset immutable so that an attacker who gains root cannot silently switch auditing off. Put this in its own file so it sorts last in the merge, and note that changing rules afterwards requires a reboot:

sudo nano /etc/audit/rules.d/99-finalize.rules
-e 2

# Load the rules: augenrules merges rules.d/*.rules into audit.rules and
# loads the result. A restart of auditd is not needed (and on Rocky
# systemctl refuses to restart it; use "service auditd restart" there).
sudo augenrules --load

# Verify rules are active; with -e 2, auditctl -s reports "enabled 2"
sudo auditctl -l
sudo auditctl -s
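What makes the root_commands rule useful as evidence is the auid field: it is set at login, survives sudo and su, and so ties a root command back to a person. As an added example that is not code from the original guide, the script below reads audit.log format, joins each SYSCALL record tagged root_commands to the EXECVE record of the same event, and reports the login uid with the command. The log lines are constructed for the example, not captured from a real host; on a live host point it at /var/log/audit/audit.log as root, or use ausearch -k root_commands -i for the decoded view.

```bash
#!/usr/bin/env bash
# root-commands-report.sh (added example, not part of the original guide)
# Attributes each root_commands event to the login uid (auid) instead of
# the effective uid, by joining SYSCALL and EXECVE records on the event id.
set -u

# report_root_commands FILE: prints "auid command..." per event, sorted.
# auid 4294967295 means "unset" (daemons, cron): the kernel rule should
# filter these out, and this report makes any that slip through visible.
report_root_commands() {
  awk '
    $1 == "type=SYSCALL" && /key="root_commands"/ {
      id = $2
      for (i = 3; i <= NF; i++)
        if ($i ~ /^auid=/) auid[id] = substr($i, 6)
    }
    $1 == "type=EXECVE" {
      id = $2; cmd = ""
      # audit hex-encodes arguments containing spaces or quotes, so
      # whitespace splitting is safe; hex values are left as-is here
      for (i = 3; i <= NF; i++)
        if ($i ~ /^a[0-9]+=/) {
          v = substr($i, index($i, "=") + 1); gsub(/"/, "", v)
          cmd = (cmd == "" ? v : cmd " " v)
        }
      argv[id] = cmd
    }
    END {
      for (id in auid) if (id in argv)
        print (auid[id] == "4294967295" ? "unset" : auid[id]), argv[id]
    }
  ' "$1" | sort
}

# count_by_auid FILE: events per login uid, a monthly roll-up worth keeping
# with the evidence (who used root, and how often).
count_by_auid() {
  report_root_commands "$1" | awk '{ n[$1]++ } END { for (u in n) print u, n[u] }' | sort
}

# Constructed sample in audit.log format (not a real capture).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="root_commands"
type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="cat" a1="/etc/shadow"
type=PROCTITLE msg=audit(1700000000.101:201): proctitle=636174002F6574632F736861646F77
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=59 success=yes exit=0 ppid=2010 pid=2011 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="useradd" exe="/usr/sbin/useradd" key="root_commands"
type=EXECVE msg=audit(1700000000.102:202): argc=3 a0="useradd" a1="-m" a2="bob"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=3000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key="root_commands"
type=EXECVE msg=audit(1700000000.103:203): argc=1 a0="logrotate"
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=59 success=yes exit=0 ppid=2002 pid=2003 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="root_commands"
type=EXECVE msg=audit(1700000000.104:204): argc=2 a0="ls" a1="/root"
EOF

report_root_commands "$SAMPLE_LOG"
```

The logrotate line shows up as "unset" because the sample deliberately includes an event without a login uid; with the auid filters in the rule above it would never be recorded, and its presence in a real report means the rule on that host is not the one you think it is.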

Forward logs to a central log server so that a compromised or mis-administered host cannot rewrite its own history. rsyslog is installed by default on both distributions. Two distribution notes: on Rocky the auth log is /var/log/secure rather than /var/log/auth.log, and auditd's own log is not picked up by syslog on its own; enable the audisp syslog plugin (from audispd-plugins, installed above) or give rsyslog an imfile input for /var/log/audit/audit.log.

sudo nano /etc/rsyslog.d/50-remote.conf
# Forward all logs to the SIEM. @@ is TCP (a single @ would be UDP), and
# neither is encrypted: for tamper resistance enable TLS with rsyslog's
# gtls stream driver and configure a disk-assisted queue so messages
# survive collector outages instead of being dropped.
*.* @@logs.internal.example.com:514

# Check syntax, then restart
sudo rsyslogd -N1
sudo systemctl restart rsyslog

Encryption Controls

Encrypt data at rest and in transit. For at-rest encryption the auditor will want to see which volumes hold customer data, that they are encrypted, and where the keys live; for in-transit, that services accept only TLS 1.2 and later.

# List device-mapper targets; the target type shows "crypt" for
# LUKS/dm-crypt volumes
sudo dmsetup status

# Verify LUKS encryption on a data volume ("data" is whatever mapping
# name you chose at cryptsetup open time)
sudo cryptsetup status /dev/mapper/data

# Check a service's certificate validity window (-servername sends SNI;
# </dev/null stops s_client from waiting on stdin)
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -dates

Enforce TLS for internal services. Example for Nginx:

server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    # HIGH:!aNULL:!MD5 still admits RSA key exchange, which has no forward
    # secrecy. Restrict TLS 1.2 to ECDHE AEAD suites; TLS 1.3 suites are
    # not governed by this directive and are all forward-secret.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000" always;
}

Change Management

CC8 asks that changes be authorized, tested, approved and tracked. On the host the evidence is the record of what actually changed and who changed it; the approval trail lives in your ticketing system, and the two must be linkable by timestamp.

# Package changes are already logged by default: dpkg writes
# /var/log/dpkg.log and apt writes /var/log/apt/history.log (Ubuntu);
# dnf keeps transactions in "dnf history" (Rocky). Ship these with the
# rest of the logs. apt-listchanges shows changelogs at upgrade time,
# which helps the person approving the change, but is not a log.
sudo apt install apt-listchanges

# Timestamp shell history so entries can be matched to change tickets.
# History is advisory only (users can edit it); auditd and session
# recording are the authoritative record.
echo 'export HISTTIMEFORMAT="%F %T "' | sudo tee -a /etc/bash.bashrc

# Record interactive SSH sessions with script(1). It ships with util-linux
# (bsdutils on Ubuntu), so there is nothing to install. Create the log
# directory as root with the sticky bit so users can create their own
# files but not read or remove anyone else's; a user can still truncate
# their own file, so forward the directory off-host as well.
sudo mkdir -p /var/log/sessions
sudo chmod 1733 /var/log/sessions

sudo nano /etc/profile.d/audit-session.sh
# Sourced by login shells, so no shebang needed. exec replaces the login
# shell with script so the user cannot exit script and carry on
# unrecorded; the guard variable stops the recorded shell from starting
# a second recorder.
if [ -n "$SSH_TTY" ] && [ -z "$SESSION_RECORDED" ]; then
    export SESSION_RECORDED=1
    LOGFILE="/var/log/sessions/$(date +%Y%m%d_%H%M%S)_$(id -un)_$$.log"
    exec script -q -a "$LOGFILE"
fi

If most privileged work goes through sudo, sudo's own I/O logging (Defaults log_input, log_output, replayed with sudoreplay) records only the privileged part of a session and is simpler to review than full terminal captures.

Vulnerability Management

Maintain a regular patching schedule and document it for auditors.

# Ubuntu: automated security updates. dpkg-reconfigure writes
# /etc/apt/apt.conf.d/20auto-upgrades; the allowed origins live in
# /etc/apt/apt.conf.d/50unattended-upgrades.
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

# Check for available security updates
sudo apt list --upgradable 2>/dev/null | grep -i security

# CentOS/Rocky: security updates only. For automation, the dnf-automatic
# package does the same job with upgrade_type = security in
# /etc/dnf/automatic.conf.
sudo dnf update --security

# Run a vulnerability scan with Lynis (compliance auditing tool)
sudo apt install lynis
sudo lynis audit system --report-file /var/log/lynis-report.dat

Evidence Collection

Auditors will request evidence of controls. Automate evidence gathering, and protect the output: it contains the sudo policy and account data, so keep it readable by root only, and ship a copy off-host so the server cannot quietly rewrite its own evidence.

#!/bin/bash
# /usr/local/bin/collect-soc2-evidence.sh
# Runs as root from root's crontab, so no sudo inside the script.
set -u
umask 077
[ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }

EVIDENCE_DIR="/var/log/soc2-evidence/$(date +%Y-%m)"
mkdir -p "$EVIDENCE_DIR"

# User accounts, groups and the full sudo policy (/etc/sudoers too)
cat /etc/passwd > "$EVIDENCE_DIR/users.txt"
cat /etc/group > "$EVIDENCE_DIR/groups.txt"
cat /etc/sudoers /etc/sudoers.d/* > "$EVIDENCE_DIR/sudoers.txt" 2>/dev/null

# SSH configuration: the file as written, plus the effective values
# (sshd -T resolves Include files and defaults)
cp /etc/ssh/sshd_config "$EVIDENCE_DIR/sshd_config.txt"
sshd -T > "$EVIDENCE_DIR/sshd_effective.txt" 2>/dev/null

# Login activity. lastb reads /var/log/btmp, which exists on both
# distributions, unlike /var/log/auth.log.
who > "$EVIDENCE_DIR/active_sessions.txt"
last -n 100 > "$EVIDENCE_DIR/recent_logins.txt"
lastb -n 100 > "$EVIDENCE_DIR/failed_logins.txt"

# Installed packages
dpkg -l > "$EVIDENCE_DIR/installed_packages.txt" 2>/dev/null || rpm -qa > "$EVIDENCE_DIR/installed_packages.txt"

# Running services and the loaded audit rules
systemctl list-units --state=running --no-pager > "$EVIDENCE_DIR/running_services.txt"
auditctl -l > "$EVIDENCE_DIR/audit_rules.txt"

# Listening sockets, TCP and UDP
ss -tulnp > "$EVIDENCE_DIR/open_ports.txt"

# Firewall rules: nftables on current systems, iptables as fallback
nft list ruleset > "$EVIDENCE_DIR/firewall_rules.txt" 2>/dev/null || iptables -S > "$EVIDENCE_DIR/firewall_rules.txt"

echo "Evidence collected to $EVIDENCE_DIR"

Install it root-only and schedule it:

sudo chmod 700 /usr/local/bin/collect-soc2-evidence.sh

# Schedule monthly evidence collection in root's crontab
sudo crontab -e
# Add: 0 2 1 * * /usr/local/bin/collect-soc2-evidence.sh
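A collection script proves little if the host can later rewrite its own evidence. As an added example that is not part of the original guide, the functions below seal an evidence directory with a SHA-256 manifest and verify it later, including detecting files added after sealing, which sha256sum -c alone would not notice. Call seal_evidence from the cron job after collection and copy MANIFEST.sha256 somewhere the host cannot write; the directory layout is the one the script above produces, and the test inputs are constructed.

```bash
#!/usr/bin/env bash
# evidence-manifest.sh (added example, not part of the original guide)
# Tamper evidence for a collected evidence directory: a manifest of file
# hashes written after collection and checked before hand-over. The copy
# of the manifest kept off-host is the part that gives it any weight.
set -u

MANIFEST=MANIFEST.sha256

# seal_evidence DIR: write DIR/MANIFEST.sha256 covering every other file,
# with paths relative to DIR so the manifest still verifies after the
# directory is copied elsewhere.
seal_evidence() {
  ( cd "$1" && find . -type f ! -name "$MANIFEST" -print0 | sort -z | xargs -0 -r sha256sum ) \
    > "$1/$MANIFEST"
}

# verify_evidence DIR: returns 0 if every listed file matches and no file
# was added or removed; prints what differs and returns 1 otherwise.
# sha256sum -c only checks files named in the manifest, so the set of
# files present is compared as a second step.
verify_evidence() {
  rc=0
  ( cd "$1" && sha256sum --quiet -c "$MANIFEST" ) || rc=1
  listed=$(cut -c67- "$1/$MANIFEST" | sort)    # 64 hex chars + two spaces
  present=$(cd "$1" && find . -type f ! -name "$MANIFEST" | sort)
  if [ "$listed" != "$present" ]; then
    echo "file set differs from manifest" >&2
    printf 'listed:\n%s\npresent:\n%s\n' "$listed" "$present" >&2
    rc=1
  fi
  return $rc
}

# Typical use at the end of the monthly collection run, then copy
# MANIFEST.sha256 to the evidence store:
#   seal_evidence "/var/log/soc2-evidence/$(date +%Y-%m)"
# Before hand-over to the auditor:
#   verify_evidence "/var/log/soc2-evidence/2024-05" && echo intact
```

Re-sealing a directory after it has been handed over defeats the purpose; if a collection has to be re-run, keep the old directory and manifest and create a new one.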

Troubleshooting

Auditd not capturing events:

sudo auditctl -s            # enabled should be 1 or 2; lost should stay 0
sudo ausearch -k auth_log   # Search for events with a specific key
sudo aureport --summary     # View audit summary report

Logs not reaching centralized server:

# Validate the rsyslog configuration, then send a test message over TCP
# (-T) to match the @@ forwarding rule; logger defaults to UDP
sudo rsyslogd -N1
logger -n logs.internal.example.com -P 514 -T "SOC2 test message"
# Ubuntu: /var/log/syslog; Rocky: /var/log/messages
sudo tail -f /var/log/syslog | grep rsyslog

SSH config rejecting users after hardening:

# Verify user is in the allowed group
groups alice
# Check the SSH auth log (Ubuntu; on Rocky use /var/log/secure or journalctl -u sshd)
sudo tail -50 /var/log/auth.log | grep sshd

Lynis hardening index below acceptable threshold:

  • Warnings and suggestions are in /var/log/lynis-report.dat (lines beginning warning[] and suggestion[]); /var/log/lynis.log is the verbose trace
  • Fix warnings first, then suggestions; sudo lynis show details TEST-ID explains a finding
  • Re-run after each remediation: sudo lynis audit system

Conclusion

SOC 2 compliance on Linux requires consistent implementation of access controls, comprehensive audit logging, encrypted storage and communications, and a documented change management process. Run the evidence collection script monthly, review Lynis reports quarterly, and retain logs for at least the audit observation period (commonly 12 months) in line with the retention policy you present to the auditor. With these controls in place and producing evidence, your Linux infrastructure will be well-positioned for a SOC 2 Type II audit.