analyzing-linux-audit-logs-for-intrusion

Installation
SKILL.md

Analyzing Linux Audit Logs for Intrusion

When to Use

  • Investigating suspected unauthorized access or privilege escalation on Linux hosts
  • Hunting for evidence of exploitation, backdoor installation, or persistence mechanisms
  • Auditing compliance with security baselines (CIS, STIG, PCI-DSS) that require system call monitoring
  • Reconstructing a timeline of attacker actions during incident response
  • Detecting file tampering on critical system files such as /etc/passwd, /etc/shadow, or SSH keys

Do not use for network-level intrusion detection; use Suricata or Zeek for network traffic analysis. Auditd operates at the kernel level on individual hosts.

Prerequisites

Installs
302
GitHub Stars
24.8K
First Seen
Mar 15, 2026
analyzing-linux-audit-logs-for-intrusion — mukul975/anthropic-cybersecurity-skills