Analyzing Linux Audit Logs for Intrusion

When to Use

Investigating suspected unauthorized access or privilege escalation on Linux hosts
Hunting for evidence of exploitation, backdoor installation, or persistence mechanisms
Auditing compliance with security baselines (CIS, STIG, PCI-DSS) that require system call monitoring
Reconstructing a timeline of attacker actions during incident response
Detecting file tampering on critical system files such as /etc/passwd, /etc/shadow, or SSH keys

Do not use for network-level intrusion detection; use Suricata or Zeek for network traffic analysis. Auditd operates at the kernel level on individual hosts.

Prerequisites

Linux system with auditd package installed and the audit daemon running (systemctl status auditd)
Root or sudo access to configure audit rules and query logs
Audit rules deployed via /etc/audit/rules.d/*.rules or loaded with auditctl
Recommended: Neo23x0/auditd ruleset from GitHub for comprehensive baseline coverage
Familiarity with Linux syscalls (execve, open, connect, ptrace, etc.)

analyzing-linux-audit-logs-for-intrusion

Analyzing Linux Audit Logs for Intrusion

When to Use

Prerequisites

More from mukul975/anthropic-cybersecurity-skills

acquiring-disk-image-with-dd-and-dcfldd

analyzing-api-gateway-access-logs

analyzing-android-malware-with-apktool

analyzing-cyber-kill-chain

analyzing-email-headers-for-phishing-investigation

analyzing-active-directory-acl-abuse