analyzing-linux-audit-logs-for-intrusion

Solid

Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized access, privilege escalation, and suspicious system activity. Covers audit rule configuration, log querying, timeline reconstruction, and integration with SIEM platforms. Activates for requests involving auditd analysis, Linux audit log investigation, ausearch queries, aureport summaries, or host-based intrusion detection on Linux.

AI & Automation 38 stars 5 forks Updated yesterday MIT

Install

View on GitHub

Quality Score: 89/100

Stars 20%
53
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
80
License 10%
100
Description 5%
100

Skill Content

# Analyzing Linux Audit Logs for Intrusion ## When to Use - Investigating suspected unauthorized access or privilege escalation on Linux hosts - Hunting for evidence of exploitation, backdoor installation, or persistence mechanisms - Auditing compliance with security baselines (CIS, STIG, PCI-DSS) that require system call monitoring - Reconstructing a timeline of attacker actions during incident response - Detecting file tampering on critical system files such as `/etc/passwd`, `/etc/shadow`, or SSH keys **Do not use** for network-level intrusion detection; use Suricata or Zeek for network traffic analysis. Auditd operates at the kernel level on individual hosts. ## Prerequisites - Linux system with `auditd` package installed and the audit daemon running (`systemctl status auditd`) - Root or sudo access to configure audit rules and query logs - Audit rules deployed via `/etc/audit/rules.d/*.rules` or loaded with `auditctl` - Recommended: Neo23x0/auditd ruleset from GitHub for comprehensive baseline coverage - Familiarity with Linux syscalls (`execve`, `open`, `connect`, `ptrace`, etc.) - Log storage with sufficient retention (default location: `/var/log/audit/audit.log`) ## Workflow ### Step 1: Verify Audit Daemon Status and Configuration Confirm the audit system is running and check the current rule set: ```bash # Check auditd service status systemctl status auditd # Show current audit rules loaded in the kernel auditctl -l # Show audit daemon configuration cat /e...

Details

Author
adriannoes
Repository
adriannoes/awesome-vibe-coding
Created
8 months ago
Last Updated
yesterday
Language
Jupyter Notebook
License
MIT

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

analyzing-linux-audit-logs-for-intrusion

Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized access, privilege escalation, and suspicious system activity. Covers audit rule configuration, log querying, timeline reconstruction, and integration with SIEM platforms. Activates for requests involving auditd analysis, Linux audit log investigation, ausearch queries, aureport summaries, or host-based intrusion detection on Linux.

15,448 Updated 1 weeks ago
mukul975
DevOps & Infrastructure Listed

analyzing-linux-audit-logs-for-intrusion

Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized access, privilege escalation, and suspicious system activity. Covers audit rule configuration, log querying, timeline reconstruction, and integration with SIEM platforms. Activates for requests involving auditd analysis, Linux audit log investigation, ausearch queries, aureport summaries, or host-based intrusion detection on Linux.

11 Updated yesterday
26zl
AI & Automation Solid

analyzing-persistence-mechanisms-in-linux

Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD hijacking, bashrc modifications, and authorized_keys backdoors using auditd and file integrity monitoring

38 Updated yesterday
adriannoes