analyzing-linux-audit-logs-for-intrusionlisted

# Analyzing Linux Audit Logs for Intrusion ## When to Use - Investigating suspected unauthorized access or privilege escalation on Linux hosts - Hunting for evidence of exploitation, backdoor installation, or persistence mechanisms - Auditing compliance with security baselines (CIS, STIG, PCI-DSS) that require system call monitoring - Reconstructing a timeline of attacker actions during incident response - Detecting file tampering on critical system files such as `/etc/passwd`, `/etc/shadow`, or SSH keys **Do not use** for network-level intrusion detection; use Suricata or Zeek for network traffic analysis. Auditd operates at the kernel level on individual hosts. ## Prerequisites - Linux system with `auditd` package installed and the audit daemon running (`systemctl status auditd`) - Root or sudo access to configure audit rules and query logs - Audit rules deployed via `/etc/audit/rules.d/*.rules` or loaded with `auditctl` - Recommended: Neo23x0/auditd ruleset from GitHub for comprehensive baseline coverage - Familiarity with Linux syscalls (`execve`, `open`, `connect`, `ptrace`, etc.) - Log storage with sufficient retention (default location: `/var/log/audit/audit.log`) ## Workflow ### Step 1: Verify Audit Daemon Status and Configuration Confirm the audit system is running and check the current rule set: ```bash # Check auditd service status systemctl status auditd # Show current audit rules loaded in the kernel auditctl -l # Show audit daemon configuration cat /e