Analyzing Linux Audit Logs for Intrusion

Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized

What Is This

The skill "Analyzing Linux Audit Logs for Intrusion" focuses on leveraging the Linux Audit framework (auditd) alongside tools like ausearch and aureport to detect and investigate signs of intrusion on Linux systems. By recording detailed security-relevant events at the kernel level, auditd enables defenders to monitor system calls, track file and process activity, and reconstruct timelines of potentially malicious actions. This skill covers configuring audit rules, querying and summarizing logs, and interpreting results for incident response and forensics. Integration with Security Information and Event Management (SIEM) platforms is also supported, enabling centralized monitoring and alerting.

Why Use It

Linux hosts are prime targets for attackers seeking unauthorized access, privilege escalation, or persistence. While traditional log files (such as /var/log/auth.log) capture some activities, they often lack the granularity required for deep forensic investigation. The Linux Audit framework provides kernel-level visibility into system events, making it possible to:

  • Detect unauthorized access attempts and privilege escalation
  • Identify tampering with critical files like /etc/shadow or SSH keys
  • Audit compliance with security frameworks (CIS, STIG, PCI-DSS)
  • Reconstruct detailed timelines of user and process activity

Using auditd and its utilities, defenders can go beyond superficial log review and obtain actionable evidence for incident response, root cause analysis, and reporting.

How to Use It

1. Installing and Enabling Auditd

Most Linux distributions provide auditd via package repositories:

sudo apt-get install auditd audispd-plugins   # Debian/Ubuntu
sudo yum install audit                         # RHEL/CentOS

Start and enable the audit daemon:

sudo systemctl start auditd
sudo systemctl enable auditd

2. Configuring Audit Rules

Audit rules specify which events to log. Rules can be defined in /etc/audit/audit.rules or /etc/audit/rules.d/. For intrusion detection, consider rules such as:

  • Monitoring authentication files for unauthorized modification:

    -w /etc/passwd -p wa -k identity
    -w /etc/shadow -p wa -k identity
  • Tracking execution of privileged commands:

    -a always,exit -F arch=b64 -S execve -F euid=0 -k rootcmd
  • Logging changes to sudo privilege grants (/etc/sudoers):

    -w /etc/sudoers -p wa -k sudoers

After updating rules, reload them:

sudo augenrules --load

3. Querying Audit Logs with ausearch

Use ausearch to extract relevant events:

  • Find all events related to a specific file:

    ausearch -f /etc/shadow
  • Search for suspicious commands executed as root:

    ausearch -k rootcmd
  • Filter by time window:

    ausearch -ts 08:00:00 -te 12:00:00
  • Search for failed authentication attempts:

    ausearch -m USER_LOGIN -sv no

4. Summarizing Events with aureport

aureport provides high-level summaries:

  • Login activity:

    aureport -l
  • File access reports:

    aureport -f
  • Authentication summary:

    aureport -au
  • Detect anomalies by comparing recent activity with historical baselines.

5. Timeline Reconstruction

Audit logs include timestamps, process IDs, and user IDs, enabling defenders to reconstruct attacker actions over time. For example, after detecting a suspicious login, you can:

  1. Search for the user's events from the login time onward (the ses= field in each record identifies the login session):

    ausearch -ua <user_id> -ts <start_time>
  2. Trace process execution and file modifications during that session.

  3. Correlate events to build a comprehensive incident timeline.
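The steps above can be scripted once the raw records are grouped by their audit serial number. The following is an added example (not from the original page or the audit project) that parses a constructed excerpt of /var/log/audit.log, joins the SYSCALL/EXECVE/PATH records of each event, and builds a per-session timeline that flags events hitting the "identity" rule key used in section 2; the sample records and the field layout it assumes are constructed for illustration.

```python
import re

# Constructed sample of /var/log/audit.log records (not real data). The
# msg=audit(TIMESTAMP:SERIAL) stamp is what ties the records of one event together.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1700000000.101:501): pid=1200 uid=0 auid=1001 ses=7 msg='op=login acct="bob" addr=10.0.0.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000003.205:502): pid=1201 uid=0 auid=1001 ses=7 msg='op=login acct="bob" addr=10.0.0.5 terminal=ssh res=success'
type=SYSCALL msg=audit(1700000010.300:503): arch=c000003e syscall=59 success=yes exit=0 pid=1301 auid=1001 uid=0 euid=0 ses=7 comm="vi" exe="/usr/bin/vi" key="rootcmd"
type=EXECVE msg=audit(1700000010.300:503): argc=2 a0="vi" a1="/etc/shadow"
type=SYSCALL msg=audit(1700000012.400:504): arch=c000003e syscall=257 success=yes exit=3 pid=1301 auid=1001 uid=0 euid=0 ses=7 comm="vi" exe="/usr/bin/vi" key="identity"
type=PATH msg=audit(1700000012.400:504): item=0 name="/etc/shadow" mode=0100640 ouid=0 nametype=NORMAL
"""

STAMP_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
IDENTITY_KEY = "identity"  # the -k identity rule key from the audit rules above

def parse_records(text):
    """Group raw audit lines by serial number into one dict per event."""
    events = {}
    for line in text.splitlines():
        stamp = STAMP_RE.search(line)
        if not stamp:
            continue
        serial = int(stamp.group(2))
        ev = events.setdefault(serial, {"time": float(stamp.group(1)), "serial": serial, "types": set()})
        for key, val in FIELD_RE.findall(line):
            if key == "type":
                ev["types"].add(val)          # SYSCALL, EXECVE, PATH ... of one event
            elif val.startswith("'"):        # nested msg='op=login acct="bob" ... res=failed'
                ev.update((k, v.strip('"')) for k, v in FIELD_RE.findall(val[1:-1]))
            elif key != "msg":               # skip the msg=audit(...) stamp itself
                ev[key] = val.strip('"')
    return events

def build_timeline(events, session):
    """Chronological (time, description) rows for one login session (ses= value)."""
    rows = []
    for ev in sorted(events.values(), key=lambda e: (e["time"], e["serial"])):
        if ev.get("ses") != session:
            continue
        if "USER_LOGIN" in ev["types"]:
            rows.append((ev["time"], f"login acct={ev.get('acct')} addr={ev.get('addr')} res={ev.get('res')}"))
        elif "EXECVE" in ev["types"]:        # reassemble argv from a0, a1, ... in numeric order
            keys = sorted((k for k in ev if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
            rows.append((ev["time"], f"exec euid={ev.get('euid')} key={ev.get('key')} argv={' '.join(ev[k] for k in keys)}"))
        elif ev.get("key") == IDENTITY_KEY and "name" in ev:
            rows.append((ev["time"], f"ALERT identity file {ev['name']} touched by auid={ev.get('auid')} exe={ev.get('exe')}"))
    return rows
```

On a live host the same parser can be fed the output of `ausearch --raw -ua <user_id> -ts <start_time>` instead of the embedded sample.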

6. Integration with SIEM

Audit logs can be forwarded to SIEM platforms (such as Splunk, ELK, or Graylog) for centralized alerting and correlation. Use the audisp-remote plugin or syslog forwarding to ship logs securely for real-time analysis.

When to Use It

  • Investigating suspected unauthorized access or privilege escalation on Linux hosts
  • Hunting for evidence of exploitation, malware persistence, or backdoor installation
  • Auditing compliance with security standards that require system call monitoring
  • Reconstructing a timeline of attacker actions during incident response
  • Detecting tampering with critical system files or security settings

This skill is appropriate for host-based intrusion detection and forensic analysis, not for network-level monitoring.

Important Notes

  • Auditd can introduce performance overhead on busy systems; tune rules to focus on high-value targets and reduce noise.
  • Ensure audit logs are protected from tampering and have appropriate retention policies for compliance and forensics.
  • Regularly review and update audit rules to address evolving threats and organizational requirements.
  • Audit log analysis requires root or equivalent privileges; restrict access to prevent insider threats.
  • For large environments, consider automating log analysis and integrating with SIEM to scale detection capabilities.
  • Auditd is not a replacement for other security controls such as SELinux or AppArmor; use in conjunction for defense in depth.

By mastering the analysis of Linux Audit logs using auditd, ausearch, and aureport, security teams can significantly enhance their detection and response capabilities for Linux-based infrastructure.