incident response

Analyzing Linux Audit Logs for Intrusion

Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized access, privilege escalation, and suspicious system activity. Covers audit rule configuration, log querying, timeline reconstruction, and integration with SIEM platforms. Activates for requests involving auditd analysis, Linux audit log investigation, ausearch queries, aureport summaries, or host-based intrusion detection on Linux.

auditdaureportausearchforensicshidsintrusion-detectionlinux-security
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • Investigating suspected unauthorized access or privilege escalation on Linux hosts
  • Hunting for evidence of exploitation, backdoor installation, or persistence mechanisms
  • Auditing compliance with security baselines (CIS, STIG, PCI-DSS) that require system call monitoring
  • Reconstructing a timeline of attacker actions during incident response
  • Detecting file tampering on critical system files such as /etc/passwd, /etc/shadow, or SSH keys

Do not use for network-level intrusion detection; use Suricata or Zeek for network traffic analysis. Auditd operates at the kernel level on individual hosts.

Prerequisites

  • Linux system with auditd package installed and the audit daemon running (systemctl status auditd)
  • Root or sudo access to configure audit rules and query logs
  • Audit rules deployed via /etc/audit/rules.d/*.rules or loaded with auditctl
  • Recommended: Neo23x0/auditd ruleset from GitHub for comprehensive baseline coverage
  • Familiarity with Linux syscalls (execve, open, connect, ptrace, etc.)
  • Log storage with sufficient retention (default location: /var/log/audit/audit.log)

Workflow

Step 1: Verify Audit Daemon Status and Configuration

Confirm the audit system is running and check the current rule set:

# Check auditd service status
systemctl status auditd
 
# Show current audit rules loaded in the kernel
auditctl -l
 
# Show audit daemon configuration
cat /etc/audit/auditd.conf | grep -E "log_file|max_log_file|num_logs|space_left_action"
 
# Check if the audit backlog is being exceeded (dropped events)
auditctl -s

If the backlog limit is being reached, increase it:

auditctl -b 8192

Step 2: Deploy Intrusion-Focused Audit Rules

Add rules that target common intrusion indicators. Place these in /etc/audit/rules.d/intrusion.rules:

# Monitor credential files for unauthorized reads or modifications
-w /etc/passwd -p wa -k credential_access
-w /etc/shadow -p rwa -k credential_access
-w /etc/gshadow -p rwa -k credential_access
-w /etc/sudoers -p wa -k privilege_escalation
-w /etc/sudoers.d/ -p wa -k privilege_escalation
 
# Monitor SSH configuration and authorized keys
-w /etc/ssh/sshd_config -p wa -k sshd_config_change
-w /root/.ssh/authorized_keys -p wa -k ssh_key_tampering
 
# Monitor user and group management commands
-w /usr/sbin/useradd -p x -k user_management
-w /usr/sbin/usermod -p x -k user_management
-w /usr/sbin/groupadd -p x -k user_management
 
# Detect process injection via ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k process_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k process_injection
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k process_injection
 
# Monitor execution of programs from unusual directories
-a always,exit -F arch=b64 -S execve -F exe=/tmp -k exec_from_tmp
-a always,exit -F arch=b64 -S execve -F exe=/dev/shm -k exec_from_shm
 
# Detect kernel module loading (rootkit installation)
-a always,exit -F arch=b64 -S init_module -S finit_module -k kernel_module_load
-a always,exit -F arch=b64 -S delete_module -k kernel_module_remove
-w /sbin/insmod -p x -k kernel_module_tool
-w /sbin/modprobe -p x -k kernel_module_tool
 
# Monitor network socket creation for reverse shells
-a always,exit -F arch=b64 -S socket -F a0=2 -k network_socket_created
-a always,exit -F arch=b64 -S connect -F a0=2 -k network_connection
 
# Detect cron job modifications (persistence)
-w /etc/crontab -p wa -k cron_persistence
-w /etc/cron.d/ -p wa -k cron_persistence
-w /var/spool/cron/ -p wa -k cron_persistence
 
# Monitor log deletion or tampering
-w /var/log/ -p wa -k log_tampering

Reload rules after editing:

augenrules --load
auditctl -l | wc -l   # Confirm rule count

Step 3: Search for Intrusion Indicators with ausearch

Use ausearch to query the audit log for specific events:

# Search for all failed login attempts in the last 24 hours
ausearch -m USER_LOGIN --success no -ts recent
 
# Search for commands executed by a specific user
ausearch -ua 1001 -m EXECVE -ts today
 
# Search for all file access events on /etc/shadow
ausearch -f /etc/shadow -ts this-week
 
# Search for privilege escalation via sudo
ausearch -m USER_CMD -ts today
 
# Search for kernel module loading events
ausearch -k kernel_module_load -ts this-month
 
# Search for processes executed from /tmp (common attack staging)
ausearch -k exec_from_tmp -ts this-week
 
# Search for SSH key modifications
ausearch -k ssh_key_tampering -ts this-month
 
# Search for a specific event by audit event ID
ausearch -a 12345
 
# Search events in a specific time range
ausearch -ts 03/15/2026 08:00:00 -te 03/15/2026 18:00:00
 
# Interpret syscall numbers and format output readably
ausearch -k credential_access -i -ts today

Step 4: Generate Summary Reports with aureport

Use aureport to produce aggregate summaries for triage:

# Summary of all authentication events
aureport -au -ts this-week --summary
 
# Report of all failed events (login, access, etc.)
aureport --failed --summary -ts today
 
# Report of executable runs
aureport -x --summary -ts today
 
# Report of all anomaly events (segfaults, promiscuous mode, etc.)
aureport --anomaly -ts this-week
 
# Report of file access events
aureport -f --summary -ts today
 
# Report of all events by key (maps to your custom rule keys)
aureport -k --summary -ts this-month
 
# Report of all system calls
aureport -s --summary -ts today
 
# Report of events grouped by user
aureport -u --summary -ts this-week
 
# Detailed time-based event report for timeline building
aureport -ts 03/15/2026 08:00:00 -te 03/15/2026 18:00:00 --summary

Step 5: Reconstruct the Attack Timeline

Combine ausearch queries to build a chronological narrative:

# Step 5a: Identify the initial access timestamp
ausearch -m USER_LOGIN -ua 0 --success yes -ts this-week -i | head -50
 
# Step 5b: Trace what the attacker did after gaining access
# Get all events from the compromised account within the incident window
ausearch -ua <UID> -ts "03/15/2026 14:00:00" -te "03/15/2026 18:00:00" -i \
  | aureport -f -i
 
# Step 5c: Extract all commands executed during the incident window
ausearch -m EXECVE -ts "03/15/2026 14:00:00" -te "03/15/2026 18:00:00" -i
 
# Step 5d: Check for persistence mechanisms installed
ausearch -k cron_persistence -ts "03/15/2026 14:00:00" -i
ausearch -k ssh_key_tampering -ts "03/15/2026 14:00:00" -i
 
# Step 5e: Check for lateral movement (outbound connections)
ausearch -k network_connection -ts "03/15/2026 14:00:00" -i

Step 6: Forward Audit Logs to SIEM

Configure audisp-remote or auditbeat to ship logs to a central SIEM for correlation:

# Option A: Using audisp-remote plugin
# Edit /etc/audit/plugins.d/au-remote.conf
active = yes
direction = out
path = /sbin/audisp-remote
type = always
 
# Configure remote target in /etc/audit/audisp-remote.conf
remote_server = siem.internal.corp
port = 6514
transport = tcp
 
# Option B: Using Elastic Auditbeat
# Install auditbeat and configure /etc/auditbeat/auditbeat.yml
# Auditbeat reads directly from the kernel audit framework

Key Concepts

Term Definition
auditd The Linux Audit daemon that receives audit events from the kernel and writes them to /var/log/audit/audit.log
auditctl Command-line utility to control the audit system: add/remove rules, check status, set backlog size
ausearch Query tool that searches audit logs by message type, user, file, key, time range, or event ID
aureport Reporting tool that generates aggregate summaries of audit events for triage and compliance
audit rule key (-k) A user-defined label attached to an audit rule, enabling fast filtering of related events with ausearch and aureport
syscall auditing Kernel-level monitoring of system calls (execve, open, connect, ptrace) that captures process and file activity
augenrules Utility that merges all files in /etc/audit/rules.d/ into /etc/audit/audit.rules and loads them into the kernel

Verification

  • auditd is running and rules are loaded (auditctl -l returns expected rule count)
  • No audit backlog overflow (auditctl -s shows backlog: 0 or low value, lost: 0)
  • ausearch returns events for each custom key (ausearch -k <key> -ts today returns results)
  • aureport generates non-empty summaries for authentication, executable, and file events
  • Timeline reconstruction produces a coherent chronological sequence of attacker actions
  • Critical file watches trigger alerts on test modifications (touch /etc/shadow generates an event)
  • Logs are forwarding to central SIEM (verify with a test event and confirm receipt)
  • Audit rules persist across reboot (rules in /etc/audit/rules.d/, not only via auditctl)
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md1.9 KB

API Reference: Analyzing Linux Audit Logs for Intrusion

Audit Log Location

/var/log/audit/audit.log

ausearch CLI

# Search by key
ausearch -k file_access
 
# Search by message type
ausearch -m EXECVE
 
# Failed events only
ausearch --success no
 
# By user
ausearch -ua 1000
 
# CSV output for Python processing
ausearch --format csv > audit_events.csv
 
# By time range
ausearch --start today --end now
ausearch --start 01/15/2025 00:00:00 --end 01/16/2025 00:00:00

aureport CLI

# Summary report
aureport --summary
 
# Authentication report
aureport -au
 
# Failed events
aureport --failed
 
# Executable report
aureport -x
 
# File access report
aureport -f
 
# Anomaly report
aureport --anomaly

Audit Rules (auditctl)

# Monitor sensitive files
auditctl -w /etc/passwd -p rwxa -k passwd_access
auditctl -w /etc/shadow -p rwxa -k shadow_access
auditctl -w /etc/sudoers -p rwxa -k sudoers_access
 
# Monitor privilege escalation
auditctl -a always,exit -F arch=b64 -S execve -F euid=0 -F uid!=0 -k priv_esc
 
# Monitor module loading
auditctl -a always,exit -F arch=b64 -S init_module -S finit_module -k modules
 
# Monitor network connections
auditctl -a always,exit -F arch=b64 -S connect -k network_connect

Audit Log Fields

Field Description
type Event type (SYSCALL, PATH, EXECVE, USER_CMD)
msg audit(timestamp:event_id)
syscall System call number
uid/euid User ID / Effective UID
comm Command name
exe Executable path
key Audit rule key
success yes/no
name File path (in PATH records)

Suspicious Syscalls

Syscall Concern
execve Program execution
ptrace Process debugging/injection
init_module Kernel rootkit loading
connect Outbound connection
setuid Privilege change
open_by_handle_at Container escape

Scripts 1

agent.py7.9 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Linux audit log analysis agent for intrusion detection.

Parses /var/log/audit/audit.log entries to detect privilege escalation,
unauthorized file access, suspicious syscalls, and process execution anomalies.
"""

import argparse
import json
import re
import sys
import datetime
import collections
import subprocess


SUSPICIOUS_SYSCALLS = {
    "execve": "Program execution",
    "connect": "Network connection",
    "bind": "Port binding",
    "ptrace": "Process tracing/debugging",
    "init_module": "Kernel module loading",
    "finit_module": "Kernel module loading",
    "delete_module": "Kernel module unloading",
    "mount": "Filesystem mount",
    "umount2": "Filesystem unmount",
    "setuid": "UID change",
    "setgid": "GID change",
    "sethostname": "Hostname change",
    "open_by_handle_at": "File open by handle (container escape)",
}

SENSITIVE_PATHS = [
    "/etc/passwd", "/etc/shadow", "/etc/sudoers",
    "/etc/ssh/sshd_config", "/root/.ssh/authorized_keys",
    "/etc/crontab", "/var/spool/cron",
]

SUSPICIOUS_COMMANDS = [
    "curl", "wget", "nc", "ncat", "nmap", "tcpdump",
    "python", "perl", "ruby", "gcc", "cc", "make",
    "useradd", "usermod", "groupadd", "visudo",
    "iptables", "ip6tables", "nft",
]


def parse_audit_log(log_path, max_lines=50000):
    """Parse raw audit.log file into structured events."""
    events = []
    current = {}
    try:
        with open(log_path, "r") as f:
            for i, line in enumerate(f):
                if i >= max_lines:
                    break
                match = re.match(
                    r"type=(\S+)\s+msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)", line
                )
                if not match:
                    continue
                event_type = match.group(1)
                timestamp = float(match.group(2))
                event_id = match.group(3)
                data_str = match.group(4)
                fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', data_str))
                for k, v in fields.items():
                    fields[k] = v.strip('"')
                event = {
                    "type": event_type,
                    "timestamp": datetime.datetime.fromtimestamp(timestamp).isoformat(),
                    "event_id": event_id,
                    **fields,
                }
                events.append(event)
    except FileNotFoundError:
        return {"error": f"Log file not found: {log_path}"}
    return events


def detect_privilege_escalation(events):
    """Detect privilege escalation indicators in audit events."""
    findings = []
    for e in events:
        if e.get("type") == "SYSCALL" and e.get("syscall_name") in ("setuid", "setgid", "execve"):
            if e.get("uid") != "0" and e.get("euid") == "0":
                findings.append({
                    "type": "privilege_escalation",
                    "detail": f"UID {e.get('uid')} escalated to eUID 0",
                    "command": e.get("comm", ""),
                    "exe": e.get("exe", ""),
                    "timestamp": e.get("timestamp"),
                    "severity": "CRITICAL",
                })
        if e.get("type") == "USER_CMD" and "sudo" in e.get("cmd", "").lower():
            findings.append({
                "type": "sudo_usage",
                "user": e.get("acct", e.get("uid", "")),
                "command": e.get("cmd", ""),
                "timestamp": e.get("timestamp"),
                "severity": "MEDIUM",
            })
    return findings


def detect_file_access(events):
    """Detect access to sensitive files."""
    findings = []
    for e in events:
        if e.get("type") in ("PATH", "SYSCALL"):
            path = e.get("name", e.get("exe", ""))
            for sensitive in SENSITIVE_PATHS:
                if sensitive in path:
                    findings.append({
                        "type": "sensitive_file_access",
                        "path": path,
                        "syscall": e.get("syscall_name", e.get("syscall", "")),
                        "user": e.get("uid", ""),
                        "timestamp": e.get("timestamp"),
                        "severity": "HIGH",
                    })
                    break
    return findings


def detect_suspicious_commands(events):
    """Detect execution of suspicious commands."""
    findings = []
    for e in events:
        if e.get("type") in ("EXECVE", "SYSCALL"):
            comm = e.get("comm", "").lower()
            exe = e.get("exe", "").lower()
            for cmd in SUSPICIOUS_COMMANDS:
                if cmd in comm or cmd in exe:
                    findings.append({
                        "type": "suspicious_command",
                        "command": comm,
                        "exe": exe,
                        "user": e.get("uid", ""),
                        "timestamp": e.get("timestamp"),
                        "severity": "MEDIUM",
                    })
                    break
    return findings


def run_ausearch(key=None, message_type=None, success=None):
    """Run ausearch command and return results."""
    cmd = ["ausearch"]
    if key:
        cmd.extend(["-k", key])
    if message_type:
        cmd.extend(["-m", message_type])
    if success is not None:
        cmd.extend(["--success", "yes" if success else "no"])
    cmd.extend(["--format", "csv"])
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
        return {"output": result.stdout[:5000], "exit_code": result.returncode}
    except (FileNotFoundError, subprocess.TimeoutExpired) as e:
        return {"error": str(e)}


def generate_summary(events, findings):
    """Generate audit log analysis summary."""
    event_types = collections.Counter(e.get("type") for e in events)
    finding_types = collections.Counter(f.get("type") for f in findings)
    severity_counts = collections.Counter(f.get("severity") for f in findings)
    return {
        "total_events": len(events),
        "event_types": dict(event_types.most_common(10)),
        "total_findings": len(findings),
        "finding_types": dict(finding_types),
        "by_severity": dict(severity_counts),
    }


def main():
    parser = argparse.ArgumentParser(description="Linux audit log intrusion detection agent")
    parser.add_argument("log_file", nargs="?", default="/var/log/audit/audit.log",
                        help="Path to audit.log (default: /var/log/audit/audit.log)")
    parser.add_argument("--max-lines", type=int, default=50000, help="Max log lines to parse")
    parser.add_argument("--ausearch-key", help="Run ausearch with this key")
    parser.add_argument("--output", "-o", help="Output JSON report path")
    args = parser.parse_args()

    print("[*] Linux Audit Log Intrusion Detection Agent")

    if args.ausearch_key:
        result = run_ausearch(key=args.ausearch_key)
        print(json.dumps(result, indent=2))
        sys.exit(0)

    events = parse_audit_log(args.log_file, args.max_lines)
    if isinstance(events, dict) and "error" in events:
        print(f"[!] {events['error']}")
        print("[DEMO] Specify a valid audit.log path or run on a Linux system")
        print(json.dumps({"demo": True, "monitored_syscalls": len(SUSPICIOUS_SYSCALLS)}, indent=2))
        sys.exit(0)

    findings = []
    findings.extend(detect_privilege_escalation(events))
    findings.extend(detect_file_access(events))
    findings.extend(detect_suspicious_commands(events))

    summary = generate_summary(events, findings)
    print(f"[*] Events parsed: {summary['total_events']}")
    print(f"[*] Findings: {summary['total_findings']}")
    print(f"    By severity: {summary['by_severity']}")
    for f in findings[:15]:
        print(f"  [{f['severity']}] {f['type']}: {f.get('command', f.get('path', ''))}")

    if args.output:
        report = {"summary": summary, "findings": findings}
        with open(args.output, "w") as f:
            json.dump(report, f, indent=2, default=str)

    print(json.dumps(summary, indent=2))


if __name__ == "__main__":
    main()
Keep exploring