

Intro to Auditd


The Linux Audit system, colloquially referred to as “auditd” in security settings, is a staple of Linux security monitoring. Its role is to log information about events occurring within a system, particularly security-relevant information. It records these events based on a relatively precise set of rules, which we can configure. Our Audit rules, how they are enriched, and how we interpret them can be the determining factor as to whether or not we are successful at defending a Linux environment.

The Audit system has been around for quite a while, and despite hopes for a new user-friendly standard, it persists. It’s available for any Linux distribution you will find in a production environment. In fact, many security products still leverage Audit as their primary event source. Even if you’re fortunate enough to have ubiquitous EDR in your Linux environment, learning about the Audit system will give you a better understanding of what to expect from your tools.

The universality of Audit provides an opportunity for us to collect very specific telemetry for hunting and detection purposes. Production environments, for example, have unique features that create opportunities for attackers. This is especially true today as on-prem infrastructure is hybridized with the cloud. Developers may store secrets like private keys and passwords in odd places that are not monitored by security products. They also frequently have a continuous integration/continuous deployment (CI/CD) pipeline that relies on the integrity and confidentiality of data stored on Linux systems. All it takes to illuminate these systems and alleviate a frequent source of organizational uncertainty is a basic understanding of Audit and how we can apply it using our knowledge of the protected environment.

The goal of this module is to familiarize you with auditd from an analyst perspective. So we will mainly focus on rules, the events they generate, and how to interpret them. As we progress, we will look at a simple intrusion and use audit rules to uncover the attacker's actions.
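As an added example (not part of the original module), here is a small Python correlator that joins the SYSCALL, PATH and PROCTITLE records a file-watch rule emits for one event into a single analyst-friendly summary. The watch rule, the watched path, the key name and the sample records are constructed for illustration and are not taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample from a hypothetical watch rule: -w /srv/ci/.env -p rwa -k ci_secrets
# (path, key, pids, inode and timestamps are made up for this example).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1702300000.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1 a2=0 a3=0 items=1 ppid=4120 pid=4131 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="ci_secrets"
type=PATH msg=audit(1702300000.123:456): item=0 name="/srv/ci/.env" inode=393241 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fr=0
type=PROCTITLE msg=audit(1702300000.123:456): proctitle=636174002F7372762F63692F2E656E76
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit line into (type, timestamp, serial, {field: value})."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    if rtype == "PROCTITLE" and "proctitle" in fields:
        # proctitle is the hex-encoded argv, with NUL between arguments
        raw = bytes.fromhex(fields["proctitle"])
        fields["proctitle"] = raw.decode(errors="replace").replace("\0", " ")
    return rtype, float(ts), int(serial), fields


def correlate(log_text):
    """Group records by serial (one kernel event), then join the record types."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec[2]].append(rec)
    summaries = []
    for serial, recs in sorted(events.items()):
        by_type = defaultdict(list)
        for rtype, _ts, _serial, fields in recs:
            by_type[rtype].append(fields)
        sc = by_type.get("SYSCALL", [{}])[0]
        summaries.append({"serial": serial, "key": sc.get("key"),
                          "auid": sc.get("auid"),  # login uid; survives su/sudo
                          "uid": sc.get("uid"), "exe": sc.get("exe"),
                          "success": sc.get("success"),
                          "paths": [p["name"] for p in by_type.get("PATH", []) if "name" in p],
                          "cmdline": by_type.get("PROCTITLE", [{}])[0].get("proctitle")})
    return summaries
```

Feeding real `/var/log/audit/audit.log` lines through `correlate()` gives one row per event, which is the shape most SIEM pipelines want before filtering on `key`.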

The events in your SIEM can be found in the following timespan: 11 Dec 2023 - 13 Dec 2023
