Audit and Intrusion Detection on Linux
Auditing and intrusion detection allow you to know what happened on a
system, when it happened, and who did it. Without these capabilities, a
breach can go undetected for months. The Linux audit framework (auditd)
records kernel-level events, AIDE checks filesystem integrity against a known
baseline, fail2ban reacts to malicious patterns in real time, and centralized
log analysis ties it all together. This guide covers each tool with practical
configuration examples.
Hub: Linux Security Hardening | See also: SELinux & AppArmor, Firewall Best Practices
The Linux Audit Framework (auditd)
auditd is the user-space daemon that receives audit events from the
kernel and writes them to /var/log/audit/audit.log. What gets recorded is
entirely determined by the rules you load: file watches cover writes,
attribute changes and (optionally) reads of critical files, and system call
rules cover everything else (command execution through execve, mounts, module
loading, network activity through socket and connect). The audit trail is
separate from syslog, so tampering with rsyslog or journald does not stop it;
it does not survive an attacker who already has root, though, unless the rule
set is locked with -e 2 (immutable until reboot), and even then the log should
be shipped off the host rather than left in /var/log/audit alone.
Installing and Starting auditd
# Install on Debian/Ubuntu
sudo apt install auditd audispd-plugins
# Install on Fedora/RHEL (usually pre-installed)
sudo dnf install audit
# Enable and start the service
sudo systemctl enable --now auditd
# Check kernel audit status: enabled flag (2 = locked), failure mode, backlog and lost-event counters
sudo auditctl -s
Adding Audit Rules with auditctl
Rules can be added temporarily with auditctl for testing, or permanently in
rule files under /etc/audit/rules.d/. There are two types of rules: file
watches (-w) and system call rules (-a).
# Watch /etc/passwd for writes (w) and attribute changes (a)
sudo auditctl -w /etc/passwd -p wa -k passwd_changes
# Watch /etc/shadow for writes and attribute changes; add r to -p to log reads
# as well (noisy, but a read of shadow by anything other than PAM is suspicious)
sudo auditctl -w /etc/shadow -p wa -k shadow_changes
# Watch the SSH server configuration
sudo auditctl -w /etc/ssh/sshd_config -p wa -k sshd_config
# Watch all files in /etc/sudoers.d/
sudo auditctl -w /etc/sudoers.d/ -p wa -k sudoers_changes
# Monitor the mount system call (detect unauthorized mounts). Syscall rules are
# per ABI: on x86_64 add a matching -F arch=b32 rule, or a 32-bit binary bypasses it
sudo auditctl -a always,exit -F arch=b64 -S mount -k mount_ops
# Monitor execve to log every command executed (high volume -- use carefully;
# the same arch=b32 caveat applies, and adding -F auid>=1000 -F auid!=4294967295
# restricts the rule to real user sessions and skips daemons)
sudo auditctl -a always,exit -F arch=b64 -S execve -k commands
# Watch for privilege escalation via su or sudo
sudo auditctl -w /usr/bin/su -p x -k priv_esc
sudo auditctl -w /usr/bin/sudo -p x -k priv_esc
# Watch for modifications to cron jobs
sudo auditctl -w /etc/crontab -p wa -k cron_changes
sudo auditctl -w /var/spool/cron/ -p wa -k cron_changes
# List all active rules
sudo auditctl -l
# Delete all rules (useful for resetting during testing)
sudo auditctl -D
Persistent Rules in /etc/audit/rules.d/
For rules that survive reboot, create files in /etc/audit/rules.d/. augenrules
concatenates them in sorted filename order into /etc/audit/audit.rules, so use
numeric prefixes to control the order: -D (flush existing rules) belongs in
the first file, and if you lock the configuration with -e 2 that line belongs
in the last.
# /etc/audit/rules.d/10-identity.rules
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
# /etc/audit/rules.d/20-ssh.rules
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /etc/ssh/sshd_config.d/ -p wa -k sshd_config
# /etc/audit/rules.d/30-priv-esc.rules
-w /usr/bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /usr/bin/passwd -p x -k passwd_cmd
-w /usr/sbin/useradd -p x -k user_mgmt
-w /usr/sbin/userdel -p x -k user_mgmt
-w /usr/sbin/usermod -p x -k user_mgmt
# /etc/audit/rules.d/40-modules.rules
# Executable watches on the kmod tools; pair them with syscall rules on
# init_module, finit_module and delete_module, which catch module loading
# no matter which program issues it
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
# Load the persistent rules into the running kernel
sudo augenrules --load
# Verify rules are loaded
sudo auditctl -l
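A complete persistent rule set, as an added example that is not part of this page or of the audit project: it generates one rules file that pairs every 64-bit syscall rule with its 32-bit twin, adds syscall rules for module loading alongside the executable watches above, restricts execve logging to real user sessions, and ends with -e 2 so the configuration cannot be changed until reboot. The audit_rules_missing_b32 helper lints a rules file for 64-bit rules that have no 32-bit counterpart. The file name 50-baseline.rules, the buffer size, an x86_64 host (arm64 kernels without CONFIG_COMPAT reject arch=b32) and the SAMPLE_RULES text are assumptions.

```sh
#!/bin/sh
# Added example: generate, lint and load a persistent audit rule set.
# Assumptions: x86_64 host (arch=b32 rules need a compat-capable kernel),
# target file /etc/audit/rules.d/50-baseline.rules, backlog buffer of 8192.
set -eu

gen_audit_rules() {
  cat <<'EOF'
## Generated baseline: every syscall rule appears for both ABIs
-D
-b 8192
-f 1
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_changes
# mounts from either ABI
-a always,exit -F arch=b64 -S mount -k mount_ops
-a always,exit -F arch=b32 -S mount -k mount_ops
# kernel module loading/unloading, regardless of which tool issues it
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules
-a always,exit -F arch=b32 -S init_module,finit_module,delete_module -k modules
# every command run in a real user session (auid set and >= 1000); daemons excluded
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k commands
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k commands
# lock the configuration until reboot (auditctl -s then reports enabled 2)
-e 2
EOF
}

# Lint: print "<syscalls>/<key>" for each arch=b64 rule that has no arch=b32 twin.
# Reads a rules file on stdin.
audit_rules_missing_b32() {
  awk '
    /^-a / {
      arch = ""; sc = ""; key = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-F" && $(i + 1) ~ /^arch=/)
          arch = substr($(i + 1), 6)
        else if ($i == "-S")
          sc = (sc == "" ? $(i + 1) : sc "," $(i + 1))
        else if ($i == "-k")
          key = $(i + 1)
      }
      if (arch == "b64") b64[sc "/" key] = 1
      if (arch == "b32") b32[sc "/" key] = 1
    }
    END { for (k in b64) if (!(k in b32)) print k }' | sort
}

# Write the rule set, merge it with augenrules and show the kernel status.
install_audit_rules() {
  gen_audit_rules > /etc/audit/rules.d/50-baseline.rules
  chmod 0640 /etc/audit/rules.d/50-baseline.rules
  augenrules --load
  auditctl -s
}

# Constructed rules text for the linter: the mount rule lacks its b32 twin.
SAMPLE_RULES='-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S mount -k mount_ops
-a always,exit -F arch=b64 -S execve -k commands
-a always,exit -F arch=b32 -S execve -k commands'

case "${1:-}" in
  install) install_audit_rules ;;
  lint)    audit_rules_missing_b32 < "$2" ;;
  *)       gen_audit_rules ;;   # no argument: print the rule set
esac
```

Run it as root with the install argument to deploy, or with lint and a path to check an existing rules.d file (the constructed SAMPLE_RULES reports mount/mount_ops). Once -e 2 has taken effect, augenrules --load fails until the next reboot, so lint before you lock.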
Searching Audit Logs with ausearch and aureport
# Search by key (find all events tagged with passwd_changes)
sudo ausearch -k passwd_changes
# Search by time range
sudo ausearch -k priv_esc --start today
sudo ausearch -k identity --start "12/01/2025" --end "12/31/2025"
# Search by user ID
sudo ausearch -ua 1000
# Search by event type
sudo ausearch -m USER_LOGIN --start today
# Generate a summary report
sudo aureport --summary
# Report on authentication events
sudo aureport --auth
# Report on failed events (useful for detecting brute-force attempts)
sudo aureport --failed
# Report on file accesses
sudo aureport --file --start today
# Report on anomalous events
sudo aureport --anomaly
The raw output of ausearch (--raw) can be piped into aureport for a formatted
report of just the matching events, and recent audit releases can emit CSV
directly with ausearch --format csv, which is the simplest way to hand records
to a SIEM for correlation with network logs and other data sources. Ship the
log off the host in any case: an attacker with root can truncate
/var/log/audit/audit.log, but not the copies that were already sent.
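A worked search over raw records, added here as an example (it is not the page's or the audit project's code): audit_exec_by_user reads ausearch --raw output, or audit.log itself, and joins each SYSCALL record that carries the requested key with the EXECVE record of the same event serial, giving one line per command with the login uid (auid) that ran it; the 4294967295 sentinel is rendered as unset. The records in SAMPLE_AUDIT_LOG are constructed in the audit.log format, and their timestamps, serials, pids and paths are made up.

```sh
#!/bin/sh
# Added example: who ran what, from raw audit records.
# Input: raw records on stdin (ausearch --raw ... or /var/log/audit/audit.log).
# Assumption: fields are space-separated; the kernel hex-encodes any EXECVE
# argument containing spaces or quotes, so splitting on whitespace is safe.
set -eu

audit_exec_by_user() {
  awk -v want="$1" '
    {
      # msg=audit(1733000000.101:4567): -> event serial 4567
      if (!match($2, /:[0-9]+\)/)) next
      serial = substr($2, RSTART + 1, RLENGTH - 2)
    }
    $1 == "type=SYSCALL" {
      auid = ""; exe = ""; key = ""
      for (i = 3; i <= NF; i++) {
        n = index($i, "="); name = substr($i, 1, n - 1); val = substr($i, n + 1)
        gsub(/"/, "", val)
        if (name == "auid") auid = val
        else if (name == "exe") exe = val
        else if (name == "key") key = val
      }
      if (key != want) next
      if (auid == "4294967295") auid = "unset"   # no login session: cron, daemons
      who[serial] = auid; bin[serial] = exe
    }
    $1 == "type=EXECVE" {
      cmd = ""
      for (i = 3; i <= NF; i++)
        if ($i ~ /^a[0-9]+=/) {
          v = substr($i, index($i, "=") + 1); gsub(/"/, "", v)
          cmd = (cmd == "" ? v : cmd " " v)
        }
      argv[serial] = cmd
    }
    END {
      for (s in who) print s, "auid=" who[s], "exe=" bin[s], "cmd=" argv[s]
    }' | sort -n
}

# Constructed sample: two privilege escalations by real users and one cron-run command
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1733000000.101:4567): arch=c000003e syscall=59 success=yes exit=0 a0=55c1a0 a1=55c2b0 a2=55c3c0 a3=0 items=2 ppid=2201 pid=2202 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=0 fsgid=0 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="priv_esc"
type=EXECVE msg=audit(1733000000.101:4567): argc=2 a0="sudo" a1="-i"
type=CWD msg=audit(1733000000.101:4567): cwd="/home/alice"
type=SYSCALL msg=audit(1733000000.250:4568): arch=c000003e syscall=59 success=yes exit=0 a0=55d1a0 a1=55d2b0 a2=55d3c0 a3=0 items=2 ppid=2310 pid=2311 auid=1001 uid=1001 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=0 fsgid=0 tty=pts1 ses=4 comm="su" exe="/usr/bin/su" key="priv_esc"
type=EXECVE msg=audit(1733000000.250:4568): argc=2 a0="su" a1="-"
type=SYSCALL msg=audit(1733000000.300:4569): arch=c000003e syscall=59 success=yes exit=0 a0=55e1a0 a1=55e2b0 a2=55e3c0 a3=0 items=2 ppid=900 pid=2400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cat" exe="/usr/bin/cat" key="commands"
type=EXECVE msg=audit(1733000000.300:4569): argc=2 a0="cat" a1="/etc/passwd"'

case "${1:-}" in
  "") printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_exec_by_user priv_esc ;;
  *)  ausearch -k "$1" --raw --start "${2:-today}" | audit_exec_by_user "$1" ;;
esac
```

With no arguments the script runs over the sample and prints the two priv_esc events; with a key (and optionally a start time) it queries ausearch on the live system. Because the join is on the event serial, the same function works for any key attached to an execve rule, such as the commands key above.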
Filesystem Integrity Monitoring with AIDE
AIDE (Advanced Intrusion Detection Environment) creates a database of file checksums, permissions, ownership, and other metadata. Subsequent checks compare the current state of the filesystem to the baseline and report any changes, which might indicate that an attacker has modified binaries, planted backdoors, or altered configuration files.
# Install AIDE
sudo apt install aide aide-common # Debian/Ubuntu
sudo dnf install aide # Fedora/RHEL
# Initialize the database (scans the filesystem -- takes several minutes)
sudo aide --init
# The initial database is written to /var/lib/aide/aide.db.new (on RHEL/Fedora
# it is compressed: aide.db.new.gz, and the baseline is aide.db.gz).
# Move it into place as the baseline
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Run a check against the baseline
sudo aide --check
# After legitimate changes (e.g., patching), update the database
sudo aide --update
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
Configuring AIDE
The configuration file at /etc/aide/aide.conf (or /etc/aide.conf) defines
which directories to monitor and what attributes to check:
# Custom rule combining common attributes
NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
# Monitor critical system directories
/etc NORMAL
/bin NORMAL
/sbin NORMAL
/usr/bin NORMAL
/usr/sbin NORMAL
/boot NORMAL
# Exclude directories that change frequently
!/var/log
!/var/cache
!/var/lib/apt
!/tmp
!/run
Schedule AIDE checks nightly via cron and email the results:
# /etc/cron.daily/aide-check   (make it executable: chmod +x; replace the address)
#!/bin/bash
/usr/bin/aide --check 2>&1 | mail -s "AIDE report for $(hostname) $(date +%F)" admin@example.com
Store a copy of the AIDE database (and of aide.conf) off the host or on
read-only media, and compare it with the on-host copy before trusting a
check: an attacker who has root can simply regenerate the baseline so that
their changes look like the norm.
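A check script that does what the preceding paragraphs ask for, added as an example that is not part of this page or of AIDE: before each run it compares the on-host database with a SHA-256 digest recorded off-host when the baseline was made (a regenerated baseline then fails the comparison instead of silently passing), runs the check, decodes AIDE's exit status (a bitmask: 1 new files, 2 removed files, 4 changed files; 14 and above are errors) and mails only when there is something to report. The database path, the digest file location and the mail address are assumptions.

```sh
#!/bin/sh
# Added example: tamper-aware nightly AIDE check.
# Assumptions: database at /var/lib/aide/aide.db (RHEL: aide.db.gz), its
# SHA-256 kept off-host and also at AIDE_DB_SHA256, reports mailed to MAILTO.
set -eu

AIDE_DB=${AIDE_DB:-/var/lib/aide/aide.db}
AIDE_DB_SHA256=${AIDE_DB_SHA256:-/root/aide.db.sha256}  # "<hex digest>  <path>", written at baseline time
MAILTO=${MAILTO:-admin@example.com}

# AIDE exit status is a bitmask: 1 new files, 2 removed files, 4 changed files;
# 14..19 signal configuration or I/O errors rather than findings.
aide_exit_text() {
  rc=$1
  if [ "$rc" -ge 14 ]; then
    echo "aide error (exit $rc)"
    return 0
  fi
  msg=""
  if [ $((rc & 1)) -ne 0 ]; then msg="new files"; fi
  if [ $((rc & 2)) -ne 0 ]; then msg="${msg:+$msg, }removed files"; fi
  if [ $((rc & 4)) -ne 0 ]; then msg="${msg:+$msg, }changed files"; fi
  echo "${msg:-no changes}"
}

# Succeeds only if the database's SHA-256 equals the recorded digest.
verify_baseline() {
  db=$1; expected=$2
  actual=$(sha256sum "$db" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

run_aide_check() {
  if [ ! -r "$AIDE_DB_SHA256" ]; then
    echo "no recorded baseline digest at $AIDE_DB_SHA256" >&2
    return 2
  fi
  if ! verify_baseline "$AIDE_DB" "$(cut -d' ' -f1 "$AIDE_DB_SHA256")"; then
    echo "AIDE database $AIDE_DB does not match the recorded digest; refusing to trust it" \
      | mail -s "AIDE BASELINE MISMATCH on $(hostname)" "$MAILTO"
    return 2
  fi
  report=$(mktemp)
  trap 'rm -f "$report"' EXIT
  rc=0
  aide --check > "$report" 2>&1 || rc=$?
  summary=$(aide_exit_text "$rc")
  logger -t aide-check "$summary"
  if [ "$rc" -ne 0 ]; then
    mail -s "AIDE $(hostname) $(date +%F): $summary" "$MAILTO" < "$report"
  fi
  return 0
}

if [ "${1:-}" = "run" ]; then run_aide_check; fi
```

Schedule it from /etc/cron.d with the run argument (cron.daily's run-parts passes no arguments), and after every legitimate aide --update recompute the digest with sha256sum /var/lib/aide/aide.db, store it in the digest file and copy it to the off-host location; a baseline the script refuses is a baseline someone changed without doing that.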
Fail2ban Jails Beyond SSH
Fail2ban is not limited to SSH. It ships with filters for dozens of
services. Enable additional jails in /etc/fail2ban/jail.local (jail.conf is
overwritten on upgrade). Two things to settle before enabling anything:
ignoreip in the [DEFAULT] section, listing your own management addresses, so
that a mistyped password does not lock you out; and the log source, since the
logpath values below are Debian/Ubuntu's (RHEL uses /var/log/httpd/error_log
and /var/log/maillog) and on systems that log only to the journal you set
backend = systemd instead of a logpath.
[sshd]
enabled = true
port = ssh
maxretry = 3
bantime = 3600
[apache-auth]
enabled = true
port = http,https
logpath = /var/log/apache2/error.log
maxretry = 5
bantime = 1800
[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 5
[postfix]
enabled = true
port = smtp,465,submission
logpath = /var/log/mail.log
maxretry = 5
# Reload fail2ban after changing jail.local
sudo fail2ban-client reload
# Check all active jail statuses
sudo fail2ban-client status
# Check a specific jail
sudo fail2ban-client status sshd
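A jail for a service fail2ban has no filter for, added here as an example (not from the page or from fail2ban): myapp and its log line format are hypothetical. The filter and jail are written the way fail2ban expects them, with ignoreip so that management addresses (192.0.2.0/24 here, a documentation range) are never banned. f2b_offenders is a plain grep/awk approximation of the filter plus maxretry for checking the pattern against a log sample before the jail goes live; the authoritative test is fail2ban-regex, which the install function runs against the real log.

```sh
#!/bin/sh
# Added example: custom fail2ban jail for a hypothetical "myapp" service.
# Assumptions: myapp logs lines like
#   2025-12-01 03:14:15 myapp: login failed for user alice from 203.0.113.7
# to /var/log/myapp/auth.log; 192.0.2.0/24 stands in for your management network.
set -eu

F2B_FILTER='[Definition]
# fail2ban strips the timestamp before matching; <HOST> captures the source address
failregex = ^\s*myapp: login failed for user \S+ from <HOST>$
ignoreregex =
'

F2B_JAIL='[myapp]
enabled   = true
port      = https
logpath   = /var/log/myapp/auth.log
filter    = myapp
maxretry  = 5
findtime  = 10m
bantime   = 1h
# never ban loopback or the management network
ignoreip  = 127.0.0.1/8 ::1 192.0.2.0/24
'

install_f2b_myapp() {
  printf '%s' "$F2B_FILTER" > /etc/fail2ban/filter.d/myapp.conf
  printf '%s' "$F2B_JAIL"   > /etc/fail2ban/jail.d/myapp.local
  # dry-run the filter against the real log before the jail is live
  fail2ban-regex /var/log/myapp/auth.log /etc/fail2ban/filter.d/myapp.conf
  fail2ban-client reload
  fail2ban-client status myapp
}

# Offline approximation of the filter plus maxretry: prints each source address
# with at least $1 failed logins in the input (findtime is not modelled).
f2b_offenders() {
  maxretry=$1
  grep -E 'myapp: login failed for user [^ ]+ from [0-9A-Fa-f.:]+$' \
    | sed -E 's/.* from ([0-9A-Fa-f.:]+)$/\1/' \
    | sort | uniq -c \
    | awk -v m="$maxretry" '$1 >= m { print $2 }'
}

# Constructed log sample: one address reaches maxretry, one does not
SAMPLE_APP_LOG='2025-12-01 03:14:15 myapp: login failed for user alice from 203.0.113.7
2025-12-01 03:14:16 myapp: login failed for user alice from 203.0.113.7
2025-12-01 03:14:17 myapp: login failed for user admin from 203.0.113.7
2025-12-01 03:14:18 myapp: login ok for user bob from 198.51.100.3
2025-12-01 03:14:19 myapp: login failed for user root from 203.0.113.7
2025-12-01 03:14:20 myapp: login failed for user bob from 198.51.100.3
2025-12-01 03:14:21 myapp: login failed for user root from 203.0.113.7'

case "${1:-}" in
  install) install_f2b_myapp ;;
  *)       printf '%s\n' "$SAMPLE_APP_LOG" | f2b_offenders 5 ;;
esac
```

With no argument the script prints 203.0.113.7 for the sample; run it as root with install to deploy. Keep the regex anchored at both ends and require a real address where <HOST> sits: a loose pattern that also matches attacker-controlled text (a username containing "from 127.0.0.1", say) is how fail2ban gets tricked into banning the wrong host.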
Log Analysis with journalctl and logwatch
journalctl
journalctl provides structured access to the systemd journal with powerful
filtering:
# Show all logs since last boot
journalctl -b
# Follow logs in real time (like tail -f)
journalctl -f
# Filter by service and time (the unit is ssh on Debian/Ubuntu, sshd on RHEL/Fedora)
journalctl -u sshd --since "1 hour ago"
journalctl -u nginx --since "2025-12-01" --until "2025-12-02"
# Show only errors and above
journalctl -p err
# Show authentication messages. Facility 10 is authpriv (sudo, PAM, login);
# sshd logs to facility 4 (auth) unless SyslogFacility was changed in sshd_config
journalctl SYSLOG_FACILITY=10
# Show kernel messages
journalctl -k
logwatch
Logwatch summarises log files into a daily report that highlights anomalies:
sudo apt install logwatch # Debian/Ubuntu
# Generate a high-detail report for yesterday
sudo logwatch --detail high --range yesterday --output stdout
# Email the report daily (run from cron; replace the address)
sudo logwatch --detail high --mailto admin@example.com --range yesterday
OSSEC: Full Host-Based IDS
For environments that need a comprehensive host-based intrusion detection system with centralised management, OSSEC provides real-time log analysis, file integrity monitoring, rootkit detection, and active response (automatic blocking) in a single agent-server architecture. It can replace or complement auditd and AIDE for larger deployments where centralised correlation across dozens or hundreds of hosts is required. See the OSSEC documentation for installation and configuration.
A comprehensive audit and intrusion detection strategy combines kernel-level auditing (auditd), filesystem integrity checking (AIDE), reactive blocking (fail2ban), and log analysis (journalctl, logwatch). Together they provide the visibility and response capability needed to detect breaches early and contain them before they cause lasting damage.