MegaplanIT Blog's & Informational Resources

Whether you’re looking to secure your business or stay PCI compliant, MegaplanIT has a certified team of experts that can help you every step of the way. Stay informed with up-to-date blog.

Advanced Linux Auditing

Posted by MegaplanIT on 7/1/20 4:41 PM

The Need for Linux Auditing

Auditing Linux system events is critical to any organization’s governance, risk and compliance objectives. In order to conduct efficient forensic investigations and ensure accountability the proper security policies and controls have to be in place.

Compliance: Internal and external auditing requirements typically expect some level of minimum log collection.

Security: Security incident detection's are enabled by the deeper context provided by audit logs.

Forensics: Forensic investigations rely heavily on detailed and accurate audit logging.

Operations: Troubleshooting and identifying misconfigurations is sometimes only possible with advanced auditing.

Syslog and auditd

  • Syslog operates as an application and a protocol, meaning that it is capable of generating and forwarding system logs to a log aggregator.
  • Auditd operates as an application at the kernel level, meaning it has much more granular visibility, but does not have it’s own protocol and cannot forward system logs.

CISOfy/lynis Security Auditing Tool

Lynis is a security auditing tool for Linux. It performs an in-depth security scan and runs on the system itself. The primary goal is to test security defenses and provide tips for further system hardening. It will also scan for general system information, vulnerable software packages, and possible configuration issues

Policy Auditing: Highlight the differences between local policies and security baselines

Policy Reporting: Export results as a CSV or Excel Spreadsheet


Types of Auditd Rules

Control Rules File System Rules System Call Rules
Delete previous rules Monitor read Monitor specific system calls
Set buffer size Monitor write Filter on specific events to be logged
Make config immutable Monitor execution  
Panic on failure Monitor attribute changes  
Message rate limit


The Need for Auditd Configuration

Traditional Linux audit logging is great for basic compliance purposes; not for making security detections. Auditd is a Linux system service that hooks into the kernel and provides detailed information about user modifications, logon activity, use of privileged commands, administrator actions, and kernel module activity. It subsequently reports on these events to help identify malicious or anomalous activity. This allows you to better understand how intruders and malware operate on your network.

Execution Persistence Exfiltration
Module Loading Application Shimming Data Compression
Powershell Execution BITS Jobs Data Encryption
Scripting DLL Search Order Hijacking Exfiltration Over Alt Protocol & CNC
Service Execution Local Job Scheduling Remote Access Tools
User Execution Logon Scripts Remote File Copy
Linux Remote Management Scheduled Tasks Scheduled Transfer


Automating auditd Policy Configuration

Advanced Auditing: Automatically configure your local audit policy to comply with the CIS security baseline.

CentOS 7 and Ubuntu 16 Support: Out of the box support for CentOS and Ubuntu systems. Minor modifications necessary for other systems.

Deploy in Seconds: Copy and paste 3 lines of bash into a root terminal to configure everything.


If you would like to learn more about Advanced Linux Auditing and how MegaplanIT can assist you,

please contact us at the link below

Contact Us

Topics: Managed Security Services