Detection requires visibility. Visibility requires logs. If your systems fall silent, you cannot investigate, cannot alert, cannot prove compliance. This module is about what to log, where to send it, and how to get real signal out of raw events.
The logging stack
- Generation: the system produces events (auth, syscalls, application logs)
- Collection: agents ship events from host to central pipeline
- Storage: long-term retention, searchable
- Analysis: alerts, dashboards, investigation workflows
- Response: action triggered on high-confidence signals
What to log (minimum for any production system)
- Authentication events: success, failure, logout
- Authorization events: privilege changes, failed access attempts
- Process execution: what ran, by whom, with what args
- Network: outbound connections, DNS queries
- Data access: sensitive file reads/writes, database queries
- Config changes: who changed what, when
- Application errors: unhandled exceptions, 5xx responses
A common failure mode: applications log only their own business events and miss the security-relevant ones above. Build logging into application design rather than bolting it on later.
Linux: auditd + journald + syslog
# /etc/audit/rules.d/security.rules
# Watch privilege changes
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_changes
# Watch sensitive config
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /etc/hosts -p wa -k hosts_changes
# Catch root-level command execution
-a always,exit -F arch=b64 -S execve -F uid=0 -k root_commands
# Catch privilege escalation (non-root running commands as root)
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid!=0 -k privesc
# Watch log files themselves (attacker tampering)
-w /var/log -p rwa -k log_tamper
Load the rules with augenrules --load (or restart auditd), confirm they are active with auditctl -l, and query events by key: ausearch -k privesc.
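As an added example (not part of this module's material), the following Python parses raw audit.log records into fields, groups them by event id, and summarises the execve events tagged by the privesc rule above. It also drops records whose login uid is unset (auid=4294967295): the rule's auid!=0 test matches those too, so daemons started at boot would otherwise show up as escalations. The sample records are constructed, not captured from a real host.

```python
import re
from collections import defaultdict

# Constructed sample records in auditd's raw key=value format, not captured
# from a real host. Event 4242 was tagged by the privesc rule, 4243 by
# root_commands, and 4244 is a boot-time daemon whose login uid is unset
# (auid=4294967295), which the rule's auid!=0 test also matches.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=59 success=yes exit=0 ppid=1501 pid=1502 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="privesc"
type=EXECVE msg=audit(1700000000.123:4242): argc=3 a0="bash" a1="-c" a2="id"
type=SYSCALL msg=audit(1700000000.456:4243): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=900 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="ls" exe="/usr/bin/ls" key="root_commands"
type=SYSCALL msg=audit(1700000000.789:4244): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=950 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="privesc"
"""

AUID_UNSET = 4294967295  # auditd writes an unset login uid as (unsigned)-1
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID_RE = re.compile(r'audit\([\d.]+:(\d+)\)')

def parse_record(line):
    """Turn one raw audit line into a dict; quoted values are unquoted."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = EVENT_ID_RE.search(line)
    rec["event_id"] = m.group(1) if m else None
    return rec

def group_events(log_text):
    """Group records by event id: one execve spans SYSCALL, EXECVE and PATH lines."""
    events = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_record(line)
        events[rec["event_id"]].append(rec)
    return events

def privesc_alerts(log_text):
    """One summary per privesc-keyed execve that came from a real login session."""
    alerts = []
    for event_id, records in group_events(log_text).items():
        syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != "privesc":
            continue
        auid = int(syscall["auid"])
        if auid == AUID_UNSET:  # daemon with no login session: not an escalation
            continue
        execve = next((r for r in records if r["type"] == "EXECVE"), None)
        argv = [execve[f"a{i}"] for i in range(int(execve["argc"]))] if execve else []
        alerts.append({"event_id": event_id, "auid": auid, "euid": int(syscall["euid"]),
                       "exe": syscall["exe"], "argv": argv})
    return alerts
```

Point it at ausearch -k privesc --raw output (or the audit.log file itself) to get the same per-event summaries over real data.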