Attackers love operating in the dark. If you’re not logging critical security events on your Linux servers, you’re handing them a permanent stealth cloak. Remember SolarWinds? Lack of comprehensive audit logging on some endpoints delayed detection by months.
This isn’t rocket science, but I still see far too many organizations leaving their Linux boxes practically blind. auditd is your eyes and ears. It tracks file access, system calls, privilege changes – the exact trails attackers try to cover. Without it, post-exploitation tools like LinPEAS will notice and adjust their evasion tactics accordingly. Don’t make it easy for them.
Install it, enable it, configure it. It’s a foundational control, not an optional extra.
On Debian/Ubuntu systems, it’s a few simple commands:
sudo apt install auditd audispd-plugins
sudo systemctl enable auditd
sudo systemctl start auditd
This is basic security hygiene. If you’re not doing this, you’re running a severe risk of missing the warning signs of a breach until it’s too late.
The fix
sudo apt install auditd audispd-plugins # Debian/Ubuntu
sudo systemctl enable auditd
sudo systemctl start auditd
# Key rules (/etc/audit/rules.d/audit.rules):
# -w = watch a path, -p wa = log writes and attribute changes, -k = tag records with a key for searching
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /var/log/auth.log -p wa -k auth_log
# log every program execution (64-bit syscall table)
-a always,exit -F arch=b64 -S execve -k exec
# rules in rules.d/ take effect after a reload: sudo augenrules --load
Reference: CIS Linux Benchmark 4.1
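The rules above are only useful if someone reads what they produce. As an added example, not part of the original post, here is a small Python script that parses records in the format auditd writes to /var/log/audit.log, joins the SYSCALL, PATH and EXECVE records that share one event serial, and groups them by the -k keys from the rules (identity, exec). The log lines are constructed for the example; pids, inodes and timestamps are made up, and the two checks it applies (auid differing from uid on an identity change, auid unset on an exec) are illustrative triage heuristics, not a rule set from the post.

```python
"""Triage auditd records tagged by the rules in the post (added example)."""
import re
from collections import Counter, defaultdict

# auditd writes 4294967295 (unsigned -1) when a process has no login session
AUID_UNSET = 4294967295

# Constructed sample log: a /etc/shadow write via sudo by login uid 1000,
# a curl run by that user, and a cron-driven exec with no login session.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0a1 a2=241 a3=1b6 items=2 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="identity"
type=CWD msg=audit(1700000000.123:456): cwd="/root"
type=PATH msg=audit(1700000000.123:456): item=0 name="/etc/" inode=2 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.123:456): item=1 name="/etc/shadow" inode=1337 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.500:457): arch=c000003e syscall=59 success=yes exit=0 a0=55e1 a1=55e2 a2=55e3 a3=0 items=2 ppid=1300 pid=1301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="exec"
type=EXECVE msg=audit(1700000000.500:457): argc=2 a0="curl" a1="http://example.invalid/"
type=SYSCALL msg=audit(1700000001.000:458): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/bin/run-parts" key="exec"
type=EXECVE msg=audit(1700000001.000:458): argc=2 a0="run-parts" a1="/etc/cron.hourly"
"""

# key=value pairs; values are either double-quoted or run to the next space
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# msg=audit(<seconds>.<millis>:<serial>): ties records of one event together
MSG_RE = re.compile(r'msg=audit\((\d+)\.(\d+):(\d+)\):')


def parse_record(line):
    """Turn one audit record into a dict; returns None for non-audit lines."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"_time": f"{m.group(1)}.{m.group(2)}", "_serial": int(m.group(3))}
    for key, val in FIELD_RE.findall(line):
        if key == "msg":
            continue  # already decoded above
        # quoted values are plain strings; unquoted hex-encoded ones are kept as-is
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec


def group_events(text):
    """Group records by serial: one SYSCALL/EXECVE/CWD each, a list of PATHs."""
    events = defaultdict(lambda: {"PATH": []})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["type"] == "PATH":
            events[rec["_serial"]]["PATH"].append(rec)
        else:
            events[rec["_serial"]][rec["type"]] = rec
    return dict(events)


def count_by_key(text):
    """How many events each -k key produced (what `aureport -k` summarises)."""
    return dict(Counter(ev["SYSCALL"]["key"] for ev in group_events(text).values()
                        if "SYSCALL" in ev and "key" in ev["SYSCALL"]))


def summarize(text):
    """One finding per keyed event, with illustrative triage notes attached."""
    findings = []
    for serial, ev in sorted(group_events(text).items()):
        sc = ev.get("SYSCALL")
        if sc is None or "key" not in sc:
            continue
        auid, uid = int(sc["auid"]), int(sc["uid"])
        f = {"serial": serial, "time": sc["_time"], "key": sc["key"],
             "auid": auid, "uid": uid, "exe": sc.get("exe"), "notes": []}
        if sc["key"] == "identity":
            # PATH records with nametype=NORMAL name the file actually touched
            f["files"] = [p["name"] for p in ev["PATH"] if p.get("nametype") == "NORMAL"]
            if auid != AUID_UNSET and auid != uid:
                # auid survives sudo/su, so the change is attributable to the login user
                f["notes"].append(f"ran as uid {uid} but attributed to login uid {auid}")
        elif sc["key"] == "exec":
            ex = ev.get("EXECVE", {})
            f["argv"] = [ex.get(f"a{i}", "") for i in range(int(ex.get("argc", 0)))]
            if auid == AUID_UNSET:
                f["notes"].append("no login session: daemon, cron or boot-time process")
        findings.append(f)
    return findings


if __name__ == "__main__":
    print("events per key:", count_by_key(SAMPLE_AUDIT_LOG))
    for f in summarize(SAMPLE_AUDIT_LOG):
        what = f.get("files") or f.get("argv")
        print(f"{f['time']} {f['key']:8} auid={f['auid']} uid={f['uid']} {what} {f['notes']}")
```

On a real host the same functions can be pointed at /var/log/audit.log (read as root), or at the output of `ausearch -k identity --raw`, which emits the same record format; the point of the auid check is that `-w /etc/shadow` records who logged in, not just that root touched the file.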