
Audit Logging


30 cards — 🟢 4 easy | 🟡 9 medium | 🔴 7 hard

🟢 Easy (4)

1. What is the purpose of auditd on Linux?

auditd is the Linux audit daemon: the userspace service that receives records from the kernel audit subsystem (syscalls matched by loaded audit rules, file watches, and the login/authentication records that PAM and other audit-aware programs submit through the kernel) and writes them to /var/log/audit/audit.log for security monitoring and compliance. It records only what the loaded rules ask for; with no rules it captures little beyond logins, credential changes and service start/stop.

2. What command do you use to search Linux audit logs?

ausearch. For example: ausearch -k identity searches by key tag, ausearch -f /etc/shadow searches by file path, ausearch -ts today limits the search to today's events, and ausearch -i interprets UIDs, syscall numbers and timestamps into human-readable form.

Remember: audit log = 'who did what, when, and from where.' The four W's: Who, What, When, Where.

Example: '2026-03-21T14:30:00Z user=admin action=delete resource=pod/nginx namespace=production source_ip=10.0.0.5'

Fun fact: audit logs are required or assessed by HIPAA and GDPR (both law), PCI DSS Requirement 10 (a contractual standard) and SOC 2 (an attestation framework). Whatever its legal status, a framework with no audit trail to show yields a finding in the compliance audit.

3. What command generates summary reports from Linux audit logs?

aureport. Examples: aureport --auth for authentication events, aureport --failed for failed events, aureport --login for the login report, and aureport --summary for an overall summary. Add -ts/-te (for example -ts today) to scope any report to a time window.


4. What are the four stages of an audit log pipeline from source to analysis?

1) Collection: auditd, application audit events, cloud API logs. 2) Shipping: Filebeat, Fluentd, or audisp-remote to centralized storage. 3) Storage: SIEM, Elasticsearch, S3 with indexing. 4) Analysis: dashboards, alerts on anomalies, scheduled compliance reports, and forensic search capability.


🟡 Medium (9)

1. How do you add a file watch audit rule, and what do the -p flags mean?

Use auditctl -w /path -p wa -k tag_name. The -p flags are any combination of r (read), w (write), x (execute), and a (attribute change: owner, mode, timestamps). A watch on a directory covers the files and subdirectories beneath it. The -k flag sets a searchable key tag that ausearch -k tag_name and aureport -k report on. Check what is currently loaded with auditctl -l.

2. What happens when disk_full_action is set to HALT in auditd.conf?

auditd shuts the system down rather than letting it keep running with no audit coverage (the other choices include ignore, syslog, rotate, exec, suspend and single). Hardening baselines and some compliance frameworks require halt or single-user mode here, on the principle that it is better to stop than to run unaudited. On a server you cannot afford to lose, pair it with a generous space_left warning and off-host shipping so the local disk never actually fills.

3. What are the four audit logging levels in Kubernetes, from least to most verbose?

None (nothing logged), Metadata (request metadata only: user, timestamp, resource, verb, source IP, response status), Request (metadata plus the request body), and RequestResponse (metadata plus request and response bodies). The first matching rule in the policy wins. Metadata is the right level for secrets: Request and RequestResponse would copy the secret data into the audit log.


4. What is the difference between auditctl and /etc/audit/audit.rules?

auditctl changes the kernel's rule set at runtime; those rules are lost on reboot. Persistent rules live in /etc/audit/rules.d/*.rules and are merged by augenrules into /etc/audit/audit.rules when the service starts (older systems edit audit.rules directly). Use auditctl to test a rule, then put the working rule in rules.d and reload with augenrules --load. Once -e 2 (immutable mode) is in effect, no runtime change is accepted until reboot.

Remember: comparison questions are best answered with a structured format: name the key dimensions (use case, performance, complexity, cost) and compare each.

5. What are the key differences between Filebeat and Fluentd for shipping audit logs?

Filebeat is a lightweight Go agent for tailing log files and shipping to Elasticsearch or Logstash; its auditd module parses audit.log into structured fields. Fluentd is a general-purpose log router written in Ruby with C extensions and hundreds of plugins for many backends; Fluent Bit is its small C-based sibling suited to edge nodes and Kubernetes DaemonSets. Use Filebeat for simple ELK pipelines; Fluentd or Fluent Bit for multi-destination routing or where the rest of the platform already runs on them.


6. How do you filter audit log noise without losing security-relevant events?

Use targeted audit rules instead of broad syscall monitoring (never -S all on every syscall). Exclude known-safe processes by executable path (-F exe!=/usr/bin/known-safe on the rule, or an -a never,exit rule placed first, since the first matching rule wins). Drop high-frequency read-only events on non-sensitive paths (no r in -p for files that are read constantly). auditd has no permissive mode of its own, so test a new rule at runtime with auditctl rather than in the persistent file, compare aureport --summary event counts before and after, and only then make it persistent.

Remember: defense in depth — layer multiple security controls. No single mechanism is sufficient. Assume breach and design for containment.

7. How do you estimate disk usage for Linux audit logs?

Measure the baseline rate: aureport --summary -ts today (or any window with -ts/-te) gives an event count to divide by elapsed time. A single syscall event is several records (SYSCALL, CWD, PATH, PROCTITLE) and usually runs a few hundred bytes to about 1 KB; a moderately audited server produces on the order of 50-200 MB/day. Multiply by retention period and number of hosts, and budget 2-5x headroom for incident spikes, when the same rules fire far more often. Compare the estimate with what max_log_file and num_logs in auditd.conf allow locally, since the local file is only a buffer before shipping.

8. How does Falco differ from auditd for container runtime security?

auditd operates at the kernel syscall level and is host-scoped: it does not understand container boundaries. Falco consumes the same kernel events (via an eBPF probe or a kernel module) but adds container-aware rules: it knows which pod, namespace, and image triggered the syscall, enabling policies like 'alert if a shell spawns in the production namespace'.


9. How do you ensure audit log integrity against tampering by a compromised host?

Ship logs to a remote, append-only store in near real time (audisp-remote or Filebeat to a central SIEM, or syslog to a hardened log server), using a credential that can only write, so the host cannot read back or delete what it has sent. On the host, set space_left_action (for example exec to run an alert script, or email) so you hear about a filling disk before it fills, and put -e 2 at the end of the rules so the rule set is immutable until reboot. Remote copies survive local tampering; treat the local file as a buffer, not the record.

Remember: ship logs off-box immediately. If an attacker can modify the audit log on the same system they compromised, the log is worthless.

Example: forward to a WORM (Write Once Read Many) S3 bucket with Object Lock in compliance mode and a retention period set. Until the period expires no one, including the account's root user, can delete or overwrite a locked object version. Governance mode is weaker: principals with s3:BypassGovernanceRetention can remove the lock.

🔴 Hard (7)

1. How would you configure Kubernetes audit logging to capture all secret access and pod exec commands?

In the audit policy YAML (kind: Policy, apiVersion: audit.k8s.io/v1), add a rule with level: Metadata for resources: ["secrets"] in the core API group, and a rule with level: RequestResponse for resources: ["pods/exec", "pods/attach"]. Keep secrets at Metadata: Request or RequestResponse would write the secret contents into the audit log. For exec, the command is in the requestURI (...pods/NAME/exec?command=sh&container=...), so Metadata already captures who ran what; higher levels add little because the request is a connection upgrade rather than a JSON body. Pass the policy to the API server with --audit-policy-file and configure --audit-log-path (or a webhook backend) so the events have somewhere to go.
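The policy described above, written out as an added example (not from the deck). The secrets and pods/exec, pods/attach rules follow the card; the pods/portforward entry, the kube-proxy watch exclusion and the catch-all Metadata rule are my additions, and the file path in the note below is assumed:

```yaml
apiVersion: audit.k8s.io/v1
kind: Policy
# RequestReceived duplicates what ResponseComplete records; drop it globally.
omitStages:
  - "RequestReceived"
rules:
  # Secrets: metadata only. Request or RequestResponse would copy the secret's
  # data into the audit log and turn the log into a second secret store.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]
  # Interactive access to pods. The command is visible in requestURI at any
  # level; RequestResponse follows the card. portforward is an added extra.
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["pods/exec", "pods/attach", "pods/portforward"]
  # Added noise filter: kube-proxy watching endpoints/services is constant
  # and read-only. Order matters: the first matching rule wins.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  # Catch-all so no request goes unrecorded.
  - level: Metadata
```

Load it with --audit-policy-file=/etc/kubernetes/audit/policy.yaml (path assumed) and give the events a destination with --audit-log-path plus the --audit-log-maxage, --audit-log-maxbackup and --audit-log-maxsize rotation flags, or a --audit-webhook-config-file pointing at the collector. After a change, run a kubectl exec and confirm the entry shows objectRef.subresource "exec" and the command in requestURI.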

2. Why must audit logs be shipped off-host, and what are common methods?

An attacker with host access can delete or edit local logs to cover their tracks. Ship logs off-host via audisp-remote (real time, from the audit dispatcher) or by tailing audit.log with Filebeat/Fluentd into a central SIEM. Central copies are tamper-resistant as long as the shipping credential can only append and the log servers are administered separately from the hosts; they become tamper-evident when you add hash chaining or signed digests on top.


3. How do audit logging requirements differ between PCI DSS, HIPAA, and SOC 2?

PCI DSS (Requirement 10) requires logging all individual access to cardholder data, all actions by administrative accounts, access to the audit trail itself, failed access attempts, and the starting and stopping of logging. HIPAA (the audit-controls standard) requires mechanisms that record and examine activity in systems holding ePHI, in practice access to PHI and user logon activity. SOC 2 (the monitoring and change-management criteria) requires logging system changes, access events, and security incidents. All three expect centralized, tamper-evident retention.

Remember: SOC 2 = Service Organization Control 2. Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy. Mnemonic: 'SAPCP.'

4. What are the minimum log retention periods required by common compliance frameworks?

PCI DSS: 1 year minimum, with at least 3 months immediately available for analysis. HIPAA: 6 years is the documentation-retention requirement and is commonly applied to audit logs. SOC 2: typically 1 year, per organization policy. GDPR: no fixed period; retention must be justified and limited (storage limitation). FedRAMP: 90 days online, 1 year archived (check the current baseline, which has been revised). Design tiered storage: hot (30-90 days), warm (1 year), cold (long-term archive).

Gotcha: 90 days online is the common floor, not the requirement. PCI DSS requires a full year (3 months immediately available) and HIPAA is usually read as 6 years. Plan storage costs from the longest requirement that applies to you.

5. How do you ensure audit logs are immutable and tamper-proof?

Ship logs to append-only storage (S3 Object Lock, WORM-compliant storage) with a write-only credential. Use cryptographic chaining, where each log entry includes a hash of the previous entry, or periodically signed digests, so that edits and deletions are detectable, and anchor the latest hash somewhere the host cannot write. On the host, auditd's space_left_action=email and admin_space_left_action=halt do not make the log immutable; they make the system warn and then stop rather than run with gaps. Separate log-storage credentials and administration from system-admin credentials so one compromised role cannot both act and erase.

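An added example, not part of the deck, of the cryptographic chaining that the Medium 9 and Hard 5 cards describe: each entry carries the hash of the one before it, so editing or deleting an entry breaks every later link. The events are constructed in the deck's own who/what/when/where shape; the optional HMAC key stands for a secret held only by the log collector (an assumption about the deployment, not a requirement of the technique):

```python
import copy
import hashlib
import hmac
import json

# Constructed sample events (not from any real system).
SAMPLE_EVENTS = [
    {"ts": "2026-03-21T14:30:00Z", "user": "admin", "action": "delete",
     "resource": "pod/nginx", "namespace": "production", "source_ip": "10.0.0.5"},
    {"ts": "2026-03-21T14:30:07Z", "user": "deploy", "action": "create",
     "resource": "pod/nginx", "namespace": "production", "source_ip": "10.0.0.9"},
    {"ts": "2026-03-21T14:31:12Z", "user": "alice", "action": "exec",
     "resource": "pod/api-0", "namespace": "production", "source_ip": "10.0.0.7"},
]

GENESIS = "0" * 64  # "previous hash" of the very first entry


def canonical(event):
    """Deterministic serialisation: same event -> same bytes -> same hash."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash, event, key=None):
    """Hash of one entry, bound to the previous entry's hash.

    Without a key this is a plain SHA-256 chain: it catches corruption and
    edits by anyone who cannot rewrite the whole chain. With a key known only
    to the collector it becomes an HMAC chain that a compromised producer
    cannot recompute, because it never had the key.
    """
    data = prev_hash.encode() + b"\n" + canonical(event)
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_chain(events, key=None):
    chain, prev = [], GENESIS
    for ev in events:
        h = entry_hash(prev, ev, key)
        chain.append({"prev": prev, "event": ev, "hash": h})
        prev = h
    return chain


def verify_chain(chain, key=None, expected_head=None):
    """Return (ok, index of the first bad entry, or None).

    expected_head is the newest hash as recorded somewhere the host cannot
    write (the remote store, a signed digest). Without it, cutting entries
    off the tail of the chain is undetectable: the remaining links still fit.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry_hash(prev, entry["event"], key) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def demo():
    """Tamper with copies of the chain three ways and report what verification sees."""
    chain = build_chain(SAMPLE_EVENTS)
    head = chain[-1]["hash"]           # what the collector would have anchored

    edited = copy.deepcopy(chain)
    edited[1]["event"]["user"] = "nobody"   # rewrite who did it
    deleted = chain[:1] + chain[2:]         # drop the middle entry
    truncated = chain[:2]                   # drop the newest entry

    return {
        "intact": verify_chain(chain),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated_no_anchor": verify_chain(truncated),
        "truncated_with_anchor": verify_chain(truncated, expected_head=head),
    }
```

The truncation case is the one people miss: a chain on its own proves order and integrity of what is present, not that nothing was removed from the end, which is exactly what an attacker who stops logging and trims the tail would do. Anchoring the head hash off-box (or letting the collector compute the chain with its own key) closes that gap.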

6. How do you correlate Linux auditd events with Kubernetes audit log entries?

Kubernetes audit entries carry the user, verb, resource, namespace, pod name and stageTimestamp, plus the command in requestURI for exec; they do not carry host PIDs or the node name. auditd on the node records the corresponding syscalls with pid, ppid, auid and exe. Resolve the pod to its node (spec.nodeName, or the pod-creation audit entry), then search that node's auditd events in a short window after stageTimestamp for execve records spawned by the container runtime (parent containerd-shim or runc) whose argv matches the exec command; Falco makes this easier by tagging syscalls with the container ID and pod name. Shipping both sources to the same SIEM with the node name as a common field turns the question 'which syscalls did this kubectl exec trigger?' into a join on node and time window.

7. What audit rules detect privilege escalation attempts on a Linux host?

Audit the exit of the key syscalls, for both ABIs (repeat each -a rule with -F arch=b32). A logged-in user running something as root: -a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k privesc. auid is the login UID, which sudo and su do not change, so it still names the human; auid!=unset excludes daemons and cron, whose login UID was never set (the page's auid!=0 would not exclude them). The CIS variant -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation catches any identity change on exec, not only to root. Credential changes: -a always,exit -F arch=b64 -S setuid -S setgid -S setresuid -S setresgid -k setuid. Watches on the files that grant privilege: -w /etc/sudoers -p wa -k sudoers, -w /etc/sudoers.d -p wa -k sudoers, -w /etc/passwd -p wa -k identity, -w /etc/shadow -p wa -k identity, -w /etc/group -p wa -k identity. Tag every rule with -k so ausearch -k finds the hits, and keep the rules under /etc/audit/rules.d/ so they survive a reboot.
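An added example (not from the deck) that runs the Hard 7 detection logic and the Hard 6 correlation over constructed log lines: it parses raw audit.log records, flags user-to-root execs and writes to watched files, and joins a Kubernetes exec audit entry to the shell the container runtime started on the node. The audit records, the Kubernetes entries, the POD_NODES pod-to-node map and the 30-second window are all my assumptions; syscall 59 is execve on x86_64.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

UNSET_AUID = 4294967295   # auid of processes with no login session (daemons, cron)
WATCHED_PATHS = {"/etc/sudoers", "/etc/passwd", "/etc/shadow", "/etc/group"}

# Constructed raw audit.log records from one node (file format, not ausearch -i).
# Serial 2381: alice runs sudo. 2390: cron job as root. 2412: shell started by
# the container runtime for a kubectl exec. 2440: alice edits /etc/sudoers.
AUDITD_SAMPLE = {"worker-1": """\
type=SYSCALL msg=audit(1774103412.114:2381): arch=c000003e syscall=59 success=yes exit=0 ppid=4120 pid=4127 auid=1001 uid=1001 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=0 fsgid=0 tty=pts1 ses=7 comm="sudo" exe="/usr/bin/sudo" key="privesc"
type=EXECVE msg=audit(1774103412.114:2381): argc=2 a0="sudo" a1="-i"
type=SYSCALL msg=audit(1774103430.002:2390): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=4201 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/usr/bin/run-parts" key="exec"
type=SYSCALL msg=audit(1774103474.551:2412): arch=c000003e syscall=59 success=yes exit=0 ppid=3310 pid=4390 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/sh" key="exec"
type=EXECVE msg=audit(1774103474.551:2412): argc=1 a0="sh"
type=SYSCALL msg=audit(1774103499.300:2440): arch=c000003e syscall=257 success=yes exit=3 ppid=4127 pid=4128 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=7 comm="vi" exe="/usr/bin/vi" key="sudoers"
type=PATH msg=audit(1774103499.300:2440): item=0 name="/etc/sudoers" inode=1055 dev=fd:00 mode=0100440 ouid=0 ogid=0 nametype=NORMAL
"""}

# Constructed Kubernetes audit entries, one JSON object per line as in the real file.
K8S_AUDIT_SAMPLE = [
    '{"kind":"Event","auditID":"a1","level":"Metadata","stage":"ResponseStarted","verb":"create",'
    '"user":{"username":"alice"},"sourceIPs":["10.0.0.7"],'
    '"objectRef":{"resource":"pods","namespace":"production","name":"api-0","subresource":"exec"},'
    '"requestURI":"/api/v1/namespaces/production/pods/api-0/exec?command=sh&container=api&stdin=true&tty=true",'
    '"stageTimestamp":"2026-03-21T14:31:12.503Z"}',
    '{"kind":"Event","auditID":"b2","level":"Metadata","stage":"ResponseComplete","verb":"get",'
    '"user":{"username":"deploy"},"objectRef":{"resource":"secrets","namespace":"production","name":"db-creds"},'
    '"requestURI":"/api/v1/namespaces/production/secrets/db-creds","stageTimestamp":"2026-03-21T14:31:20.100Z"}',
]

# Assumed pod -> node map; in practice from the pod's spec.nodeName, because the
# exec audit entry itself names neither the node nor any PID.
POD_NODES = {("production", "api-0"): "worker-1"}

MSG_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    m = MSG_RE.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["type"] = m.group("type")
    rec["serial"] = int(m.group("serial"))
    rec["ts"] = datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc)
    return rec


def group_events(text):
    """Records sharing msg=audit(ts:serial) are one event; collect them by record type."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            ev = events.setdefault(rec["serial"], {"serial": rec["serial"], "ts": rec["ts"]})
            ev.setdefault(rec["type"], []).append(rec)
    return sorted(events.values(), key=lambda e: e["serial"])


def classify(event):
    """Hard 7 logic: a logged-in user executing as root, or a write to a watched file."""
    sc = event.get("SYSCALL", [None])[0]
    if sc is None:
        return None
    if any(p.get("name") in WATCHED_PATHS for p in event.get("PATH", [])):
        return "sensitive-write"     # -w PATH -p wa only fires on write/attr change
    auid, euid = int(sc["auid"]), int(sc["euid"])
    if sc["syscall"] == "59" and euid == 0 and auid != UNSET_AUID and auid >= 1000:
        return "user-to-root-exec"
    return None


def correlate_exec(k8s_lines, auditd_by_node, window=timedelta(seconds=30)):
    """Hard 6 logic: join a kubectl exec audit entry to the execve it caused on the node."""
    hits, seen = [], set()
    for line in k8s_lines:
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ref.get("subresource") != "exec" or ev["auditID"] in seen:
            continue
        seen.add(ev["auditID"])   # exec is long-running: several stages share one auditID
        node = POD_NODES.get((ref["namespace"], ref["name"]))
        cmd = parse_qs(urlsplit(ev["requestURI"]).query).get("command", [""])[0]
        t0 = datetime.fromisoformat(ev["stageTimestamp"].replace("Z", "+00:00"))
        for hev in group_events(auditd_by_node.get(node, "")):
            sc = hev.get("SYSCALL", [None])[0]
            argv0 = hev.get("EXECVE", [{}])[0].get("a0")
            if sc and sc["syscall"] == "59" and t0 <= hev["ts"] <= t0 + window and argv0 == cmd:
                hits.append({"user": ev["user"]["username"], "pod": ref["name"], "node": node,
                             "pid": int(sc["pid"]), "serial": hev["serial"], "argv0": argv0})
    return hits


def analyze(auditd_by_node=AUDITD_SAMPLE, k8s_lines=K8S_AUDIT_SAMPLE):
    findings = []
    for node, text in auditd_by_node.items():
        for ev in group_events(text):
            kind = classify(ev)
            if kind:
                sc = ev["SYSCALL"][0]
                findings.append({"node": node, "serial": ev["serial"], "kind": kind,
                                 "auid": int(sc["auid"]), "exe": sc["exe"]})
    return {"privesc": findings, "exec_correlation": correlate_exec(k8s_lines, auditd_by_node)}
```

Running analyze() flags serial 2381 (alice, auid 1001, exec with euid 0) and 2440 (a write to /etc/sudoers) while leaving the cron job alone because its auid is unset, and it ties alice's kubectl exec to PID 4390 on worker-1. The same filtering is what the -F auid!=unset clause does in the kernel; doing it again in the SIEM protects you when a host's rules drift.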