Quiz: Audit Logging¶
2 questions
L1 (1 question)¶
1. What is auditd and when do you use it?
Show answer
auditd is the Linux audit framework. Use it to track file access, syscalls, user logins, and privilege escalation. Key commands: auditctl -w /etc/passwd -p wa (watch for writes/attribute changes), ausearch -k (search recorded events by the rule key set with -k)
L2 (1 question)¶
1. How do you detect if someone modified system logs to cover their tracks?
Show answer
1. Ship logs to a remote syslog/SIEM in real time (an attacker on the host can't modify the remote copies).
2. Use append-only log storage (e.g. chattr +a on the log file, or a write-once collector).
3. Compare local logs against the remote copy and look for records that only exist remotely.
4. Check file timestamps with stat (ctime cannot be backdated with touch) and look for gaps in sequence numbers, since auditd numbers events consecutively within a boot.
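The following is an added example, not part of the original quiz, that ties the two answers together: it parses auditd records hitting an auditctl -k key (the reduced form of what ausearch -k shows) and then applies the tamper checks from the second answer, detecting serial-number gaps and diffing a local audit.log against the copy a remote collector received. The log lines, the rule keys passwd-watch and auditlog-watch, and the "remote" and "local" copies are all constructed for the example.

```python
import re

# Constructed sample of auditd records (not captured from a real system). The
# watch rules assumed for these records are:
#   auditctl -w /etc/passwd -p wa -k passwd-watch
#   auditctl -w /var/log/audit/audit.log -p wa -k auditlog-watch
# REMOTE_LOG is what the syslog/SIEM collector received in real time.
REMOTE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4001): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=901 auid=1000 uid=0 gid=0 euid=0 tty=pts0 comm="vim" exe="/usr/bin/vim" key="passwd-watch"
type=PATH msg=audit(1700000000.101:4001): item=0 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=USER_LOGIN msg=audit(1700000000.250:4002): pid=950 uid=0 auid=1001 ses=7 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/1 res=success'
type=SYSCALL msg=audit(1700000000.300:4003): arch=c000003e syscall=257 success=yes exit=3 ppid=960 pid=961 auid=1001 uid=0 gid=0 euid=0 tty=pts1 comm="truncate" exe="/usr/bin/truncate" key="auditlog-watch"
type=PATH msg=audit(1700000000.300:4003): item=0 name="/var/log/audit/audit.log" inode=5678 dev=fd:00 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.350:4004): arch=c000003e syscall=90 success=yes exit=0 ppid=960 pid=963 auid=1001 uid=0 gid=0 euid=0 tty=pts1 comm="chmod" exe="/usr/bin/chmod" key="auditlog-watch"
type=PATH msg=audit(1700000000.350:4004): item=0 name="/var/log/audit/audit.log" inode=5678 dev=fd:00 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.400:4005): arch=c000003e syscall=257 success=yes exit=4 ppid=960 pid=962 auid=1001 uid=0 gid=0 euid=0 tty=pts1 comm="sed" exe="/usr/bin/sed" key="passwd-watch"
"""

# LOCAL_LOG models the on-host file after the intruder (auid=1001) deleted the
# two events that record them tampering with audit.log (serials 4003 and 4004).
LOCAL_LOG = "\n".join(
    line for line in REMOTE_LOG.splitlines()
    if not (":4003)" in line or ":4004)" in line)
)

# key=value pairs; values may be double-quoted, single-quoted (msg='...') or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')
# Every record carries msg=audit(<epoch.ms>:<serial>); the serial is per boot.
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Split one audit record into a dict, adding ts and serial as numbers."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip("\"'") for k, v in FIELD_RE.findall(line)}
    rec["ts"] = float(m.group(1))
    rec["serial"] = int(m.group(2))
    return rec


def key_hits(log_text, key):
    """SYSCALL events that fired the given auditctl -k key, as (serial, auid, exe).
    auid is the login uid, which survives su/sudo, so it names the human actor."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "SYSCALL" and rec.get("key") == key:
            hits.append((rec["serial"], int(rec["auid"]), rec["exe"]))
    return hits


def serials(log_text):
    """Sorted, de-duplicated event serials present in the log text."""
    return sorted({r["serial"] for r in map(parse_record, log_text.splitlines()) if r})


def serial_gaps(log_text):
    """Serials missing between the lowest and highest seen. auditd numbers events
    consecutively within a boot, so a hole means records were removed or lost."""
    seen = serials(log_text)
    if not seen:
        return []
    present = set(seen)
    return [s for s in range(seen[0], seen[-1] + 1) if s not in present]


def missing_from_local(local_text, remote_text):
    """Serials the remote collector received that the local file no longer has."""
    return sorted(set(serials(remote_text)) - set(serials(local_text)))


if __name__ == "__main__":
    for key in ("passwd-watch", "auditlog-watch"):
        print(key, "local:", key_hits(LOCAL_LOG, key), "remote:", key_hits(REMOTE_LOG, key))
    print("gaps in local serials:", serial_gaps(LOCAL_LOG))
    print("present remotely, missing locally:", missing_from_local(LOCAL_LOG, REMOTE_LOG))
```

Two caveats when running this against real data: serials restart at every boot, so run the gap check per boot (or key on the boot's first timestamp), and a gap only proves records are absent, not who removed them; the remote diff is what recovers the deleted events themselves, which is why step 1 of the answer matters most.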