๐Ÿ” Setting Up Audit Logging: Simple Guide
Alpine Linux Audit Logging Security

๐Ÿ” Setting Up Audit Logging: Simple Guide

Published Jun 4, 2025

Easy tutorial for setting up comprehensive audit logging on Alpine Linux. Perfect for beginners with step-by-step instructions and security examples.


Ready to secure your system with professional logging? This is important! 🎉 We'll set up comprehensive audit logging on Alpine Linux. Track everything like a security expert! 😊

🤔 What is Audit Logging?

Audit logging records what happens on your system - who did what, when, and where. Think of it like security cameras for your computer!

Audit logging helps with:

  • 🕵️ Tracking user activities and system events
  • 🔐 Meeting security compliance requirements
  • 🚨 Detecting suspicious activities and intrusions

🎯 What You Need

Before we start, you need:

  • ✅ Alpine Linux system with root access
  • ✅ Understanding of basic security concepts
  • ✅ Knowledge of file permissions and users
  • ✅ Adequate disk space for log storage

📋 Step 1: Installing Audit Framework

Install auditd (Linux Audit Daemon)

Let's install the professional audit system! This is the foundation! 😊

What we're doing: Installing the Linux audit daemon and utilities.

# Update package repository
apk update

# Install audit daemon and tools
apk add audit audit-libs

# Install additional logging tools
apk add rsyslog logrotate

# Install analysis tools (GNU versions; Alpine's package for awk is called gawk)
apk add grep gawk sed

# Verify installation (auditctl -v prints the audit userspace version)
auditctl -v

What this does: 📖 Installs the complete audit logging infrastructure.

Example output:

auditctl version 3.0.9
✅ Audit framework installed successfully

What this means: Your system is ready for professional audit logging! ✅

Configure Audit Daemon

What we're doing: Setting up the basic audit daemon configuration.

# Create audit configuration
cat > /etc/audit/auditd.conf << 'EOF'
# Audit daemon configuration (audit 3.x: the separate audispd dispatcher and
# its dispatcher/disp_qos settings no longer exist)
log_file = /var/log/audit/audit.log
log_format = ENRICHED
log_group = adm
priority_boost = 4
flush = INCREMENTAL_ASYNC
freq = 50
num_logs = 5
name_format = HOSTNAME
max_log_file = 50
max_log_file_action = ROTATE
space_left = 25
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 10
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
# tcp_listen_port turns this host into a network audit collector that accepts
# records from other machines; leave it disabled unless that is intended.
# tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
EOF

# Set proper permissions
chmod 640 /etc/audit/auditd.conf
chown root:root /etc/audit/auditd.conf

# Create audit log directory (not world-readable: it holds security-relevant data)
mkdir -p /var/log/audit
chown root:adm /var/log/audit
chmod 750 /var/log/audit

# Enable and start audit service
rc-update add auditd default
rc-service auditd start

Code explanation:

  • log_file: Where audit logs are stored
  • max_log_file: Maximum size before rotation (50 MB)
  • space_left_action: What to do when disk space gets low
  • ENRICHED: Appends resolved names (user, group, syscall, architecture) to each record, so the logs stay readable when analysed on another host

Expected Output:

✅ Audit daemon configured
✅ Audit service started

What this means: Professional audit logging is now active! 🌟

💡 Important Tips

Tip: Monitor disk space regularly - audit logs can grow quickly! 💡

Warning: Never disable audit logging on production systems! ⚠️

🛠️ Step 2: Configuring Audit Rules

Set Up File System Monitoring

Time to configure what we want to monitor! This is powerful! 🎯

What we're doing: Creating audit rules to monitor critical files and directories.

# Create comprehensive audit rules
cat > /etc/audit/rules.d/audit.rules << 'EOF'
# Alpine Linux Audit Rules
# ========================

# Remove any existing rules
-D

# Set buffer size
-b 8192

# Set failure mode (0=silent, 1=printk, 2=panic)
-f 1

# Monitor critical system files
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d/ -p wa -k identity

# Monitor system configuration
-w /etc/hosts -p wa -k system-config
-w /etc/hostname -p wa -k system-config
-w /etc/timezone -p wa -k system-config
-w /etc/localtime -p wa -k system-config

# Monitor network configuration
-w /etc/network/ -p wa -k network-config
-w /etc/resolv.conf -p wa -k network-config

# Monitor security configurations
-w /etc/ssh/sshd_config -p wa -k ssh-config
-w /etc/ssl/ -p wa -k ssl-config
-w /etc/audit/ -p wa -k audit-config

# Monitor kernel modules
-w /etc/modprobe.conf -p wa -k modules
-w /etc/modprobe.d/ -p wa -k modules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules

# Monitor login/logout events
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins

# Monitor privilege escalation
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k privilege-escalation
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k privilege-escalation

# Monitor file permission changes
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k file-permissions
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k file-permissions

# Monitor file ownership changes
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k file-ownership
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k file-ownership

# Monitor socket creation (a0 is the address family: 2 = AF_INET, 10 = AF_INET6)
-a always,exit -F arch=b64 -S socket -F a0=10 -k network-ipv6
-a always,exit -F arch=b64 -S socket -F a0=2 -k network-ipv4
-a always,exit -F arch=b32 -S socket -F a0=10 -k network-ipv6
-a always,exit -F arch=b32 -S socket -F a0=2 -k network-ipv4

# Make rules immutable (comment out for testing)
# -e 2
EOF

# Load the audit rules
auditctl -R /etc/audit/rules.d/audit.rules

# Verify rules are loaded
auditctl -l

echo "Audit rules configured! ๐Ÿ”"

What this does: Monitors critical system activities and security events! 📚
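Two mistakes are easy to make in a rules file like the one above: a rule without a -k key (its events then carry no label for ausearch -k), and a 64-bit syscall rule whose arch=b32 twin was forgotten (32-bit binaries then go unlogged). The shell functions below are an added check, not code from the original tutorial; the sample rules are constructed for the example and deliberately contain one of each mistake. Run it against your own file with `lint_rules < /etc/audit/rules.d/audit.rules`.

```shell
#!/bin/sh
# Added example: lint an auditctl rules file before loading it.
# sample_rules is constructed for this example: one -w rule has no -k key and
# one arch=b64 rule has no arch=b32 twin.

sample_rules() {
cat <<'EOF'
# constructed sample rules
-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /etc/hosts -p wa
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k privilege-escalation
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k privilege-escalation
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k file-permissions
EOF
}

# Read rules on stdin, print one finding per line (sorted so output is stable).
lint_rules() {
    awk '
        /^[ \t]*(#|$)/ { next }                            # comments and blank lines
        /^-[wa] / && $0 !~ / -k / { print "missing-key: " $0 }
        /^-a / && / arch=b64 / { b64[$0] = 1 }
        /^-a / && / arch=b32 / {                           # rewrite as the b64 form it should pair with
            line = $0; sub(/arch=b32/, "arch=b64", line); b32[line] = 1
        }
        END { for (r in b64) if (!(r in b32)) print "no-b32-twin: " r }
    ' | sort
}

# List -w targets that do not exist on this host: a watch on a mistyped path
# loads without complaint and then fires for nothing.
missing_watch_paths() {
    awk '/^-w / { print $2 }' | while IFS= read -r path; do
        [ -e "$path" ] || echo "$path"
    done
}

# Usage with the constructed sample:
sample_rules | lint_rules
sample_rules | missing_watch_paths
```

The findings for the sample are the keyless `-w /etc/hosts -p wa` rule and the chmod rule that has no arch=b32 line; the two privilege-escalation rules pair up and produce nothing.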

Create User Activity Monitoring

What we're doing: Setting up detailed user activity tracking.

# Add user-specific audit rules
cat > /etc/audit/rules.d/user-activity.rules << 'EOF'
# User Activity Monitoring Rules
# ==============================

# Monitor user authentication
-w /var/log/auth.log -p wa -k user-auth
-w /var/log/secure -p wa -k user-auth

# Monitor sudo usage
-w /var/log/sudo.log -p wa -k sudo-usage
-a always,exit -F arch=b64 -F euid=0 -S execve -k root-commands
-a always,exit -F arch=b32 -F euid=0 -S execve -k root-commands

# Monitor user home directories (for sensitive files)
-w /home/ -p wa -k user-home

# Monitor temporary directories
-w /tmp/ -p wa -k temp-files
-w /var/tmp/ -p wa -k temp-files

# Monitor cron and scheduled tasks
-w /etc/crontab -p wa -k scheduled-tasks
-w /etc/cron.d/ -p wa -k scheduled-tasks
-w /var/spool/cron/ -p wa -k scheduled-tasks

# Monitor package management
-w /usr/bin/apk -p x -k package-management
-w /var/cache/apk/ -p wa -k package-management

# Monitor system services
-w /etc/init.d/ -p wa -k system-services
-w /etc/rc.conf -p wa -k system-services
EOF

# Load user activity rules
auditctl -R /etc/audit/rules.d/user-activity.rules

# Create monitoring script
cat > /usr/local/bin/audit-monitor.sh << 'EOF'
#!/bin/sh
# Audit Log Monitor

LOG_FILE="/var/log/audit/audit.log"
REPORT_FILE="/var/log/audit/daily-report.txt"

generate_daily_report() {
    echo "🔍 Daily Audit Report - $(date)" > "$REPORT_FILE"
    echo "=================================" >> "$REPORT_FILE"

    # Authentication events (ausearch -i interprets uids, syscalls and timestamps;
    # there is no separate auparse command, auparse is only a library)
    printf '\n📋 Authentication Events:\n' >> "$REPORT_FILE"
    ausearch -ts yesterday -k user-auth -i | grep -E "(user|login|auth)" | head -10 >> "$REPORT_FILE"

    # Privilege escalation
    printf '\n⚡ Privilege Escalation:\n' >> "$REPORT_FILE"
    ausearch -ts yesterday -k privilege-escalation -i | head -5 >> "$REPORT_FILE"

    # File modifications
    printf '\n📁 Critical File Changes:\n' >> "$REPORT_FILE"
    ausearch -ts yesterday -k identity -k system-config -i | head -10 >> "$REPORT_FILE"

    # Network activities
    printf '\n🌐 Network Activities:\n' >> "$REPORT_FILE"
    ausearch -ts yesterday -k network-ipv4 -i | head -5 >> "$REPORT_FILE"

    # Summary statistics (the raw log holds one record per line)
    printf '\n📊 Summary:\n' >> "$REPORT_FILE"
    echo "Total records: $(wc -l < "$LOG_FILE")" >> "$REPORT_FILE"
    echo "Report generated: $(date)" >> "$REPORT_FILE"
}

# Generate report
generate_daily_report

echo "Daily audit report generated: $REPORT_FILE"
EOF

chmod +x /usr/local/bin/audit-monitor.sh

echo "User activity monitoring configured! ๐Ÿ‘ฅ"

Expected Output:

Audit rules configured! ๐Ÿ”
User activity monitoring configured! ๐Ÿ‘ฅ

What this means: Your system now tracks all user activities! ๐ŸŽ‰

📊 Quick Summary Table

Monitor Type            Purpose                 Key Files
🔐 System Files         Track config changes    ✅ /etc/passwd, /etc/shadow
👥 User Activity        Monitor user actions    ✅ /home/, /tmp/
🌐 Network Events       Track connections       ✅ Socket system calls
⚡ Privilege Changes    Detect escalation       ✅ sudo, su commands

🎮 Step 3: Log Analysis and Alerting

Set Up Real-time Monitoring

Let's create intelligent monitoring that alerts you to threats! This is advanced! 🌟

What we're doing: Building real-time threat detection and alerting.

# Install bash: the detector below uses bash associative arrays, which Alpine's default busybox sh lacks
apk add bash

# Create threat detection script
cat > /usr/local/bin/audit-threat-detector.sh << 'EOF'
#!/bin/bash
# Real-time Audit Threat Detector

AUDIT_LOG="/var/log/audit/audit.log"
ALERT_LOG="/var/log/audit/alerts.log"
ALERT_EMAIL="admin@example.com"   # replace with your alert address

# Threat patterns, matched against raw audit.log records. They key on the -k
# labels set by the audit rules and on the res= field of USER_AUTH records,
# because a single raw line never carries both the syscall and the file name
# (those live in separate SYSCALL and PATH records of the same event).
declare -A THREATS=(
    ["failed_login"]='^type=USER_AUTH .*res=failed'
    ["privilege_escalation"]='^type=SYSCALL .*key="privilege-escalation"'
    ["identity_file_change"]='^type=SYSCALL .*key="identity"'
    ["audit_config_change"]='^type=SYSCALL .*key="audit-config"'
    ["suspicious_network"]='^type=SYSCALL .*key="network-ipv4"'
)

# Seconds ago -> HH:MM:SS for ausearch -ts. busybox date has no "1 hour ago",
# so the epoch is computed in the shell. A time-only value means "today", so
# a window that crosses midnight is not covered.
time_ago() {
    date -d "@$(( $(date +%s) - $1 ))" '+%H:%M:%S'
}

# Function to send alert
send_alert() {
    local threat_type="$1"
    local details="$2"
    local timestamp
    timestamp=$(date)

    # Log alert
    echo "[$timestamp] THREAT DETECTED: $threat_type - $details" >> "$ALERT_LOG"

    # Send email if configured
    if command -v mail >/dev/null && [ -n "$ALERT_EMAIL" ]; then
        echo "SECURITY ALERT: $threat_type detected at $timestamp. Details: $details" | \
            mail -s "Alpine Linux Security Alert" "$ALERT_EMAIL"
    fi

    # Console notification
    echo "🚨 THREAT DETECTED: $threat_type"
    echo "   Time: $timestamp"
    echo "   Details: $details"
}

# Function to analyze log entries (the last 100 records; a run every 5 minutes
# reports the same record again if the log is quiet)
analyze_threats() {
    tail -100 "$AUDIT_LOG" | while IFS= read -r line; do
        for threat_name in "${!THREATS[@]}"; do
            if echo "$line" | grep -qE "${THREATS[$threat_name]}"; then
                send_alert "$threat_name" "$line"
            fi
        done
    done
}

# Monitor for suspicious patterns
monitor_patterns() {
    echo "🔍 Starting threat pattern monitoring..."

    # Check for multiple failed logins in last hour (count records, not output lines)
    failed_logins=$(ausearch -ts "$(time_ago 3600)" -m USER_AUTH -sv no 2>/dev/null | grep -c '^type=USER_AUTH')
    if [ "$failed_logins" -gt 5 ]; then
        send_alert "multiple_failed_logins" "$failed_logins failed login attempts in last hour"
    fi

    # Check for off-hours activity ("recent" is ausearch's keyword for the last 10 minutes)
    current_hour=$(date +%H)
    if [ "$current_hour" -ge 22 ] || [ "$current_hour" -le 6 ]; then
        recent_activity=$(ausearch -ts recent 2>/dev/null | grep -c '^type=SYSCALL')
        if [ "$recent_activity" -gt 10 ]; then
            send_alert "off_hours_activity" "$recent_activity syscall events in the last 10 minutes during off hours"
        fi
    fi

    # Check for rapid privilege changes
    priv_changes=$(ausearch -ts "$(time_ago 300)" -k privilege-escalation 2>/dev/null | grep -c '^type=SYSCALL')
    if [ "$priv_changes" -gt 3 ]; then
        send_alert "rapid_privilege_changes" "$priv_changes privilege escalations in 5 minutes"
    fi
}

# Main execution
case "$1" in
    "analyze")
        analyze_threats
        ;;
    "monitor")
        monitor_patterns
        ;;
    "continuous")
        echo "🔄 Starting continuous monitoring..."
        while true; do
            monitor_patterns
            analyze_threats
            sleep 60
        done
        ;;
    *)
        echo "Usage: $0 {analyze|monitor|continuous}"
        echo "  analyze    - Analyze current log entries"
        echo "  monitor    - Check for threat patterns"
        echo "  continuous - Run continuous monitoring"
        ;;
esac
EOF

chmod +x /usr/local/bin/audit-threat-detector.sh

# Set up automated monitoring (append to the existing crontab instead of
# replacing it, and make sure the cron daemon is enabled and running)
(crontab -l 2>/dev/null; echo "*/5 * * * * /usr/local/bin/audit-threat-detector.sh monitor") | crontab -
rc-update add crond default
rc-service crond start

# Test threat detection
/usr/local/bin/audit-threat-detector.sh monitor

echo "Real-time threat detection configured! 🚨"

What this does: Creates intelligent threat detection with real-time alerts! 🚀
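The detector matches one raw line at a time, but an audit event is a group of records (SYSCALL, CWD, PATH, ...) that share one msg=audit(time:serial) identifier, so the file that was changed sits on a different line from the uid and key that changed it. The shell functions below, an added example that is not part of the original tutorial, show the two analyses a practitioner most often wants from a raw audit.log: failed logins per account (USER_AUTH records) and which watched file was touched by whom (each SYSCALL joined to its PATH records by serial). The records are constructed for this example; the serials, inode numbers, pids and paths are made up. Feed a real log with `watched_file_changes < /var/log/audit/audit.log`.

```shell
#!/bin/sh
# Added example: correlate raw audit.log records by event serial.
# sample_log is constructed: three failed logins for "alice", one success for
# "bob", an edit of /etc/sudoers caught by the identity rule, and an execve
# caught by the privilege-escalation rule. The field layout follows the raw
# (non-interpreted) auditd record format.

sample_log() {
cat <<'EOF'
type=USER_AUTH msg=audit(1717500000.100:201): pid=1201 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="alice" exe="/bin/login" hostname=? addr=? terminal=tty1 res=failed'
type=USER_AUTH msg=audit(1717500005.100:202): pid=1201 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="alice" exe="/bin/login" hostname=? addr=? terminal=tty1 res=failed'
type=USER_AUTH msg=audit(1717500010.100:203): pid=1201 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="alice" exe="/bin/login" hostname=? addr=? terminal=tty1 res=failed'
type=USER_AUTH msg=audit(1717500020.100:204): pid=1202 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="bob" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=SYSCALL msg=audit(1717500100.300:205): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="identity"
type=CWD msg=audit(1717500100.300:205): cwd="/root"
type=PATH msg=audit(1717500100.300:205): item=0 name="/etc/" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1717500100.300:205): item=1 name="/etc/sudoers" inode=1234 dev=08:01 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1717500200.300:206): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1400 pid=1401 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=0 fsgid=0 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="privilege-escalation"
type=PATH msg=audit(1717500200.300:206): item=0 name="/usr/bin/sudo" inode=5678 dev=08:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
EOF
}

# Failed logins per account from USER_AUTH records: prints "account count".
failed_logins_by_account() {
    awk '
        /^type=USER_AUTH / && /res=failed/ {
            if (match($0, /acct="[^"]*"/)) {
                acct = substr($0, RSTART + 6, RLENGTH - 7)   # strip acct=" and the closing quote
                n[acct]++
            }
        }
        END { for (a in n) print a, n[a] }
    ' | sort
}

# Accounts at or above a failed-login threshold (default 5), one per line.
flag_failed_logins() {
    failed_logins_by_account | awk -v t="${1:-5}" '$2 >= t { print $1 }'
}

# Join each SYSCALL record to the PATH records of the same serial and print
# "serial key auid comm path" for every real (nametype=NORMAL) path touched.
# A SYSCALL record always precedes its PATH records, so one pass is enough.
watched_file_changes() {
    awk '
        function field(name) {                       # value of name=value in the current record
            if (match($0, name "=[^ ]*")) {
                v = substr($0, RSTART + length(name) + 1, RLENGTH - length(name) - 1)
                gsub(/"/, "", v)
                return v
            }
            return ""
        }
        function serial() {                          # the NNN in msg=audit(sec.ms:NNN)
            if (match($0, /:[0-9]+\)/)) return substr($0, RSTART + 1, RLENGTH - 2)
            return ""
        }
        /^type=SYSCALL / { s = serial(); key[s] = field("key"); auid[s] = field("auid"); comm[s] = field("comm") }
        /^type=PATH / && /nametype=NORMAL/ {
            s = serial()
            if (s in key) print s, key[s], auid[s], comm[s], field("name")
        }
    '
}

# Usage with the constructed sample:
sample_log | flag_failed_logins 3
sample_log | watched_file_changes
```

On the sample this reports alice (three failures) and two file events: serial 205, key identity, auid 1000 running vi on /etc/sudoers, and serial 206, key privilege-escalation, auid 1000 executing /usr/bin/sudo. The auid is the login uid, which survives su and sudo, so it is the field to report when attributing a change to a person.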

Create Compliance Reports

What we're doing: Building comprehensive compliance and audit reports.

# Create compliance reporting script
cat > /usr/local/bin/audit-compliance-report.sh << 'EOF'
#!/bin/bash
# Audit Compliance Report Generator

REPORT_DIR="/var/log/audit/reports"
DATE=$(date +%Y%m%d)
REPORT_FILE="$REPORT_DIR/compliance-report-$DATE.html"

# Create report directory (root only: the report summarises security data)
mkdir -p "$REPORT_DIR"
chmod 700 "$REPORT_DIR"

# Count yesterday's SYSCALL records matching the given ausearch filters.
# When nothing matches, ausearch prints nothing and grep -c prints 0, so no
# "|| echo 0" fallback is needed (it would yield "0 0" and break the tests below).
count_events() {
    ausearch -ts yesterday "$@" 2>/dev/null | grep -c '^type=SYSCALL'
}

# Generate HTML compliance report. The heredoc delimiter is unquoted so that
# $(date) and $(hostname) expand; the CSS contains no $ or backticks.
cat > "$REPORT_FILE" << HTML_EOF
<!DOCTYPE html>
<html>
<head>
    <title>Alpine Linux Audit Compliance Report</title>
    <style>
        body { font-family: Arial, sans-serif; margin: 20px; }
        .header { background: #2c3e50; color: white; padding: 20px; border-radius: 5px; }
        .section { margin: 20px 0; padding: 15px; border: 1px solid #ddd; border-radius: 5px; }
        .pass { background: #d5f4e6; }
        .warning { background: #fff3cd; }
        .fail { background: #f8d7da; }
        table { width: 100%; border-collapse: collapse; margin: 10px 0; }
        th, td { border: 1px solid #ddd; padding: 8px; text-align: left; }
        th { background: #f2f2f2; }
        .metric { display: inline-block; margin: 10px; padding: 15px; border-radius: 5px; background: #e9ecef; }
    </style>
</head>
<body>
    <div class="header">
        <h1>🔐 Audit Compliance Report</h1>
        <p>Generated on: $(date)</p>
        <p>System: $(hostname)</p>
    </div>
HTML_EOF

# Add audit configuration status
cat >> "$REPORT_FILE" << HTML_EOF
    <div class="section pass">
        <h2>📋 Audit Configuration Status</h2>
        <div class="metric">
            <strong>Audit Service:</strong> $(rc-service auditd status 2>&1 | grep -oE "started|stopped|crashed")
        </div>
        <div class="metric">
            <strong>Active Rules:</strong> $(auditctl -l | wc -l)
        </div>
        <div class="metric">
            <strong>Log File Size:</strong> $(du -sh /var/log/audit/audit.log 2>/dev/null | cut -f1)
        </div>
    </div>
HTML_EOF

# Add authentication events summary (integer success rate in shell arithmetic;
# bc is not installed on Alpine by default)
auth_events=$(ausearch -ts yesterday -m USER_AUTH 2>/dev/null | grep -c '^type=USER_AUTH')
failed_auths=$(ausearch -ts yesterday -m USER_AUTH -sv no 2>/dev/null | grep -c 'res=failed')
success_rate=$(( auth_events > 0 ? (auth_events - failed_auths) * 100 / auth_events : 0 ))

cat >> "$REPORT_FILE" << HTML_EOF
    <div class="section $([ "$failed_auths" -gt 10 ] && echo "warning" || echo "pass")">
        <h2>🔐 Authentication Summary</h2>
        <table>
            <tr><th>Metric</th><th>Count</th><th>Status</th></tr>
            <tr><td>Total Authentication Events</td><td>$auth_events</td><td>$([ "$auth_events" -gt 0 ] && echo "✅ Active" || echo "⚠️ Low")</td></tr>
            <tr><td>Failed Authentication Attempts</td><td>$failed_auths</td><td>$([ "$failed_auths" -gt 10 ] && echo "⚠️ High" || echo "✅ Normal")</td></tr>
            <tr><td>Success Rate</td><td>${success_rate}%</td><td>$([ "$failed_auths" -lt 5 ] && echo "✅ Good" || echo "⚠️ Review")</td></tr>
        </table>
    </div>
HTML_EOF

# Add file access monitoring (one key per count; totals are summed in the shell)
identity_changes=$(count_events -k identity)
config_changes=$(count_events -k system-config)
network_changes=$(count_events -k network-config)
file_changes=$(( identity_changes + config_changes ))

cat >> "$REPORT_FILE" << HTML_EOF
    <div class="section $([ "$file_changes" -gt 50 ] && echo "warning" || echo "pass")">
        <h2>📁 File Access Monitoring</h2>
        <table>
            <tr><th>Category</th><th>Events</th><th>Assessment</th></tr>
            <tr><td>Critical File Changes</td><td>$identity_changes</td><td>$([ "$file_changes" -lt 10 ] && echo "✅ Stable" || echo "⚠️ Active")</td></tr>
            <tr><td>Configuration Changes</td><td>$config_changes</td><td>✅ Monitored</td></tr>
            <tr><td>Network Config Changes</td><td>$network_changes</td><td>✅ Tracked</td></tr>
        </table>
    </div>
HTML_EOF

# Add privilege escalation monitoring
priv_events=$(count_events -k privilege-escalation)
root_commands=$(count_events -k root-commands)
sudo_usage=$(count_events -k sudo-usage)

cat >> "$REPORT_FILE" << HTML_EOF
    <div class="section $([ "$priv_events" -gt 20 ] && echo "warning" || echo "pass")">
        <h2>⚡ Privilege Escalation Monitoring</h2>
        <table>
            <tr><th>Activity</th><th>Count</th><th>Risk Level</th></tr>
            <tr><td>Privilege Escalations</td><td>$priv_events</td><td>$([ "$priv_events" -gt 20 ] && echo "⚠️ High" || echo "✅ Normal")</td></tr>
            <tr><td>Root Commands</td><td>$root_commands</td><td>✅ Monitored</td></tr>
            <tr><td>Sudo Usage</td><td>$sudo_usage</td><td>✅ Tracked</td></tr>
        </table>
    </div>
HTML_EOF

# Add compliance recommendations (static text, so the delimiter stays quoted)
cat >> "$REPORT_FILE" << 'HTML_EOF'
    <div class="section">
        <h2>📊 Compliance Recommendations</h2>
        <ul>
            <li>✅ Audit logging is active and comprehensive</li>
            <li>✅ Critical system files are monitored</li>
            <li>✅ User authentication events are tracked</li>
            <li>✅ Privilege escalation monitoring is enabled</li>
            <li>⚠️ Consider implementing log centralization</li>
            <li>⚠️ Review retention policies for compliance requirements</li>
        </ul>
    </div>

    <div class="section">
        <h2>🔧 Next Steps</h2>
        <ol>
            <li>Review failed authentication patterns</li>
            <li>Implement automated response procedures</li>
            <li>Set up centralized log management</li>
            <li>Configure additional compliance rules as needed</li>
        </ol>
    </div>
</body>
</html>
HTML_EOF

echo "📊 Compliance report generated: $REPORT_FILE"
EOF

chmod +x /usr/local/bin/audit-compliance-report.sh

# Set up weekly report generation (done here, outside the script, so that each
# run of the report does not append yet another cron entry)
(crontab -l 2>/dev/null; echo "0 8 * * 1 /usr/local/bin/audit-compliance-report.sh") | crontab -

# Generate initial report
/usr/local/bin/audit-compliance-report.sh

echo "Compliance reporting configured! 📋"

Expected Output:

Real-time threat detection configured! 🚨
📊 Compliance report generated: /var/log/audit/reports/compliance-report-20250604.html
Compliance reporting configured! 📋

What this means: You have enterprise-grade audit logging with compliance reporting! 🎉

🎮 Practice Time!

Let's practice what you learned! Try these examples:

Example 1: Simulate Security Events 🟢

What we're doing: Testing the audit system with simulated security events.

# Test user authentication monitoring
echo "🧪 Testing authentication monitoring..."
su - nonexistent-user 2>/dev/null || echo "Expected failure"

# Test file modification monitoring: the identity rule watches /etc/passwd for
# writes and attribute changes (-p wa), and touch changes only its timestamp
echo "🧪 Testing file monitoring..."
touch /etc/passwd

# Test privilege escalation monitoring
echo "🧪 Testing privilege monitoring..."
sudo echo "Testing sudo access"

# Check audit logs for our test events
echo "📋 Checking audit logs..."
ausearch -ts recent -k identity | tail -5
ausearch -ts recent -k privilege-escalation | tail -3

# Run threat detection
/usr/local/bin/audit-threat-detector.sh analyze

echo "Security event simulation completed! ✅"

What this does: Verifies your audit system captures security events! 🌟

Example 2: Create Custom Audit Rules 🟡

What we're doing: Adding custom monitoring for specific applications.

# Create custom application monitoring
cat > /etc/audit/rules.d/custom-apps.rules << 'EOF'
# Custom Application Monitoring
# =============================

# Monitor web server access
-w /var/log/nginx/ -p wa -k web-server
-w /etc/nginx/ -p wa -k web-server-config

# Monitor database access
-w /var/lib/mysql/ -p wa -k database
-w /etc/mysql/ -p wa -k database-config

# Monitor application logs
-w /var/log/app/ -p wa -k application-logs

# Monitor custom scripts
-w /usr/local/bin/ -p wa -k custom-scripts
-w /opt/ -p wa -k optional-software

# Monitor docker if installed
-w /var/lib/docker/ -p wa -k docker
-w /etc/docker/ -p wa -k docker-config
EOF

# Load custom rules
auditctl -R /etc/audit/rules.d/custom-apps.rules

# Create custom monitoring script
cat > /usr/local/bin/custom-audit-monitor.sh << 'EOF'
#!/bin/sh
# Custom Application Audit Monitor

echo "🔍 Custom Application Audit Report"
echo "=================================="

# Web server monitoring (ausearch -i interprets the records; there is no separate auparse command)
echo "🌐 Web Server Activity:"
ausearch -ts today -k web-server -i | head -5

# Database monitoring
printf '\n💾 Database Activity:\n'
ausearch -ts today -k database -i | head -5

# Application monitoring
printf '\n📱 Application Activity:\n'
ausearch -ts today -k application-logs -i | head -5

# Custom scripts monitoring
printf '\n🔧 Custom Scripts Activity:\n'
ausearch -ts today -k custom-scripts -i | head -5

printf '\n✅ Custom monitoring report completed\n'
EOF

chmod +x /usr/local/bin/custom-audit-monitor.sh

# Test custom monitoring
/usr/local/bin/custom-audit-monitor.sh

echo "Custom audit rules configured! 📚"

What this does: Provides application-specific security monitoring! 📚

🚨 Fix Common Problems

Problem 1: Audit logs filling disk ❌

What happened: Audit logs consuming too much disk space. How to fix it: Configure log rotation and cleanup!

# auditd rotates its own log: max_log_file (in MB) and num_logs in auditd.conf
# control it. Pointing logrotate at audit.log as well renames files underneath
# the daemon, so tune auditd instead of adding a logrotate rule.
sed -i 's/^max_log_file = .*/max_log_file = 20/' /etc/audit/auditd.conf
sed -i 's/^num_logs = .*/num_logs = 10/' /etc/audit/auditd.conf
sed -i 's/^max_log_file_action = .*/max_log_file_action = ROTATE/' /etc/audit/auditd.conf
rc-service auditd restart

# Force a rotation now to test it (SIGUSR1 asks auditd to rotate; SIGHUP only re-reads the config)
kill -USR1 "$(cat /var/run/auditd.pid)"
ls -la /var/log/audit/

# Clean old rotated logs manually if needed
find /var/log/audit -name "audit.log.*" -mtime +30 -delete

Problem 2: Too many audit events ❌

What happened: System performance impacted by excessive logging. How to fix it: Optimize audit rules!

# Check audit status: the lost and backlog counters show whether the kernel is dropping events
auditctl -s

# Remove unnecessary rules
auditctl -D

# Add only essential rules
cat > /etc/audit/rules.d/essential.rules << 'EOF'
# Essential audit rules only
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
-a always,exit -F arch=b64 -F euid=0 -S execve -k root-commands
EOF

# Reload essential rules
auditctl -R /etc/audit/rules.d/essential.rules
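Before cutting rules back to the essential set, it helps to know which rules are actually producing the volume; the -k key on every SYSCALL record makes that a one-line count. The functions below are an added example, not code from the original tutorial: `events_per_key` tallies SYSCALL records per key, and `noisy_keys` lists the keys whose share of all records is at or above a percentage, which are the candidates for tightening with extra -F filters (for example a uid range) or for removal. The records are constructed for the example; on a real system run `events_per_key < /var/log/audit/audit.log`.

```shell
#!/bin/sh
# Added example: find which audit rules generate the most events.
# sample_records is constructed: a handful of raw SYSCALL records carrying
# the -k keys used in this tutorial, plus one PATH record that must be ignored.

sample_records() {
cat <<'EOF'
type=SYSCALL msg=audit(1717500300.100:301): arch=c000003e syscall=257 success=yes exit=4 items=2 pid=1501 auid=1000 uid=1000 comm="sh" key="temp-files"
type=SYSCALL msg=audit(1717500300.200:302): arch=c000003e syscall=257 success=yes exit=4 items=2 pid=1502 auid=1000 uid=1000 comm="sh" key="temp-files"
type=PATH msg=audit(1717500300.200:302): item=1 name="/tmp/x" inode=1 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1717500300.300:303): arch=c000003e syscall=257 success=yes exit=4 items=2 pid=1503 auid=1000 uid=1000 comm="sh" key="temp-files"
type=SYSCALL msg=audit(1717500301.100:304): arch=c000003e syscall=59 success=yes exit=0 items=2 pid=1504 auid=1000 uid=0 comm="sudo" key="root-commands"
type=SYSCALL msg=audit(1717500302.100:305): arch=c000003e syscall=257 success=yes exit=3 items=2 pid=1505 auid=1000 uid=0 comm="vi" key="identity"
type=SYSCALL msg=audit(1717500303.100:306): arch=c000003e syscall=59 success=yes exit=0 items=2 pid=1506 auid=1000 uid=0 comm="apk" key="root-commands"
EOF
}

# Count SYSCALL records per key, busiest first: prints "key count".
events_per_key() {
    awk '
        /^type=SYSCALL / && match($0, /key="[^"]*"/) {
            n[substr($0, RSTART + 5, RLENGTH - 6)]++     # strip key=" and the closing quote
        }
        END { for (k in n) print k, n[k] }
    ' | sort -k2,2nr -k1,1
}

# Keys whose share of all SYSCALL records is at or above a percentage (default 40).
noisy_keys() {
    events_per_key | awk -v pct="${1:-40}" '
        { key[NR] = $1; cnt[NR] = $2; total += $2 }
        END { for (i = 1; i <= NR; i++) if (cnt[i] * 100 >= pct * total) print key[i] }
    '
}

# Usage with the constructed sample:
sample_records | events_per_key
sample_records | noisy_keys
```

On the sample, temp-files accounts for three of six records and is the only key at or above the 40% default, which matches experience: a -w watch on /tmp/ is usually the first rule to go, or to be narrowed with a -F auid filter.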

Problem 3: Audit service not starting ❌

What happened: auditd fails to start or crashes. How to fix it: Check configuration and permissions!

# Check audit service status
rc-service auditd status

# Check the configuration: auditd has no syntax-check flag, but running it in the
# foreground prints any auditd.conf errors to the terminal (Ctrl-C to stop it)
rc-service auditd stop
auditd -f

# Check log file permissions
ls -la /var/log/audit/

# Fix permissions if needed
chown root:adm /var/log/audit/audit.log
chmod 640 /var/log/audit/audit.log

# Restart service
rc-service auditd restart

Don't worry! Audit logging requires fine-tuning. You're doing great! 💪

💡 Simple Tips

  1. Start with basics 📅 - Monitor critical files first
  2. Monitor disk space 🌱 - Audit logs grow quickly
  3. Test rules regularly 🤝 - Verify monitoring works
  4. Automate analysis 💪 - Use scripts for reporting

✅ Check Everything Works

Let's verify audit logging is fully functional:

# Complete audit system verification
echo "🔐 Audit Logging System Verification"
echo "===================================="

# Check 1: Audit service status
echo "1. Checking audit service..."
rc-service auditd status

# Check 2: Audit rules
echo "2. Checking audit rules..."
auditctl -l | wc -l

# Check 3: Log file status
echo "3. Checking log files..."
ls -la /var/log/audit/

# Check 4: Recent events
echo "4. Checking recent events..."
ausearch -ts recent | tail -5

# Check 5: Threat detection
echo "5. Testing threat detection..."
/usr/local/bin/audit-threat-detector.sh monitor

# Check 6: Compliance report
echo "6. Generating compliance report..."
/usr/local/bin/audit-compliance-report.sh

echo "Audit logging verification completed! โœ…"

Good output:

1. Checking audit service... ✅ auditd [started]
2. Checking audit rules... ✅ 25 rules loaded
3. Checking log files... ✅ audit.log present
4. Checking recent events... ✅ Events captured
5. Testing threat detection... ✅ Monitoring active
6. Generating compliance report... ✅ Report generated
Audit logging verification completed! ✅

๐Ÿ† What You Learned

Great job! Now you can:

  • โœ… Install and configure the Linux audit daemon on Alpine Linux
  • โœ… Set up comprehensive monitoring rules for security events
  • โœ… Create real-time threat detection and alerting systems
  • โœ… Generate professional compliance and audit reports!

๐ŸŽฏ Whatโ€™s Next?

Now you can try:

  • ๐Ÿ“š Learning about SIEM integration and log centralization
  • ๐Ÿ› ๏ธ Setting up advanced threat hunting with machine learning
  • ๐Ÿค Implementing automated incident response procedures
  • ๐ŸŒŸ Building compliance frameworks for specific regulations!

Remember: Every security expert was once a beginner. Youโ€™re doing amazing! ๐ŸŽ‰

Keep practicing and youโ€™ll become a security master too! ๐Ÿ’ซ