Master Linux Intrusion Detection & Incident Response: A Practical Hands‑On Guide

Overview

Production environments cannot rely solely on perimeter firewalls. Once an attacker bypasses the outer defense, lateral movement, privilege escalation, and backdoor installation can occur on the host. Host‑level detection is required to discover these activities before business impact.

Network layer (NIDS) – traffic analysis (e.g., Suricata, Snort). Effective for known signatures but blind to encrypted traffic.

Host layer (HIDS) – runs on the endpoint, monitors file changes, process behavior, and user actions. The last line of defense.

Application layer – WAF, RASP – focuses on web‑application attacks.

Core capabilities of host‑based intrusion detection include file‑integrity checking, rootkit scanning, log auditing, process monitoring, and network‑connection anomaly detection.

Common attack vectors: SSH brute‑force, web vulnerabilities (RCE, file upload, deserialization), kernel exploits or SUID privilege escalation, cron/systemd persistence, and cryptomining malware.

HIDS Tool Comparison

AIDE – File integrity: strong; Rootkit detection: none; Real‑time monitoring: no (periodic); Central management: none; Deployment complexity: low.

Tripwire – File integrity: strong; Rootkit detection: none; Real‑time monitoring: no; Central management: commercial support; Deployment complexity: medium.

OSSEC – File integrity: medium; Rootkit detection: yes; Real‑time monitoring: yes; Central management: client‑server architecture; Deployment complexity: medium.

Wazuh – File integrity: strong; Rootkit detection: yes; Real‑time monitoring: yes; Central management: ELK integration; Deployment complexity: high.

rkhunter – File integrity: none; Rootkit detection: strong; Real‑time monitoring: no; Central management: none; Deployment complexity: low.

In practice a single tool cannot cover all scenarios. A recommended combination is AIDE for baseline file integrity, rkhunter for periodic rootkit scans, auditd for kernel‑level audit, and ClamAV for malware detection.

Technical Features of Selected Tools

AIDE – Database‑based integrity checking, multiple hash algorithms, low resource usage.

rkhunter – Focuses on rootkit, backdoor, and local vulnerability detection; maintains a signature database.

auditd – Userspace daemon for the Linux kernel audit subsystem; records system‑call level events; satisfies compliance requirements such as PCI‑DSS.

ClamAV – Open‑source antivirus engine, community‑maintained signatures; supports command‑line scanning and daemon mode.

Applicable Scenarios

Compliance audits (e.g., Level‑2+ security standards) – auditd + AIDE meet technical checkpoints.

Security baseline verification before new server deployment.

Incident response – systematic investigation and toolchain.

Routine security patrol – automated scans to detect configuration drift and anomalies.

Environment Requirements

Operating System – Ubuntu 22.04 LTS or CentOS 8+ (Ubuntu 22.04 recommended).

AIDE – version 0.18.x (distribution package).

rkhunter – version 1.4.x (update signature database after installation).

auditd – version 3.x (kernel 4.x+ required for full audit features).

ClamAV – version 1.x (keep virus database up‑to‑date with freshclam).

Disk space – ≥10 GB for audit logs; configure log rotation to avoid exhaustion.

Detailed Steps

File Integrity Checking (AIDE)

Installation and Initialization

# Ubuntu/Debian
sudo apt update && sudo apt install -y aide

# CentOS/RHEL
sudo dnf install -y aide

AIDE Configuration File

# /etc/aide/aide.conf – main configuration
# Database locations
database_in=file:/var/lib/aide/aide.db          # read‑only baseline
database_out=file:/var/lib/aide/aide.db.new      # new database after scan
database_new=file:/var/lib/aide/aide.db.new      # written by --update

# Log output
report_url=file:/var/log/aide/aide.log
report_url=stdout

# Rule groups (example)
BINLIB = p+i+n+u+g+s+b+m+c+sha256+sha512
CONFFILE = p+i+n+u+g+s+sha256
LOGFILE = p+u+g
DATAONLY = p+u+g+sha256

# Monitored directories
/bin        BINLIB
/sbin       BINLIB
/usr/bin    BINLIB
/usr/sbin   BINLIB
/usr/lib    BINLIB
/etc        CONFFILE
/boot       BINLIB
/lib/modules BINLIB

# Exclusions to reduce false positives
!/var/log
!/var/spool
!/var/cache
!/var/tmp
!/tmp
!/run
!/proc
!/sys
!/dev
!/var/lib/dpkg
!/var/lib/apt
!/var/lib/rpm

Baseline Generation and Secure Storage

# Initialize baseline (first run, time depends on monitored directories)
sudo aide --init

# Promote the new database to the active baseline
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

# Store the baseline on read‑only media or a remote server
sudo cp /var/lib/aide/aide.db /mnt/readonly-backup/aide.db.$(date +%Y%m%d)

Periodic Checks and Baseline Updates

# Run integrity check against the baseline
sudo aide --check

# Interpretation of output (f=file, d=directory, l=symlink)
# added – new file, removed – missing file, changed – attribute change

# After legitimate changes (e.g., patches) update the baseline
sudo aide --update
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Schedule daily checks via cron:

# /etc/cron.d/aide-check
0 3 * * * root /usr/bin/aide --check | mail -s "AIDE Report $(hostname) $(date +%F)" [email protected]

Rootkit Detection (rkhunter + chkrootkit)

rkhunter Installation and Configuration

# Install
sudo apt install -y rkhunter

# Update signatures and file properties immediately after install
sudo rkhunter --update
sudo rkhunter --propupd

# Key configuration in /etc/rkhunter.conf
UPDATE_MIRRORS=1
MIRRORS_MODE=0
WEB_CMD=""
[email protected]
MAIL_CMD="mail -s \"[rkhunter] {subject}\" {recipient}"
ALLOW_SSH_ROOT_USER=no
ALLOW_SSH_PROT_V1=0
SCRIPTWHITELIST=/usr/bin/egrep
SCRIPTWHITELIST=/usr/bin/fgrep
SCRIPTWHITELIST=/usr/bin/which
SCRIPTWHITELIST=/usr/bin/ldd
ALLOWHIDDENDIR=/etc/.java
ALLOWHIDDENDIR=/dev/.udev
ALLOWDEVFILE=/dev/shm/pulse-shm-*
ALLOWDEVFILE=/dev/shm/PostgreSQL.*
PKGMGR=DPKG   # Debian/Ubuntu uses DPKG, CentOS uses RPM

Scan Execution and Report Interpretation

# Full interactive scan (press Enter to skip each stage)
sudo rkhunter --check

# Non‑interactive mode for cron jobs
sudo rkhunter --check --skip-keypress --report-warnings-only

# View the log
sudo cat /var/log/rkhunter.log

# Log entry prefixes:
# [Found] – suspicious item requiring manual verification
# [Warning] – possible false positive or real threat
# [OK] – check passed
# [Not found] – signature not present

chkrootkit Cross‑Verification

# Install
sudo apt install -y chkrootkit

# Run scan
sudo chkrootkit

# Quiet mode (only suspicious output)
sudo chkrootkit -q

# rkhunter uses signature matching + file‑attribute checks; chkrootkit uses string patterns and command‑output analysis. Using both reduces false negatives.

System Audit Framework (auditd)

Architecture

auditd is the userspace component of the Linux kernel audit subsystem. The kernel inserts hooks at system‑call entry/exit points; based on user‑defined rules it records the operation. Events are sent via a netlink socket to auditd, which writes them to log files. auditd – daemon that receives events and writes logs. auditctl – runtime tool to add, delete, or view rules. ausearch – search utility for audit logs. aureport – generates summary reports. audisp‑remote – forwards audit logs to a remote collector.

# Install
sudo apt install -y auditd audispd-plugins

# Enable and start at boot
sudo systemctl enable --now auditd

Enterprise‑grade Audit Rules

# /etc/audit/rules.d/security.rules – example rule set
# Global settings
-b 8192                # audit buffer size
-f 1                  # failure action: 1=printk, 2=panic
-c                     # ignore errors and continue

# Time changes (prevent attackers from hiding traces)
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time_change
-w /etc/localtime -p wa -k time_change

# Identity changes
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /usr/sbin/useradd -p x -k user_mgmt
-w /usr/sbin/userdel -p x -k user_mgmt
-w /usr/sbin/usermod -p x -k user_mgmt
-w /usr/sbin/groupadd -p x -k user_mgmt
-w /usr/sbin/groupdel -p x -k user_mgmt

# Privilege escalation
-w /etc/sudoers -p wa -k priv_esc
-w /etc/sudoers.d/ -p wa -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /usr/bin/su -p x -k priv_esc
-a always,exit -F arch=b64 -S setuid,setgid,setreuid,setregid,seteuid,setegid -F auid>=1000 -F auid!=4294967295 -k priv_esc

# Network configuration changes
-w /etc/hosts -p wa -k net_config
-w /etc/hostname -p wa -k net_config
-w /etc/resolv.conf -p wa -k net_config
-w /etc/network/ -p wa -k net_config
-w /etc/netplan/ -p wa -k net_config
-a always,exit -F arch=b64 -S sethostname,setdomainname -k net_config

# SSH and authentication
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /etc/pam.d/ -p wa -k pam_mod
-w /etc/security/limits.conf -p wa -k security_limits
-w /var/log/faillog -p wa -k login_events
-w /var/log/lastlog -p wa -k login_events

# Scheduled tasks (persistence)
-w /etc/crontab -p wa -k cron_persist
-w /etc/cron.d/ -p wa -k cron_persist
-w /etc/cron.daily/ -p wa -k cron_persist
-w /etc/cron.hourly/ -p wa -k cron_persist
-w /etc/cron.weekly/ -p wa -k cron_persist
-w /etc/cron.monthly/ -p wa -k cron_persist
-w /var/spool/cron/ -p wa -k cron_persist
-w /etc/systemd/system/ -p wa -k systemd_persist
-w /usr/lib/systemd/system/ -p wa -k systemd_persist

# Kernel modules
-w /sbin/insmod -p x -k kernel_module
-w /sbin/rmmod -p x -k kernel_module
-w /sbin/modprobe -p x -k kernel_module
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k kernel_module

# File deletion (anti‑anti‑forensics)
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k file_delete

# Temporary‑directory execution monitoring
-a always,exit -F arch=b64 -S execve -F dir=/tmp -k exec_from_tmp
-a always,exit -F arch=b64 -S execve -F dir=/var/tmp -k exec_from_tmp
-a always,exit -F arch=b64 -S execve -F dir=/dev/shm -k exec_from_tmp

# Lock the rule set (must be last)
-e 2

Loading Rules

# Load all rules and verify
sudo augenrules --load && sudo auditctl -l

Emergency Response Process

Six‑Step Response Methodology

Preparation – toolchain ready, response playbook defined, contact list maintained.

Identification – confirm that a security event occurred and assess impact.

Containment – stop attack spread – short‑term (network isolation, block IP) and long‑term (patch vulnerable service).

Eradication – remove all backdoors, malicious files, and unauthorized accounts.

Recovery – restore from trusted backups and gradually bring services back online.

Lessons Learned – post‑mortem analysis, improve defenses, update the response plan.

Initial Response Checklist

# System information
uname -a
cat /etc/os-release
uptime
date
timedatectl

# User account audit
awk -F: '$3==0 {print $1}' /etc/passwd               # UID 0 non‑root users
awk -F: '($2==""||$2=="!") {print $1}' /etc/shadow   # Empty passwords
last -30 | head -50                                 # Recent logins
lastb -30 | head -30 || echo "no lastb records"   # Failed logins

# Process audit
ps auxf                                            # Process tree
ls -la /proc/*/exe 2>/dev/null | grep "(deleted)" || echo "none"
ps aux --sort=-%cpu | head -20                      # High‑CPU processes

# Network audit
ss -tulnp                                           # Listening sockets
ss -tnp state established                           # Established connections
iptables -L -n -v --line-numbers

# File changes (last 3 days, exclude logs and caches)
find / -mtime -3 -type f \( ! -path "/var/log/*" ! -path "/var/cache/*" ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" \) 2>/dev/null

# SUID/SGID binaries
find / -perm -4000 -type f 2>/dev/null | wc -l   # SUID count
find / -perm -2000 -type f 2>/dev/null | wc -l   # SGID count

# Cron jobs (system and per‑user)
cat /etc/crontab
ls -la /etc/cron.d/
for user in $(cut -d: -f1 /etc/passwd); do crontab -l -u "$user" 2>/dev/null && echo "--- $user ---"; done
systemctl list-timers --all

# Kernel modules
lsmod | grep -i suspicious

Automation Scripts

Comprehensive Security Audit Script (security_audit.sh)

#!/bin/bash
set -euo pipefail

REPORT_DIR="/tmp/security_audit_$(hostname)_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$REPORT_DIR"

log(){
  echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$REPORT_DIR/audit.log"
}

log "===== Security Audit Start ====="
log "Hostname: $(hostname)"
log "IP: $(hostname -I | awk '{print $1}')"
log "OS: $(grep PRETTY_NAME /etc/os-release | cut -d'=' -f2 | tr -d '"')"
log "Kernel: $(uname -r)"
log "Report directory: $REPORT_DIR"

# 1. User accounts
log "--- User Account Info ---"
{
  echo "=== UID=0 users (should only be root) ==="
  awk -F: '$3==0 {print $1}' /etc/passwd
  echo -e "
=== Login capable users ==="
  grep -vE "nologin|false|/bin/sync|/bin/halt|/bin/shutdown" /etc/passwd
  echo -e "
=== Empty password users ==="
  awk -F: '($2==""||$2=="!") {print $1}' /etc/shadow 2>/dev/null || echo "cannot read shadow file"
  echo -e "
=== Recent logins (30 days) ==="
  last -30 | head -50
  echo -e "
=== Failed logins (30 days) ==="
  lastb 2>/dev/null | head -30 || echo "no lastb records"
} > "$REPORT_DIR/01_users.txt"

# 2. Processes
log "--- Process Info ---"
{
  echo "=== Process Tree ==="
  ps auxf
  echo -e "
=== Deleted but running processes ==="
  ls -la /proc/*/exe 2>/dev/null | grep "(deleted)" || echo "none"
  echo -e "
=== Top CPU consumers ==="
  ps aux --sort=-%cpu | head -21
} > "$REPORT_DIR/02_processes.txt"

# 3. Network
log "--- Network Info ---"
{
  echo "=== Listening sockets ==="
  ss -tulnp
  echo -e "
=== Established connections ==="
  ss -tnp state established
  echo -e "
=== Routing table ==="
  ip route
  echo -e "
=== DNS configuration ==="
  cat /etc/resolv.conf
} > "$REPORT_DIR/03_network.txt"

# 4. Cron jobs
log "--- Cron Jobs ---"
{
  echo "=== System crontab ==="
  cat /etc/crontab 2>/dev/null
  echo -e "
=== /etc/cron.d/ ==="
  ls -la /etc/cron.d/ 2>/dev/null
  for user in $(cut -d: -f1 /etc/passwd); do
    crontab -l -u "$user" 2>/dev/null && echo "--- $user ---"
  done
  echo -e "
=== systemd timers ==="
  systemctl list-timers --all --no-pager
} > "$REPORT_DIR/04_crontabs.txt"

# 5. SUID/SGID
log "--- SUID/SGID Scan ---"
{
  echo "=== SUID files ==="
  find / -perm -4000 -type f 2>/dev/null
  echo -e "
=== SGID files ==="
  find / -perm -2000 -type f 2>/dev/null
} > "$REPORT_DIR/05_suid_sgid.txt"

# 6. Recent files (last 3 days)
log "--- Recent Files (3 days) ---"
find / -mtime -3 -type f \( ! -path "/var/log/*" ! -path "/var/cache/*" ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" \) 2>/dev/null > "$REPORT_DIR/06_recent_files.txt"

log "===== Audit Complete, report stored at $REPORT_DIR ====="

tar czf "$REPORT_DIR.tar.gz" -C /tmp "$(basename $REPORT_DIR)"
log "Report archived: $REPORT_DIR.tar.gz"

Intrusion Trace Detection Script (intrusion_detect.sh)

#!/bin/bash
set -euo pipefail

REPORT_DIR="/mnt/usb/evidence/$(hostname)_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$REPORT_DIR"

# 1. Memory and process snapshot
cp /proc/meminfo "$REPORT_DIR/meminfo.txt"
ps auxf > "$REPORT_DIR/ps_full.txt"
cat /proc/net/tcp > "$REPORT_DIR/proc_net_tcp.txt"
ss -tnp > "$REPORT_DIR/ss_connections.txt"

# 2. User and login data
last -aiF > "$REPORT_DIR/last_logins.txt"
lastlog > "$REPORT_DIR/lastlog.txt"
cat /etc/passwd > "$REPORT_DIR/passwd.txt"

# 3. Cron jobs per user
for user in $(cut -d: -f1 /etc/passwd); do
  crontab -l -u "$user" 2>/dev/null > "$REPORT_DIR/crontab_${user}.txt" || true
done

# 4. SUID/SGID inventory
find / -perm -4000 -type f 2>/dev/null > "$REPORT_DIR/suid.txt"
find / -perm -2000 -type f 2>/dev/null > "$REPORT_DIR/sgid.txt"

# 5. Compute SHA256 hashes for integrity verification
find "$REPORT_DIR" -type f -exec sha256sum {} \; > "$REPORT_DIR/checksums.sha256"

echo "Forensic data collected at $REPORT_DIR"

Best Practices and Caveats

Security Baseline Construction

#!/bin/bash
set -euo pipefail
# Minimal installation – remove unnecessary packages
dpkg --list | grep '^ii' | awk '{print $2}' > /tmp/installed_packages.txt
sudo apt purge -y telnetd rsh-server xinetd
# Disable unneeded services
for svc in avahi-daemon cups bluetooth; do
  sudo systemctl stop "$svc" 2>/dev/null || true
  sudo systemctl disable "$svc" 2>/dev/null || true
  sudo systemctl mask "$svc" 2>/dev/null || true
done
# SUID/SGID cleanup – audit then remove if unnecessary
find / -perm -4000 -type f -exec ls -la {} \; > /tmp/suid_sgid_audit.txt
# Example: remove unnecessary SUID bits
sudo chmod u-s /usr/bin/newgrp
sudo chmod u-s /usr/sbin/pppd

Log Centralization

# /etc/rsyslog.d/50-remote.conf
*.* @@logserver.internal:514

# Local queue to prevent loss on network outage
$ActionQueueType LinkedList
$ActionQueueFileName remote_fwd
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on

Set the append‑only attribute on critical logs to make them tamper‑evident:

sudo chattr +a /var/log/auth.log
sudo chattr +a /var/log/syslog

Deep Defense Model

┌─────────────────────────────────────────────┐
│  Network layer: iptables/nftables + Suricata │
│  ┌─────────────────────────────────────┐ │
│  │  Host layer: auditd + AIDE + rkhunter │ │
│  │  ┌─────────────────────────────────┐│ │
│  │  │  Application layer: WAF + RASP   │││
│  │  │  ┌─────────────────────────────┐│││
│  │  │  │  Data layer: encryption + ACL ││││
│  │  │  └─────────────────────────────┘│││
│  │  └─────────────────────────────────┘│ │
│  └─────────────────────────────────────┘ │
└─────────────────────────────────────────────┘

Automated Response with Wazuh

#!/bin/bash
set -euo pipefail
LOCAL=$(dirname "$0")
LOCK="$LOCAL/fw-drop"
LOCK_PID="$LOCK/pid"
ACTION=$1
IP=$3

if [[ "x${ACTION}" == "xadd" ]]; then
  iptables -I INPUT -s "$IP" -j DROP
  echo "$(date '+%Y-%m-%d %H:%M:%S') BLOCKED $IP" >> /var/log/active-response.log
elif [[ "x${ACTION}" == "xdelete" ]]; then
  iptables -D INPUT -s "$IP" -j DROP
  echo "$(date '+%Y-%m-%d %H:%M:%S') UNBLOCKED $IP" >> /var/log/active-response.log
fi

Alert Levels and Escalation

P3‑Low – single SSH failure, port scan – log only, no alert, daily summary.

P2‑Medium – ≥10 SSH failures within 5 min – auto‑block IP for 1 h – notification via enterprise chat.

P1‑High – SUID change, new crontab entry – block + isolate host network – phone alert + ticket.

P0‑Critical – rootkit detection, kernel module load – immediate isolation, preserve evidence – phone + SMS + emergency playbook.

Monitoring and Metrics

Key Security Indicators

SSH failed logins per hour.

SUID file count changes.

Outbound connections to non‑standard ports.

CPU usage of top processes (detect mining).

Executable files in /tmp, /var/tmp, /dev/shm.

New crontab entries.

Kernel module count changes.

Prometheus Security Metrics Collector

# /var/lib/prometheus/node-exporter/security_metrics.prom
ssh_failures=$(journalctl -u sshd --since "5 min ago" --no-pager 2>/dev/null | grep -c "Failed password" || echo 0)
echo "security_ssh_failed_logins_5m $ssh_failures" > /var/lib/prometheus/node-exporter/security_metrics.tmp

suid_count=$(find / -perm -4000 -type f 2>/dev/null | wc -l)
echo "security_suid_file_count $suid_count" >> /var/lib/prometheus/node-exporter/security_metrics.tmp

abnormal_conn=$(ss -tnp state established 2>/dev/null | awk '{print $5}' | grep -v -E ":(80|443|53|123|514)$" | wc -l)
echo "security_abnormal_outbound_connections $abnormal_conn" >> /var/lib/prometheus/node-exporter/security_metrics.tmp

tmp_exec=$(find /tmp /var/tmp /dev/shm -type f -executable 2>/dev/null | wc -l)
echo "security_tmp_executable_count $tmp_exec" >> /var/lib/prometheus/node-exporter/security_metrics.tmp

mv /var/lib/prometheus/node-exporter/security_metrics.tmp /var/lib/prometheus/node-exporter/security_metrics.prom

Corresponding Prometheus alert rules (e.g., security_alerts.yml) monitor these metrics and fire warnings at appropriate severities.

Backup, Forensics, and Recovery

Disk Imaging for Forensics

# Offline full‑disk image (dd)
SOURCE_DISK="/dev/sda"
IMAGE_DIR="/mnt/forensic"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
IMAGE_FILE="${IMAGE_DIR}/disk_image_${TIMESTAMP}.raw"

sudo dd if="$SOURCE_DISK" of="$IMAGE_FILE" bs=4M conv=noerror,sync status=progress
sha256sum "$IMAGE_FILE" > "${IMAGE_FILE}.sha256"

echo "Image created: $IMAGE_FILE"
echo "SHA256: $(cat ${IMAGE_FILE}.sha256)"

# LVM snapshot (online, minimal impact)
sudo lvcreate -L 10G -s -n forensic_snap /dev/vg0/root
sudo mount -o ro /dev/vg0/forensic_snap /mnt/snapshot
# After analysis, remove snapshot
# sudo lvremove /dev/vg0/forensic_snap

Post‑Infection Recovery Workflow

Impact Assessment – identify compromised hosts, data exposure, attacker foothold, and persistence mechanisms.

Containment – network isolation, preserve volatile evidence, freeze compromised credentials.

Eradication – delete malicious files, clean persistence (crontab, systemd units, rc.local, authorized_keys), verify system binaries against trusted hashes, unload malicious kernel modules.

Vulnerability Remediation – patch exploited CVEs, disable unnecessary services/ports, harden configurations (strong passwords, MFA).

System Re‑build – for severe breaches, reinstall from a trusted image; restore business data from clean backups; redeploy applications without copying binaries from the compromised host.

Security Hardening – deploy HIDS stack (AIDE, auditd, rkhunter/Wazuh), enable remote log aggregation, implement network segmentation, rotate all credentials (SSH keys, DB passwords, API tokens).

Post‑mortem – write incident report (timeline, root cause, lessons learned), update response playbooks, conduct security awareness training.

Summary

Key Takeaways

File integrity (AIDE) + rootkit scanning (rkhunter/chkrootkit) + kernel audit (auditd) form a robust host‑based detection trio.

Logs are the lifeline of incident investigation; forward them in real time and protect them with append‑only attributes.

Follow the “collect volatile data first, then preserve” principle during response to avoid loss of critical evidence.

Depth‑in‑defense assumes each layer may be breached; combine network, host, application, and data protections.

Automation (Wazuh + ELK + custom active‑response scripts) shortens MTTR and creates a closed‑loop detection‑containment workflow.

Further Learning Paths

Wazuh Enterprise HIDS Platform – integrates AIDE, OSSEC rules, vulnerability scanning, and compliance checks; deep ELK visualization.

eBPF Real‑time Detection – explore Falco (CNCF) for syscall‑level threat detection and Tetragon for kernel‑level enforcement.

MITRE ATT&CK Mapping – map detection rules to ATT&CK tactics/techniques to measure coverage and identify gaps.

References

CIS Benchmarks – OS hardening standards.

AIDE official manual.

Linux Audit System documentation (Red Hat).

RFC 3227 – Digital forensics evidence collection guidelines.

Wazuh documentation – open‑source HIDS deployment.