Week 2: Monitoring Endpoints with HIDS & Auditd

Aayush Acharya
3 min read

🔑 Key Topics Covered

This week was all about endpoint monitoring — the practice of observing activity on individual systems to detect intrusions, vulnerabilities, or anomalies.

In our lecture, we explored:

  • The role of Host Intrusion Detection Systems (HIDS) vs. Host Intrusion Prevention Systems (HIPS)

  • How to read and interpret Windows and Linux event logs

  • The structure and use of logs like /var/log/syslog, /var/log/auth.log, and Windows Event Viewer

  • Vulnerability scanning concepts and the use of CVEs

  • How HIDS tools (like Wazuh and Auditd) collect, analyze, and alert on abnormal activity

We also discussed how tools like Splunk and Snort (coming up in later weeks) tie into larger enterprise endpoint and network monitoring.


πŸ› οΈ Tools Practiced

  • Auditd (Linux Audit Daemon)

  • ausearch (log filtering)

  • Vim (file editing and rule writing)

  • Linux terminal navigation

  • System-level log exploration using tail, dmesg, and manual inspection


💻 Lab Activity — Oops!...I Audit Again

This lab focused on setting up and using Auditd to monitor file modifications on a Linux machine.

Here’s what I did:

1️⃣ Installed and verified Auditd on my VM.
2️⃣ Created and edited a test file (unit2_lab.txt) using Vim.
3️⃣ Wrote custom audit rules to watch for write (-p w) changes to the file.
4️⃣ Filtered logs using ausearch -k unit2_lab_changes to track file edits and system activity tied to those changes.

πŸ” I was able to trace exactly which command modified the file (vim.basic) and confirm the system events using my custom filter key. This hands-on practice made it clear how powerful and customizable host-based monitoring can be.

✅ Key Outcome: I learned to build and test rules for real-time file monitoring — a foundational Blue Team skill.


🚀 Weekly Project — Let’s wget This Bread

In this project, I used my Auditd setup to monitor a protected directory and detect attacks launched through provided scripts.

🧩 My workflow:

  • Configured write-watch rules for files in /protected_files

  • Executed three attack scripts (attack-a, attack-b, attack-c) that modified unknown files

  • Used ausearch with filter keys to analyze logs and map each attack to the file it altered

✅ Goal achieved: Successfully identified the modified files and matched them with the correct attack — showcasing how forensic tools can pinpoint malicious behavior.
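Both the lab (tracing the vim.basic edit of unit2_lab.txt) and the project (mapping attack-a/b/c to the files they altered) come down to the same step: correlating the SYSCALL record of an audited event with its PATH records, which is what ausearch -k does for you. The Python below, added here as an example and not part of the original post or course material, does that correlation by hand over a constructed excerpt in the raw /var/log/audit/audit.log format, so the record structure is visible. The audit key for the project directory (protected_changes), the file names, PIDs and timestamps are all made up; only unit2_lab_changes, unit2_lab.txt, vim.basic and the attack-a/b/c names come from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the raw /var/log/audit/audit.log format (not taken from the post).
# Records like these would be produced by rules of the form:
#   auditctl -w /home/student/unit2_lab.txt -p w -k unit2_lab_changes
#   auditctl -w /protected_files -p w -k protected_changes   (hypothetical key)
# syscall=257 is openat on x86_64; exit=-13 is EACCES (permission denied).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1717000000.101:301): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55c0 a2=241 a3=1b6 items=2 ppid=2001 pid=2042 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="vim.basic" exe="/usr/bin/vim.basic" subj=unconfined key="unit2_lab_changes"
type=CWD msg=audit(1717000000.101:301): cwd="/home/student"
type=PATH msg=audit(1717000000.101:301): item=0 name="/home/student/" inode=1311 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1717000000.101:301): item=1 name="/home/student/unit2_lab.txt" inode=1420 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1717000000.101:301): proctitle=76696D
type=SYSCALL msg=audit(1717000000.250:302): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1 a2=441 a3=1b6 items=2 ppid=2100 pid=2150 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="attack-a" exe="/usr/bin/bash" subj=unconfined key="protected_changes"
type=PATH msg=audit(1717000000.250:302): item=0 name="/protected_files/" inode=2000 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1717000000.250:302): item=1 name="/protected_files/payroll.csv" inode=2001 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1717000000.400:303): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55e2 a2=241 a3=1b6 items=2 ppid=2100 pid=2160 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="attack-b" exe="/usr/bin/python3" subj=unconfined key="protected_changes"
type=PATH msg=audit(1717000000.400:303): item=0 name="/protected_files/" inode=2000 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1717000000.400:303): item=1 name="/protected_files/config.ini" inode=2002 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1717000000.500:304): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55f3 a2=241 a3=1b6 items=1 ppid=2001 pid=2170 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="attack-c" exe="/usr/bin/bash" subj=unconfined key="protected_changes"
type=PATH msg=audit(1717000000.500:304): item=0 name="/protected_files/secrets.txt" inode=2003 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields.

    Quoted values lose their quotes. msg=audit(TIME:SERIAL) is split into
    'timestamp' and 'event_id'; the serial is what ties the SYSCALL, CWD,
    PATH and PROCTITLE records of one event together.
    """
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    match = MSG_RE.search(line)
    if match:
        fields["timestamp"] = float(match.group(1))
        fields["event_id"] = int(match.group(2))
    return fields


def group_events(log_text):
    """Group records by event id so each event's records can be read together."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            record = parse_record(line)
            if "event_id" in record:
                events[record["event_id"]].append(record)
    return events


def attribute_writes(log_text, key):
    """Return one dict per target file touched under the given audit key (the ausearch -k view).

    The PATH record with nametype=PARENT is only the containing directory; the
    other PATH records name the files actually opened, created or deleted.
    """
    hits = []
    for records in group_events(log_text).values():
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        for path in records:
            if path.get("type") != "PATH" or path.get("nametype") == "PARENT":
                continue
            hits.append({
                "event_id": syscall["event_id"],
                "timestamp": syscall["timestamp"],
                "file": path["name"],
                "comm": syscall.get("comm"),  # process name: for a script this is the script, not the interpreter
                "exe": syscall.get("exe"),    # binary that ran, e.g. /usr/bin/bash for a shell script
                "uid": syscall.get("uid"),
                "auid": syscall.get("auid"),  # login uid: survives sudo, so it still names the human
                "success": syscall.get("success") == "yes",
            })
    hits.sort(key=lambda h: h["timestamp"])
    return hits


def files_by_actor(hits, successful_only=True):
    """Map each comm to the set of files it changed (failed attempts dropped by default)."""
    mapping = defaultdict(set)
    for hit in hits:
        if successful_only and not hit["success"]:
            continue
        mapping[hit["comm"]].add(hit["file"])
    return dict(mapping)


if __name__ == "__main__":
    for hit in attribute_writes(SAMPLE_AUDIT_LOG, "protected_changes"):
        status = "ok" if hit["success"] else "DENIED"
        print(f'{hit["comm"]:<10} ({hit["exe"]}) uid={hit["uid"]} auid={hit["auid"]} -> {hit["file"]} [{status}]')
```

Two things worth noticing in the output: comm names the script (attack-a) while exe names the interpreter that actually executed the write, so a watch on comm alone is easy to miss; and auid stays 1000 even where uid is 0, which is how a sudo-elevated change is still traced back to the login session that made it. A success=no event (attack-c here) is still recorded by a -p w watch, so an unsuccessful attempt is visible too; files_by_actor drops it by default because no file was changed.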


💡 Key Takeaways

  • Auditd is a powerful HIDS tool for monitoring Linux systems at the host level.

  • Understanding log structure (especially filtering with ausearch) is critical for real-world investigations.

  • Knowing how to use Vim and sudo is essential when working on system-level files in Linux.

  • Detection and attribution of file modifications are foundational steps toward responding to host-level attacks.


🤔 Reflection

Week 2 built on the foundations of network-level defense by taking the battle to the host level. It felt like stepping into the shoes of a SOC analyst — configuring monitoring, triggering events, and interpreting logs to uncover what really happened under the hood. I’m starting to understand how Blue Team defenders build layered visibility across the system.


📢 Next Week

We will explore Snort, a powerful Network Intrusion Detection System (NIDS), and use it to monitor live network traffic and detect malicious behavior in real time!

Written by

Aayush Acharya

💻 CS and Math Major at Elmhurst University — Rising Senior 🚀 Aspiring Software Engineer & Cybersecurity Specialist 📊 Passionate about Math 🏓 Plays Ping Pong, 🏏 Cricket, 🎾 Tennis ✨ Always learning, always growing!