auditd on an Anubiz Offshore VPS
auditd is the userspace daemon for the Linux kernel auditing subsystem. It records the syscalls and file accesses that match a loaded rule set and writes them to /var/log/audit/audit.log. On an Anubiz VPS it answers who changed what, and when, which is essential for incident response. This guide deploys a sensible rule set, rotates the logs, and optionally ships them to a central log host.
Step 1: Install
Run apt install auditd audispd-plugins. The plugins package provides audisp-remote, which Step 5 uses for off-host shipping.
Step 2: Rules
In /etc/audit/rules.d/anubiz.rules: watch /etc/passwd, /etc/shadow and /etc/sudoers; audit the execve syscall for users with uid >= 1000; watch /etc/ssh, /etc/nftables.conf and /var/log/wtmp. Give each rule a key so ausearch can pull one category of events during an investigation.
Step 3: Restart
Run augenrules --load, then systemctl restart auditd. auditctl -l lists the rules now loaded in the kernel; if a rule from the file is missing, augenrules rejected it and the syntax needs fixing.
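The rule file from Step 2 and the load step from Step 3, as an added example rather than the guide's own file. The key names, the 32-bit execve rule and the -b/-f settings are this example's assumptions; the watched paths and the uid threshold come from the guide.

```bash
#!/usr/bin/env bash
# Generates and installs the Step 2 rule set. Assumed choices (not from the
# guide): key names, backlog size, failure mode, and the arch=b32 rule.
set -eu

# Emit the rule file on stdout. -k keys make `ausearch -k <key>` cheap.
render_anubiz_rules() {
    cat <<'EOF'
## Start from a clean slate and size the kernel backlog for a busy VPS
-D
-b 8192
## On audit failure, log to syslog (-f 2 would panic the box)
-f 1
## Identity files: any write or attribute change
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
## SSH config, firewall rules, login records
-w /etc/ssh -p wa -k sshd_config
-w /etc/nftables.conf -p wa -k nftables
-w /var/log/wtmp -p wa -k session
## Every process executed from a real login session (uid >= 1000).
## auid is the login uid and survives su/sudo; "unset" skips daemons.
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=unset -k exec
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=unset -k exec
EOF
}

# Count rules of one kind in the rendered set: "watch" (-w) or "syscall" (-a).
count_rules() {
    case "$1" in
        watch)   render_anubiz_rules | grep -c '^-w ' ;;
        syscall) render_anubiz_rules | grep -c '^-a ' ;;
        *)       echo 0 ;;
    esac
}

# Write anubiz.rules into a rules directory (default /etc/audit/rules.d) and,
# when targeting the real directory, load it as in Step 3. Pass a temp dir
# as $1 to dry-run without touching the live system.
install_anubiz_rules() {
    dir="${1:-/etc/audit/rules.d}"
    install -d -m 0750 "$dir"
    render_anubiz_rules > "$dir/anubiz.rules"
    chmod 0640 "$dir/anubiz.rules"
    if [ "$dir" = /etc/audit/rules.d ]; then
        augenrules --load && auditctl -l
    fi
}
```

Compare the count of -w and -a lines in the file with the output of auditctl -l after loading; a shortfall means a rule was rejected.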
Step 4: Rotation and Retention
In /etc/audit/auditd.conf set max_log_file = 50 (MB per file), num_logs = 10 and max_log_file_action = ROTATE, which keeps about 500 MB of local history. Aim for 30 days of retention on a hobby box and 90+ days for compliance; auditd rotates by size rather than age, so check that the rotated set actually covers that window at your event rate, or rely on off-host retention (Step 5).
Step 5: Shipping
audisp-remote streams events to a central host as they are generated. Alternatively, run Vector or Filebeat to tail /var/log/audit/audit.log and forward it. Only the off-host copy is a credible audit log: anyone with root on the VPS can edit or truncate the local file.