Abstract
Abstract
You already run your local LLM for
example OpenWebUI or AnythingLLM and you would
like to audit your system for security breaches. Learn how
to leverage LLMs for automated Linux System Auditing. This tutorial
covers importing /var/log data into an AI
workspace and using targeted queries to detect security breaches,
verify system integrity, and generate executive-level audit
summaries.
Turns out, feeding ten years of /var/log/ into an LLM is a massive
data-cleansing headache but the RAG results are incredible. I've
essentially built a security advisor that has the 'memory' of my
entire server history. It's time to conduct a regular Linux
Security Breach Audit using your LLM. Here is how I did it.
Overview of Steps involved
Generate Security Staging Area of your /var/log for the LLM:
Switch to admin (root) : su -
Create staging area dir : DIR="$(date +%Y%m%d_%H%M)_security-audit" && mkdir -p ~/$DIR && cd ~/$DIR
Clone logs into staging : cp -r /var/log/* .
Pre-Check (count files) : find . -type f | wc -l
Move files to root dir : find . -mindepth 2 -type f -exec mv --backup=numbered {} . \;
Remove dotfiles : find . -mindepth 1 -name ".*" -exec rm -rf {} +
Remove empty dirs : find . -mindepth 1 -type d -empty -delete
Remove zero byte files : find . -type f -size 0 -delete
Remove tmp files : find . -type f -name "*~*" -delete
Remove redundant files : find . -name "*\([0-9]*" -exec rm -f {} \;
Remove job control files: find . -name "nohup.out" -exec rm -f {} \;
Unzip all .gz files : gunzip -f *.gz
Show broken links : find . -xtype l
rm broken links : find . -xtype l -delete
Generate ASCII journal : journalctl > alljournal.txt
Find binary data : find . -type f -exec file {} + | grep -v "text"
rm binary data : find . -type f -exec file {} + | grep -v "text" | cut -d: -f1 | xargs rm
rm binary journal files : rm *.journal
Add .txt extension : for f in *; do mv "$f" "$f.txt"; done
Post-Check (count files): find . -type f | wc -l
Create a workspace and set the model parameters
Create a new workspace in your LLM, name it accordingly e.g.
"<HOSTNAME> Security Audit from <DATE>". Set
Model Parameters of the workspace to e.g. "Act as a system
security advisor". Also set the other parameters such as e.g. the
capabilities and features of the workspace. For example, get rid
of the image genertion and OCR capabilities in order to keep your
model lean.
Start RAG Ingestion (ETL)
Lauch the data import of the staging area (RAG ingestion) into
your workspace, this may take a while, without GPU a couple of
minutes to hours.
Query your LLM (examples)
Query: "Analyze auth.log or secure logs for an unusual volume of
'Failed password' or 'Invalid user' attempts. Group them by source
IP address and identify any IPs that have more than 20 failures.
Are there any successful logins immediately following a series of
failures from the same IP?"
Query: "Scan the logs for sudo command usage. Identify any
users who attempted to run commands as root but were denied ('not
in the sudoers list'). Also, highlight any successful sudo
sessions that occurred at unusual hours (e.g., between 12 AM and 5
AM)."
Query: "Review the access.log for HTTP status codes
in the 400-500 range. Specifically, look for 'Directory Traversal'
attempts (e.g., strings like ../ or /etc/passwd)
or unusual POST requests to non-existent scripts. Are there any
suspicious outbound connection attempts recorded in the system
logs?"
/var/log data, generate a 3-5
sentence Security Breach Audit Summary. Identify any confirmed
indicators of compromise (IoCs), categorize the severity of found
anomalies (Low, Medium, High), and state whether the system's
integrity appears intact or compromised. Conclude with a 'Pass' or
'Fail' assessment regarding current unauthorized access
attempts."
$Id: linux-llm-security-audit.html,v 1.7 2026/02/27 08:01:37 gloor Exp $ |