- Posted on
- • Artificial Intelligence
Using Artificial Intelligence to Audit Linux Systems
- Author
-
-
- User
- linuxbash
- Posts by this author
- Posts by this author
-
Using Artificial Intelligence to Audit Linux Systems
If your servers churn out more logs than any human can read, you’re not alone. SSH brute-force attempts, privilege escalations, odd binaries appearing in /tmp: it’s all in there—buried under megabytes of noise. Artificial Intelligence (AI) won’t replace your hard-won Linux skills, but it can radically shrink “time to insight,” helping you prioritize real issues, explain risk, and suggest fixes—fast.
This article shows how to bolt AI onto a traditional Linux audit stack with Bash-friendly tooling you probably already use. You’ll get actionable scripts, real-world examples, and install commands for apt, dnf, and zypper.
Why use AI for Linux auditing?
Scale: Modern systems generate too much telemetry for manual triage. AI can summarize, rank, and cluster events.
Reasoning across formats: Auditd, journald, Lynis, and ad-hoc shell output don’t speak the same language. An LLM can.
Triage first, deep dive second: Let AI surface suspicious patterns and proposed fixes; you confirm and remediate.
Private by default: With local models (e.g., Ollama), you can keep data on-box and offline.
Caveat: AI can be wrong or overconfident. Keep a “trust, but verify” mindset, and never auto-execute its suggestions without review.
Prerequisites and installation
You’ll need a few standard tools for data collection and summarization. Use the commands appropriate for your distro.
auditd (system call and auth auditing)
- apt:
sudo apt update && sudo apt install -y auditd - dnf:
sudo dnf install -y audit - zypper:
sudo zypper install -y audit - Enable and start:
sudo systemctl enable --now auditd
- apt:
Lynis (security audit baseline)
- apt:
sudo apt install -y lynis - dnf:
sudo dnf install -y lynis - zypper:
sudo zypper install -y lynis
- apt:
jq (JSON processing)
- apt:
sudo apt install -y jq - dnf:
sudo dnf install -y jq - zypper:
sudo zypper install -y jq
- apt:
curl (HTTP client)
- apt:
sudo apt install -y curl - dnf:
sudo dnf install -y curl - zypper:
sudo zypper install -y curl
- apt:
git (for config drift tracking; optional but useful)
- apt:
sudo apt install -y git - dnf:
sudo dnf install -y git - zypper:
sudo zypper install -y git
- apt:
etckeeper (optional: version-control /etc)
- apt:
sudo apt install -y etckeeper - dnf:
sudo dnf install -y etckeeper - zypper:
sudo zypper install -y etckeeper - Initialize:
sudo etckeeper init && sudo etckeeper commit "Initial /etc baseline"
- apt:
Ollama (run a local LLM offline; choose a small model to start)
- Install (generic):
curl -fsSL https://ollama.com/install.sh | sh - Start service (if not already):
ollama serve(or via systemd, depending on install) - Pull a model (example):
ollama pull mistral - Quick test:
echo "Summarize: failed ssh logins from 10.0.0.5" | ollama run mistral
- Install (generic):
Note: If you prefer to use a cloud LLM via API, you can swap the ollama calls with your provider’s CLI or curl calls. For sensitive systems, prefer local inference.
Step 1: Collect better data (auditd rules you’ll actually use)
Start with focused audit rules for auth and suspicious exec patterns. Save as /etc/audit/rules.d/ai-audit.rules:
-w /etc/sudoers -p wa -k watched_sudoers
-w /etc/sudoers.d/ -p wa -k watched_sudoers
-a always,exit -F arch=b64 -S execve -k execve_calls
-a always,exit -F arch=b32 -S execve -k execve_calls
-w /var/log/secure -p r -k auth_logs
-w /var/log/auth.log -p r -k auth_logs
-w /usr/bin/sudo -p x -k sudo_exec
-w /bin/su -p x -k su_exec
-a always,exit -F arch=b64 -S sethostname,setdomainname -k net_changes
-a always,exit -F arch=b64 -S mount,umount2 -k mount_ops
Load and restart:
sudo augenrules --load
sudo systemctl restart auditd
sudo auditctl -l # verify loaded rules
Tip: Keep your ruleset tight to avoid drowning the AI in redundant noise.
Step 2: AI-assisted summarization and prioritization of recent events
The following Bash script extracts key events from auditd and journald, then asks an LLM to summarize top risks and suggest commands to investigate. Save it as ai-summarize-audit.sh and make it executable.
#!/usr/bin/env bash
set -euo pipefail
MODEL="${MODEL:-mistral}"
SINCE="${SINCE:-1 hour ago}"
# Collect signals (tweak as needed)
AUDIT_TXT="$(sudo ausearch -m USER_LOGIN,USER_AUTH,EXECVE,USER_ROLE_CHANGE,AVC -ts "${SINCE}" -i 2>/dev/null || true)"
JOURNAL_TXT="$(sudo journalctl -p warning --since "${SINCE}" --no-pager 2>/dev/null || true)"
SUDO_LOGS="$(sudo journalctl -u sudo --since "${SINCE}" --no-pager 2>/dev/null || true)"
NET_LISTEN="$(ss -lntup 2>/dev/null || true)"
# Optional redaction (IPs, hostnames). Comment out if you prefer full fidelity.
# AUDIT_TXT="$(echo "$AUDIT_TXT" | sed -E 's/[0-9]{1,3}(\.[0-9]{1,3}){3}/<IP>/g')"
PROMPT=$(cat <<'EOF'
You are a Linux security auditor. Summarize the most suspicious findings from the following data.
Output a compact, ranked list (max 10 items). For each item include:
- title
- why_it_matters (1–2 sentences)
- key_evidence (quote the most relevant line(s))
- verification_commands (bash one-liners I can run safely, read-only where possible)
- likely_severity (low/medium/high/critical)
Data sections:
=== AUDITD ===
EOF
)
PROMPT="${PROMPT}
${AUDIT_TXT}
=== JOURNAL ===
${JOURNAL_TXT}
=== SUDO ===
${SUDO_LOGS}
=== LISTENING_PORTS ===
${NET_LISTEN}
"
echo "Analyzing logs since: ${SINCE}" >&2
echo "$PROMPT" | ollama run "$MODEL"
Run it:
chmod +x ai-summarize-audit.sh
./ai-summarize-audit.sh
What you’ll get: a human-digestible, ranked list of findings—with context and safe investigation commands. Verify before acting.
Real-world example: Overnight, an engineer saw “SSH brute force” alerts but no prioritization. The script surfaced that all failures were from a single ASN hitting root, while a new binary with the suid bit appeared in /usr/local/bin. The AI ranked the suid issue higher, leading to a quick containment before exploring the SSH pattern.
Step 3: Turn a Lynis scan into a prioritized remediation plan
Lynis provides a great baseline, but the report can be long. Use AI to reduce it to an actionable top-10:
1) Run Lynis:
sudo lynis audit system --quick --auditor "AI-Pipeline"
2) Summarize the report:
REPORT="/var/log/lynis-report.dat"
cat <<'EOF' > ai-summarize-lynis.sh
#!/usr/bin/env bash
set -euo pipefail
MODEL="${MODEL:-mistral}"
REPORT="${1:-/var/log/lynis-report.dat}"
PROMPT=$(cat <<'P'
You are a Linux hardening expert. From the Lynis report below, produce:
- Top 10 prioritized remediations (title, rationale, exact commands or config changes)
- Group by theme (auth, kernel, filesystem, network)
- Call out quick wins vs. long-running tasks
- Note dependencies or potential service impact
P
)
printf "%s\n\n=== LYNIS REPORT START ===\n" "$PROMPT"
cat "$REPORT"
echo -e "\n=== LYNIS REPORT END ==="
EOF
chmod +x ai-summarize-lynis.sh
./ai-summarize-lynis.sh | ollama run mistral
This typically yields a tight checklist with commands (e.g., enabling ufw/firewalld rules, tightening sysctl, rotating keys, disabling unused services), plus notes about potential impact.
Step 4: Explain configuration drift in /etc with AI
Track changes and get plain-English explanations of what matters.
If you installed etckeeper earlier, commit before/after changes:
sudo etckeeper commit "pre-maintenance"
# ...make or detect changes...
sudo etckeeper commit "post-maintenance"
Now ask AI to explain risky diffs:
sudo etckeeper vcs status
sudo etckeeper vcs diff | ollama run mistral -p "You are a Linux security reviewer. Explain the risk of these /etc changes, list services affected, and suggest safe verification commands. Then prioritize."
Without etckeeper, you can do a quick one-off:
sudo git -C /etc init >/dev/null 2>&1 || true
sudo git -C /etc add -A
sudo git -C /etc commit -m "baseline" || true
# ... time passes ...
sudo git -C /etc diff | ollama run mistral -p "Review config drift for security impact and propose checks."
Step 5: A daily, offline AI audit job (cron-ready)
Bundle key checks into a single report. Save as /usr/local/bin/ai-daily-audit.sh:
#!/usr/bin/env bash
set -euo pipefail
MODEL="${MODEL:-mistral}"
NOW="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
OUTDIR="/var/log/ai-audit"
mkdir -p "$OUTDIR"
COLLECT=$(mktemp)
{
echo "=== DATE ==="
echo "$NOW"
echo "=== KERNEL ==="
uname -a
echo "=== UPTIME ==="
uptime
echo "=== RECENT AUTH FAILS (24h) ==="
sudo ausearch -m USER_AUTH,USER_LOGIN -ts "24 hours ago" -i 2>/dev/null | tail -n 500
echo "=== SUID/SGID (root fs) ==="
sudo find / -xdev -type f -perm /6000 -printf "%p %m %u:%g\n" 2>/dev/null | head -n 200
echo "=== CAPABILITIES ==="
sudo getcap -r / 2>/dev/null | head -n 200
echo "=== LISTENING PORTS ==="
ss -lntup 2>/dev/null | head -n 200
echo "=== NEW USERS/GROUPS (24h) ==="
sudo journalctl -g 'useradd\|groupadd' --since "24 hours ago" --no-pager 2>/dev/null
echo "=== HIGH SEVERITY LOGS (24h) ==="
sudo journalctl -p err --since "24 hours ago" --no-pager 2>/dev/null | tail -n 500
} > "$COLLECT"
PROMPT=$(cat <<'EOF'
You are a Linux security auditor. From the data below, produce a JSON report with:
- summary: string
- findings: array of objects:
- title
- severity (low/medium/high/critical)
- evidence (1-3 short lines)
- verification_commands (array of bash commands, read-only where possible)
- remediation (1-2 steps)
Return only JSON.
EOF
)
# Ask the model and store result
REPORT_JSON="$OUTDIR/audit-$NOW.json"
{
echo "$PROMPT"
echo
echo "=== DATA ==="
cat "$COLLECT"
} | ollama run "$MODEL" > "$REPORT_JSON"
echo "Wrote: $REPORT_JSON"
rm -f "$COLLECT"
Make it executable and schedule:
sudo chmod +x /usr/local/bin/ai-daily-audit.sh
sudo bash -c '(crontab -l 2>/dev/null; echo "15 3 * * * MODEL=mistral /usr/local/bin/ai-daily-audit.sh") | crontab -'
Now you have a nightly JSON report highlighting top issues and how to verify them—without shipping logs off the box.
Safety, privacy, and accuracy tips
Prefer local models for sensitive logs. If you must use cloud APIs, redact first.
Log all prompts and outputs. Store alongside your audit artifacts for traceability.
Don’t auto-remediate. Always validate AI-suggested commands.
Tune the prompt: Ask for verification commands that don’t modify state first.
Start small: Limit data volume. Aim for signal, not firehose.
Conclusion and next steps
AI won’t magically secure your servers, but it can turn a pile of raw events into a prioritized to-do list with context in minutes. Start with the scripts above on a non-production box, tune your auditd rules, and iterate on prompts until the output consistently saves you time.
Call to action:
Wire up Step 2 and Step 5, then review the next day’s JSON report.
Run a Lynis scan and generate a top-10 remediation plan.
Share your best prompts and wins with your team; standardize the workflow.
If you want a follow-up, ask for:
A hardened, systemd-managed service unit for the daily AI audit
A redaction filter that removes tokens, keys, and IPs before analysis
A dashboard that visualizes daily AI-audit JSONs over time
Happy auditing—and may your logs be ever more readable.