internal/skills/catalog/auditctl/SKILL.md
# auditctl — Linux Audit Rule Management

## Category
Log Analysis

## License
GPLv2 (audit)

## Source
https://github.com/linux-audit/audit-userspace (Linux Audit Framework)

## Purpose
Configure the Linux Audit Framework rules at runtime. Companion to `ausearch`/`aureport` — `auditctl` defines *what* to audit, while `ausearch` queries the results.

## Use Cases
- Add audit rules to monitor access to sensitive files (shadow, passwd, SSH keys)
- Watch for privilege escalation syscalls (execve, s
## Examples

```bash
# List all current audit rules
auditctl -l

# Watch for modifications to /etc/passwd
auditctl -w /etc/passwd -p wa -k passwd_changes

# Watch for modifications to SSH configuration
auditctl -w /etc/ssh/sshd_config -p wa -k sshd_config

# Monitor execve syscalls (process execution)
auditctl -a always,exit -F arch=b64 -S execve -k exec_monitor

# Watch for changes to the audit configuration itself
auditctl -w /etc/audit/ -p wa -k audit_config

# Monitor privilege escalation attempts
auditctl -a always,exit -F arch=b64 -S setuid -S setgid -k privesc

# Check audit system status
auditctl -s
```
## Notes

- Rules added with `auditctl` are not persistent across reboots — they must be written to `/etc/audit/rules.d/` for persistence. Use `auditctl` for runtime/investigation rules only.
- Check the existing rules (`auditctl -l`) before adding new ones to avoid duplicates.
- Requires the `CAP_AUDIT_CONTROL` capability.
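The two notes above (check `auditctl -l` before adding, then persist under `/etc/audit/rules.d/`) combined into one POSIX sh helper, as an added example that is not part of the skill file. The rules file name `mitiga.rules` and the sample listing are assumptions; the listing is constructed, not captured from a host.

```shell
#!/bin/sh
# Idempotent audit rule loading: compare against the live rule list before
# adding, then persist. auditctl and /etc/audit/rules.d/ need CAP_AUDIT_CONTROL.

# Normalise one rule line. `auditctl -l` may print a syscall rule's key as
# `-F key=NAME` although it was added with `-k NAME`; fold that difference
# and squeeze whitespace so a textual comparison is meaningful.
normalize_rule() {
    printf '%s\n' "$1" | sed -e 's/-F key=/-k /' \
        -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//'
}

# rule_listed LISTING RULE: succeed if RULE already appears in LISTING
# (the text of `auditctl -l`), after normalising both sides.
rule_listed() {
    wanted=$(normalize_rule "$2")
    printf '%s\n' "$1" | while IFS= read -r line; do
        normalize_rule "$line"
    done | grep -Fxq -- "$wanted"
}

# ensure_rule RULE [FILE]: load RULE at runtime only if it is not already
# loaded, and append it to FILE (default name is an assumption) unless it is
# already there. Persisted rules are applied with `augenrules --load`.
ensure_rule() {
    rule=$1
    file=${2:-/etc/audit/rules.d/mitiga.rules}
    if rule_listed "$(auditctl -l)" "$rule"; then
        echo "already loaded: $rule"
    else
        # shellcheck disable=SC2086  # splitting into auditctl arguments is intended
        auditctl $rule || return 1
    fi
    grep -Fxq -- "$rule" "$file" 2>/dev/null || printf '%s\n' "$rule" >> "$file"
}

# Constructed sample of `auditctl -l` output, used to exercise the
# comparison without root.
SAMPLE_LISTING='-w /etc/passwd -p wa -k passwd_changes
-a always,exit -F arch=b64 -S execve -F key=exec_monitor'
for r in "-w /etc/passwd -p wa -k passwd_changes" \
         "-a always,exit -F arch=b64 -S execve -k exec_monitor" \
         "-w /etc/shadow -p wa -k shadow_changes"; do
    if rule_listed "$SAMPLE_LISTING" "$r"; then echo "present: $r"
    else echo "missing: $r"; fi
done
```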