You can’t detect, investigate, or prove anything without logs. Enable the auditing that captures attacker behavior, protect the logs, and ship them somewhere central.
Why: hardening includes turning on the auditing that records security-relevant activity — logins, privilege use, command execution, and changes to sensitive files — because detection and forensics are impossible without it. When: enable high-value auditing as part of the baseline, not after an incident. Where: this is the supply side of the detection and DFIR courses — those disciplines can only find what hardening chose to log.
# Enable auditing of security-relevant events (Linux auditd):
auditctl -w /etc/passwd -p wa -k identity # changes to accounts
auditctl -w /etc/sudoers -p wa -k priv_change # changes to sudo rights
auditctl -a always,exit -F arch=b64 -S execve -k exec # every command executed
# Capture: authentication, privilege use, process execution (with command
# line), and modification of sensitive files. This is what detection needs.Why: local logs are the first thing an attacker deletes to cover their tracks, so logs must be shipped off the host to a central, append-only store in near real time — where the attacker cannot reach them. When: forward all security logs to a central server/SIEM as they are written. Where: centralization also enables cross-system correlation (the detection and forensics courses) and protects log integrity for investigations.
# Forward logs off the host in real time (attackers wipe LOCAL logs):
# /etc/rsyslog.conf — send to a central collector:
*.* @@logserver.internal:6514 # @@ = TCP; use TLS for the transport
# Better still: a log agent (Filebeat/Fluent Bit/Wazuh) -> central SIEM.
# Off-host + append-only = the attacker can't erase the evidence of the breach.Why: logs are only trustworthy and useful if timestamps are consistent and logs are kept long enough — accurate synchronized time (NTP) lets you correlate events across systems, and adequate retention means you can investigate an intrusion that went unnoticed for weeks. When: enforce NTP everywhere and set retention to your investigation and compliance needs. Where: mismatched clocks make timelines (the core of forensics) impossible to reconstruct.
# Synchronized time is what makes cross-system correlation possible:
timedatectl set-ntp true
timedatectl status # confirm "System clock synchronized: yes"
# Retention: keep security logs long enough to investigate + comply
# (many intrusions are found weeks/months later — dwell time is real).
# Consistent UTC timestamps across hosts -> defensible forensic timelines.