CtrlK
BlogDocsLog inGet started
Tessl Logo

analyzing-linux-audit-logs-for-intrusion

Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized access, privilege escalation, and suspicious system activity. Covers audit rule configuration, log querying, timeline reconstruction, and integration with SIEM platforms. Activates for requests involving auditd analysis, Linux audit log investigation, ausearch queries, aureport summaries, or host-based intrusion detection on Linux.

76

Quality

Does it follow best practices?

Impact

No eval scenarios have been run

SecuritybySnyk

Advisory

Suggest reviewing before use

SKILL.md
Quality
Evals
Security

Quality

Content

92%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The content is highly actionable and well-sequenced with validation checkpoints, but it underuses progressive disclosure: the provided api-reference.md bundle is never referenced from the body, and content that belongs in a separate file is inlined.

Suggestions

Link the existing references/api-reference.md from the body (e.g., a 'See api-reference.md for full ausearch/aureport flag reference' line) so the bundle is discoverable.

Move the detailed ausearch/aureport command-flag listings out of the SKILL.md body into references/api-reference.md, keeping the body as a concise workflow overview.

Add a brief inline validate-fix-retry note after rule deployment (e.g., reload, verify count, fix and reload if mismatched) to make the feedback loop explicit rather than relying on the end checklist.

DimensionReasoningScore

Conciseness

The body is lean and command-driven with minimal prose, avoiding padding with concepts Claude already knows; the Key Concepts table defines tools for precise command selection rather than explaining generic background.

3 / 3

Actionability

It provides fully executable, copy-paste-ready bash commands throughout (auditctl rules, ausearch/aureport queries with concrete flags and time ranges), matching the anchor for specific executable examples.

3 / 3

Workflow Clarity

A clear six-step sequence is present with inline validation checkpoints (backlog check, rule-count confirmation) plus a dedicated Verification checklist, so validation steps are not missing for the batch rule-deployment operations.

3 / 3

Progressive Disclosure

Although a references/api-reference.md bundle exists, the body never signals or links it, and detailed ausearch/aureport flag references that could live in that file are inlined as a large monolithic block.

2 / 3

Total

11

/

12

Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description is specific, complete, and distinct: it enumerates concrete capabilities and provides an explicit trigger clause covering natural terms users would say. It uses proper third-person voice and avoids vague fluff or over-claims.

DimensionReasoningScore

Specificity

The description lists multiple concrete actions ('detect intrusion attempts, unauthorized access, privilege escalation', 'audit rule configuration, log querying, timeline reconstruction, and integration with SIEM platforms'), matching the anchor for listing multiple specific concrete actions.

3 / 3

Completeness

It clearly answers both what the skill does and when to use it via the explicit 'Activates for requests involving...' trigger clause, matching the anchor for clearly answering both what AND when.

3 / 3

Trigger Term Quality

It gives good coverage of natural terms a user would say ('auditd analysis, Linux audit log investigation, ausearch queries, aureport summaries, or host-based intrusion detection on Linux'), aligning with the score-3 anchor rather than the partial coverage of score 2.

3 / 3

Distinctiveness Conflict Risk

It targets a clear niche (Linux host-based audit log intrusion detection) with distinct triggers and even distinguishes itself from network-level IDS, making it unlikely to conflict with other skills.

3 / 3

Total

12

/

12

Passed

Validation

93%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation15 / 16 Passed

Validation for skill structure

CriteriaDescriptionResult

frontmatter_unknown_keys

Unknown frontmatter key(s) found; consider removing or moving to metadata

Warning

Total

15

/

16

Passed

Repository
mukul975/Anthropic-Cybersecurity-Skills
Reviewed

Table of Contents

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.