auditd (Linux Audit Daemon) is the user-space component of the Linux Auditing System. It collects and stores audit records from the kernel, monitoring system calls and file access for security compliance and forensics.
Service Management
- systemctl start auditd - Start audit daemon
- systemctl stop auditd - Stop audit daemon
- systemctl restart auditd - Restart audit daemon
- systemctl status auditd - Check audit daemon status
- systemctl enable auditd - Enable audit daemon at boot
- auditctl -e 1 - Enable auditing
- auditctl -e 0 - Disable auditing
- auditctl -s - Show audit system status
Viewing Audit Logs
- ausearch -k KEY - Search by key
- ausearch -m TYPE - Search by message type (e.g. USER_LOGIN, SYSCALL, AVC)
- ausearch -ua UID - Search by any user ID (matches uid, euid or auid)
- ausearch -ui UID - Search by user ID (uid)
- ausearch -ue UID - Search by effective user ID
- ausearch -ul AUID - Search by login (audit) user ID
- ausearch -x EXECUTABLE - Search by executable name
- ausearch -sc SYSCALL - Search by syscall name or number
- ausearch -ts today - Search today's events
- ausearch -ts recent - Search recent events
- ausearch --start today --end now - Search time range
- aureport - Summary report of audit events
- aureport -au - Authentication report
- aureport -m - Account modifications report
- aureport -f --failed - Failed file operations (aureport -f alone lists all file events)
- aureport --summary - Summary of all events
- ausearch -i - Interpret numeric entities (usernames, etc.)
- tail -f /var/log/audit/audit.log - Monitor audit log in real-time
Configuring Rules
- /etc/audit/rules.d/audit.rules - Permanent rule configuration file
- /etc/audit/auditd.conf - Audit daemon configuration
- auditctl -l - List current rules
- auditctl -D - Delete all rules
- augenrules --load - Merge /etc/audit/rules.d/*.rules into /etc/audit/audit.rules and load them
- service auditd restart - Restart the daemon and reload rules (RHEL/Fedora units refuse a manual stop via systemctl, so use this legacy command or augenrules --load)
File System Watch Rules
Watching Files
- auditctl -w /etc/passwd -p rwxa -k passwd_changes - Watch file (read, write, execute, attribute); r on /etc/passwd fires on every name lookup, so prefer -p wa unless read auditing is really needed
- auditctl -w /etc/shadow -p wa -k shadow_changes - Watch file (write, attribute)
- auditctl -w /etc/sudoers -p wa -k sudoers_changes - Watch sudoers file
Watching Directories
- auditctl -w /etc/ -p wa -k etc_changes - Watch directory (recursive: every file below it)
- auditctl -w /usr/bin/ -p x -k usr_bin_exec - Watch executable execution (records every exec of anything under /usr/bin, so expect high volume)
- auditctl -w /var/log/ -p rwa -k log_access - Watch log directory (r records every log read; drop it if only tampering matters)
Watch Permissions
- -p r - Read operations
- -p w - Write operations
- -p x - Execute operations
- -p a - Attribute changes (permissions, ownership)
System Call Rules
Basic Syntax
- auditctl -a always,exit -F arch=b64 -S SYSCALL -F FIELD=VALUE -k KEY - Rule format: -a ACTION,LIST, one or more -S syscalls (alternatives), zero or more -F filters (all must match), and a key
Common System Calls
- auditctl -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -k file_permission_change
- auditctl -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -k file_ownership_change
- auditctl -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=unset -k file_deletion
- auditctl -a always,exit -F arch=b64 -S mount -S umount2 -k mount_operations
- auditctl -a always,exit -F arch=b64 -S setuid -S setresuid -S setreuid -k privilege_escalation
- auditctl -a always,exit -F arch=b64 -S setgid -S setresgid -S setregid -k privilege_escalation
- Always give -F arch=: without it the name is resolved to a syscall number for the native ABI, and the same number is a different call on the 32-bit ABI. Repeat each rule with -F arch=b32 where 32-bit binaries can run. auid>=1000 keeps system accounts out; auid!=unset (4294967295) drops processes that never went through a login.
Rule Actions
- always - Always generate audit record
- never - Never generate audit record
Rule Lists
- task - Per-task list, evaluated once when a task is created (fork/clone); only fields known at that point (uid, gid, ...) are usable
- exit - Syscall exit list, evaluated when a system call returns; nearly all -a rules go here
- user - Filters records that originate in user space (PAM, login, sshd), not syscalls
- exclude - Drops whole record types before they are logged (e.g. -a always,exclude -F msgtype=CWD)
Filter Fields
- -F auid=UID - Audit (login) user ID: set at login and kept across su/sudo, so it names the person behind an action
- -F uid=UID - User ID
- -F gid=GID - Group ID
- -F euid=UID - Effective user ID
- -F pid=PID - Process ID
- -F ppid=PID - Parent process ID
- -F arch=b64 - 64-bit architecture
- -F arch=b32 - 32-bit architecture
- -F exit=VALUE - Exit value (errno names work, e.g. -F exit=-EACCES)
- -F success=0 - Failed operations only (success=1 for successful ones)
- -F path=PATH - File path
- -F perm=rwxa - Access type that triggers the rule (any subset of r, w, x, a)
- Operators: =, !=, <, >, <=, >=, & and &= (bit tests); every -F on a rule must match (AND), several -S on one rule are alternatives (OR)
Useful Rule Examples
Watch Critical System Files
# /etc/passwd
auditctl -w /etc/passwd -p wa -k passwd_changes
# /etc/shadow
auditctl -w /etc/shadow -p wa -k shadow_changes
# /etc/sudoers
auditctl -w /etc/sudoers -p wa -k sudoers_changes
# /etc/hosts
auditctl -w /etc/hosts -p wa -k hosts_changes
Monitor Privilege Escalation
# Monitor setuid/setgid
auditctl -a always,exit -F arch=b64 -S setuid -S setgid -S setresuid -S setresgid -F auid>=1000 -F auid!=unset -k privilege_change
auditctl -a always,exit -F arch=b32 -S setuid -S setgid -S setresuid -S setresgid -F auid>=1000 -F auid!=unset -k privilege_change
# Monitor sudo usage
auditctl -w /usr/bin/sudo -p x -k sudo_execution
auditctl -w /usr/bin/su -p x -k su_execution
Monitor Network Configuration
# Network config files (Debian path; RHEL uses /etc/sysconfig/network-scripts/)
auditctl -w /etc/network/ -p wa -k network_changes
# Firewall rules (iptables-persistent path; nftables hosts use /etc/nftables.conf)
auditctl -w /etc/iptables/ -p wa -k firewall_changes
Monitor User Management
# User/group changes (useradd and friends are programs, not syscalls: watch the binaries for execution and the account files they write)
auditctl -w /usr/sbin/useradd -p x -k user_management
auditctl -w /usr/sbin/usermod -p x -k user_management
auditctl -w /usr/sbin/userdel -p x -k user_management
auditctl -w /etc/group -p wa -k group_management
auditctl -w /etc/gshadow -p wa -k group_management
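The syscall rules above are easy to get subtly wrong: a rule without -F arch= covers one ABI, and any rule placed after -e 2 is never loaded. The script below is an added example (not from this page or the audit project): gen_rules emits the always,exit rule for a family of related syscalls once per ABI with the auid filters, and lint_rules checks a rules file for those two mistakes. It assumes x86_64 syscall names (aarch64 has no chmod, chown, rename or unlink, only the *at forms); the output path is a temp file here, not a real /etc/audit/rules.d entry.

```shell
#!/usr/bin/env bash
# Added example, not from this page or the audit project. gen_rules writes the
# always,exit rule for a family of related syscalls once per ABI; lint_rules
# catches two mistakes that cost coverage without any error from auditctl -R.
# Assumes x86_64 syscall names (aarch64 has no chmod/chown/rename/unlink).
set -eu

# Print rules for KEY covering SYSCALL... on both b64 and b32, limited to real
# logins: auid >= 1000 and an auid that was actually set (not 4294967295).
# Usage: gen_rules perm_change chmod fchmod fchmodat
gen_rules() {
    local key=$1 arch sc
    shift
    for arch in b64 b32; do
        printf -- '-a always,exit -F arch=%s' "$arch"
        for sc in "$@"; do
            printf -- ' -S %s' "$sc"
        done
        printf -- ' -F auid>=1000 -F auid!=unset -k %s\n' "$key"
    done
}

# Lint a rules file. A syscall rule without -F arch= is resolved for the native
# ABI only, and once "-e 2" has been processed nothing after it is loaded.
# Prints one finding per line; returns 1 if there were any.
lint_rules() {
    local file=$1 rc=0 locked=0 n=0 line
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        if [ "$locked" -eq 1 ]; then
            echo "line $n: rule after '-e 2' will never load: $line"
            rc=1
        fi
        case $line in
            '-e 2'*) locked=1 ;;
            *' -S '*)
                case $line in
                    *' -F arch='*) ;;
                    *) echo "line $n: syscall rule without -F arch: $line"; rc=1 ;;
                esac ;;
        esac
    done < "$file"
    return "$rc"
}

# Build a complete rules file from the generator and lint it. The output path
# is a temp file here; for real use it would be /etc/audit/rules.d/NN-name.rules.
demo() {
    local out
    out=$(mktemp)
    {
        echo '-D'
        echo '-b 8192'
        gen_rules file_permission_change chmod fchmod fchmodat
        gen_rules file_ownership_change chown fchown fchownat lchown
        gen_rules file_deletion unlink unlinkat rename renameat
        gen_rules privilege_change setuid setresuid setreuid setgid setresgid setregid
        echo '-e 2'
    } > "$out"
    lint_rules "$out" && echo "ok: $out"
}
demo
```

Run the lint against /etc/audit/audit.rules after augenrules has merged rules.d, since that merged file is what auditctl -R actually loads.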
Search Examples
Search by Key
ausearch -k passwd_changes -i
Search Failed Logins
ausearch -m USER_LOGIN -sv no -i
(failed logins are USER_LOGIN records with res=failed; LOGIN records only mark the kernel assigning a login uid, so -m LOGIN misses them)
Search File Access
ausearch -f /etc/shadow -i
Search by User
ausearch -ua 1000 -i
Search Today's Events
ausearch -ts today -i
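Every ausearch query above works by stitching the SYSCALL, CWD, PATH and PROCTITLE records of one event together on the serial in msg=audit(TIMESTAMP:SERIAL). The script below is an added example, not from this page or the audit project, that does the same correlation in awk so it also runs on audit.log files shipped off the host where ausearch is not available: audit_failed lists failed operations for one key with the login uid, executable and target file, and audit_summary counts outcomes per key. The records it parses are constructed samples of the shape a -w /etc/shadow -p rwa -k shadow_changes watch and a -w /etc/passwd -p wa -k passwd_changes watch produce on x86_64 (syscall 257 is openat, 82 is rename); they are not captures.

```shell
#!/usr/bin/env bash
# Added example, not from this page or the audit project: the record
# correlation ausearch performs, written in awk for audit.log files that have
# been shipped off the host. The sample records are constructed, not captures.
set -eu

# Failed operations for one key. Reads raw audit.log lines on stdin and joins
# each SYSCALL record to the PATH record(s) of the same event; the event id is
# the serial after the colon in msg=audit(TIMESTAMP:SERIAL).
# Output, one event per line: SERIAL auid=N exe=PATH name=FILE
audit_failed() {
    awk -v want="$1" '
    # value of the " f=..." field of record s, quotes stripped; "" if absent
    function field(s, f,   m) {
        if (!match(s, " " f "=[^ ]*")) return ""
        m = substr(s, RSTART + length(f) + 2, RLENGTH - length(f) - 2)
        gsub(/"/, "", m)
        return m
    }
    function serial(s,   m) {
        match(s, /audit\([0-9.]+:[0-9]+\)/)
        m = substr(s, RSTART, RLENGTH)
        sub(/.*:/, "", m); sub(/\)/, "", m)
        return m
    }
    /^type=SYSCALL / && field($0, "success") == "no" && field($0, "key") == want {
        id = serial($0)
        auid_of[id] = field($0, "auid"); exe_of[id] = field($0, "exe")
        order[++n] = id
    }
    # create/delete/rename events carry a PARENT item before the NORMAL one;
    # keep the NORMAL (target) name when there is one
    /^type=PATH / {
        id = serial($0)
        if (!(id in name_of) || field($0, "nametype") == "NORMAL")
            name_of[id] = field($0, "name")
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            printf "%s auid=%s exe=%s name=%s\n", id, auid_of[id], exe_of[id], name_of[id]
        }
    }'
}

# Per-key success/failure counts from SYSCALL records, like aureport -k but
# split by result. Output: KEY yes|no COUNT  (records without a key count as "(none)")
audit_summary() {
    awk '/^type=SYSCALL / {
        key = "(none)"; ok = ""
        if (match($0, / key="[^"]*"/)) key = substr($0, RSTART + 6, RLENGTH - 7)
        if (match($0, / success=[a-z]+/)) ok = substr($0, RSTART + 9, RLENGTH - 9)
        c[key " " ok]++
    }
    END { for (k in c) print k, c[k] }' | sort
}

# Constructed sample records (x86_64: syscall 257 = openat, 82 = rename).
sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd6c0 a2=0 a3=0 items=1 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="shadow_changes"
type=CWD msg=audit(1700000000.101:201): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/shadow" inode=1234 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.101:201): proctitle=636174002F6574632F736861646F77
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5594a0 a2=0 a3=0 items=1 ppid=1 pid=999 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="shadow_changes"
type=PATH msg=audit(1700000000.202:202): item=0 name="/etc/shadow" inode=1234 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:203): arch=c000003e syscall=82 success=no exit=-13 a0=7ffe10 a1=7ffe20 a2=0 a3=0 items=2 ppid=3000 pid=3001 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=5 comm="mv" exe="/usr/bin/mv" key="passwd_changes"
type=PATH msg=audit(1700000000.303:203): item=0 name="/etc/" inode=2 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.303:203): item=1 name="/etc/passwd" inode=9 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.404:204): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd900 a2=2 a3=0 items=1 ppid=4000 pid=4001 auid=1002 uid=1002 gid=1002 euid=1002 tty=pts2 ses=6 comm="vim" exe="/usr/bin/vim" key="shadow_changes"
type=PATH msg=audit(1700000000.404:204): item=0 name="/etc/shadow" inode=1234 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
EOF
}

# Stand-alone run: failed shadow accesses, then the per-key summary.
sample_audit_log | audit_failed shadow_changes
sample_audit_log | audit_summary
```

Note how event 202 (sshd reading /etc/shadow as root, auid unset) is excluded by success=yes, and how event 203's PARENT item is replaced by the NORMAL one: without that rule a rename or unlink would be reported against the directory instead of the file.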
Configuration Files
/etc/audit/auditd.conf
# Log file location
log_file = /var/log/audit/audit.log
# Log format: RAW or ENRICHED (ENRICHED appends resolved uid, gid and syscall
# names, useful once logs leave the host; NOLOG is deprecated, use write_logs = no)
log_format = RAW
# Rotate when a log reaches max_log_file MB and keep num_logs files. Set the
# action explicitly: ignore or suspend stops logging instead of rotating.
max_log_file = 8
max_log_file_action = ROTATE
num_logs = 5
# Low-disk handling: space_left_action fires at space_left MB free (email needs
# a working MTA), admin_space_left_action at admin_space_left MB, and
# disk_full_action when the partition is full. ignore/syslog only write a
# message and records are then lost; suspend stops writing; halt/single stop
# the host if running unaudited is worse than downtime.
space_left_action = email
action_mail_acct = root
admin_space_left_action = suspend
disk_full_action = suspend
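The settings that matter most in auditd.conf are the ones that decide what happens when the log cannot be written. The script below is an added example (not from this page or the audit project): it puts a weak configuration beside a hardened one and lints both for values under which the daemon discards or never writes records. Both configuration files are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not from this page or the audit project: a weak auditd.conf
# beside a hardened one, and a lint for the settings under which records are
# lost without anyone noticing. Both configurations are constructed.
set -eu

# Flag auditd.conf settings that lose records silently. $1 is the file;
# prints one finding per line and returns 1 if there were any.
check_auditd_conf() {
    awk -F= '
    /^[[:space:]]*(#|$)/ { next }
    {
        k = $1; v = $2
        gsub(/[[:space:]]/, "", k)
        sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
        cfg[tolower(k)] = toupper(v)
    }
    function bad(msg) { print msg; n++ }
    END {
        if (cfg["log_format"] == "NOLOG")
            bad("log_format=NOLOG: nothing is written; use RAW or ENRICHED")
        a = cfg["max_log_file_action"]
        if (a == "" || a == "IGNORE" || a == "SUSPEND")
            bad("max_log_file_action=" (a == "" ? "(unset)" : a) ": set ROTATE or KEEP_LOGS so reaching max_log_file does not stop logging")
        if (cfg["space_left_action"] == "IGNORE")
            bad("space_left_action=IGNORE: the low-space warning is never raised")
        if (cfg["space_left_action"] == "EMAIL" && cfg["action_mail_acct"] == "")
            bad("space_left_action=EMAIL without action_mail_acct: nobody is notified")
        a = cfg["admin_space_left_action"]
        if (a == "IGNORE" || a == "SYSLOG")
            bad("admin_space_left_action=" a ": only a message is logged; writing continues until the disk is full")
        a = cfg["disk_full_action"]
        if (a == "IGNORE" || a == "SYSLOG")
            bad("disk_full_action=" a ": records are dropped once the disk is full")
        exit (n > 0)
    }' "$1"
}

# Weak: every failure mode falls back to "keep going and lose records".
weak_auditd_conf() {
cat <<'EOF'
log_file = /var/log/audit/audit.log
log_format = NOLOG
max_log_file = 8
max_log_file_action = IGNORE
space_left_action = ignore
admin_space_left_action = syslog
disk_full_action = ignore
EOF
}

# Hardened: rotate on size, warn early, stop writing when nearly full, and
# halt rather than run unaudited (use suspend if availability matters more).
hardened_auditd_conf() {
cat <<'EOF'
log_file = /var/log/audit/audit.log
log_format = ENRICHED
max_log_file = 8
max_log_file_action = ROTATE
num_logs = 5
space_left = 75
space_left_action = email
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = suspend
disk_full_action = halt
EOF
}

# Stand-alone run: lint both variants.
for variant in weak hardened; do
    f=$(mktemp)
    "${variant}_auditd_conf" > "$f"
    echo "== $variant"
    check_auditd_conf "$f" || true
    rm -f "$f"
done
```

Point check_auditd_conf at /etc/audit/auditd.conf to lint a live host; the weak sample produces five findings and the hardened one none.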
/etc/audit/rules.d/audit.rules
# Delete all existing rules
-D
# Kernel backlog (events queued before auditd reads them); raise on busy hosts
-b 8192
# Failure mode when the kernel cannot log (0=silent, 1=printk, 2=panic)
-f 1
# Watch critical files
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/sudoers -p wa -k sudoers_changes
# Make rules immutable (cannot be changed until reboot). Keep it last: once it
# is processed no further rule can be added, so anything placed after it fails
# to load (augenrules sorts it to the end of the merged file; auditctl -R does not)
-e 2
Tips
- Use meaningful keys (-k) for easier searching later
- Test rules with auditctl before adding to permanent config
- Monitor audit log size and let auditd rotate it (max_log_file_action = ROTATE with num_logs); never truncate a live audit.log, which destroys evidence
- Use -i flag with ausearch for human-readable output
- Filter by failed operations (-sv no) to find security issues
- Regularly review audit logs with aureport
- Set appropriate disk space limits to prevent log overflow
- Use immutable rules (-e 2) in production; once set, rules cannot be changed or auditing disabled (auditctl -e 0 is refused) until the next boot, so change the rule files and reboot
- Watch executable directories to detect unauthorized binaries
- Monitor sudo/su usage to track privilege escalation
- Combine file watches with syscall rules for comprehensive monitoring
- Use keys to categorize events for easier analysis
- Check that auditing is actually running: auditctl -s reports enabled=1 and a lost counter of events the kernel dropped; a growing lost count means the backlog (-b) is too small
- Use ausearch with time ranges for forensic investigations
- Archive old audit logs for compliance requirements