
# Linux Command: auditd

* * *

auditd is the audit daemon on Linux systems and the userspace core of the Linux audit framework. The kernel generates the audit events; auditd receives them over a netlink socket and writes them to disk. What gets recorded is governed by the rules loaded into the kernel, and typically covers:

* File and directory access
* System calls
* User login/logout
* Privileged command execution
* System configuration changes

These audit logs are essential for security monitoring, compliance checks, and troubleshooting.

* * *

## auditd Core Components

### auditd Daemon

A continuously running daemon that receives audit events from the kernel and writes them to the log.

### auditctl Tool

A command-line tool for loading audit rules into the kernel and controlling the audit system.

### ausearch Tool

A command-line tool for querying audit logs.

### aureport Tool

Generates summary reports from audit logs.

* * *

## auditd Installation and Startup

### Installing auditd

On most Linux distributions auditd is pre-installed. If you need to install it manually:

```bash
# Ubuntu/Debian
sudo apt-get install auditd

# CentOS/RHEL
sudo yum install audit
```

### Starting and Enabling the auditd Service

```bash
# Start the service
sudo systemctl start auditd

# Enable at boot
sudo systemctl enable auditd

# Check service status
sudo systemctl status auditd
```

* * *

## auditd Configuration File

The main configuration file is `/etc/audit/auditd.conf`. Its most important parameters:

| Parameter | Description | Default Value |
| --- | --- | --- |
| `log_file` | Audit log file path | `/var/log/audit/audit.log` |
| `max_log_file` | Maximum size per log file (MB) | `8` |
| `num_logs` | Number of log files to keep | `5` |
| `max_log_file_action` | What to do when `max_log_file` is reached | `ROTATE` |
| `flush` | Log write method | `INCREMENTAL_ASYNC` (`INCREMENTAL` on older releases) |
| `freq` | Records written between syncs when `flush` is `INCREMENTAL` or `INCREMENTAL_ASYNC` | `50` (`20` on older releases) |

After modifying the configuration, restart the service:

```bash
sudo systemctl restart auditd
```

On RHEL/CentOS the unit file sets `RefuseManualStop=yes`, so `systemctl restart auditd` is refused there; use `sudo service auditd restart` instead, which calls the legacy action script that the package ships for this purpose.

* * *

## auditctl Command Details

`auditctl` is the main tool for configuring audit rules.

### Basic Syntax

```bash
auditctl [options]
```

### Common Options

| Option | Description |
| --- | --- |
| `-l` | List all current rules |
| `-D` | Delete all rules |
| `-s` | Show audit system status |
| `-R <file>` | Load rules from file |

### Rule Types

**File System Rules**: monitor file/directory access

```bash
# Record reads, writes, executes and attribute changes of /etc/passwd
auditctl -w /etc/passwd -p rwxa -k passwd_access
```

* `-w`: path to watch
* `-p`: permissions to record (r=read, w=write, x=execute, a=attribute change)
* `-k`: key, a free-form tag used to filter the logs later

**System Call Rules**: monitor specific system calls

```bash
# Record every execution of sudo
auditctl -a always,exit -F arch=b64 -S execve -F path=/usr/bin/sudo -k sudo_cmds
```

* `-a`: action and list (`always,exit` means record at system call exit)
* `-F`: filter condition
* `-S`: system call name

Syscall rules are per ABI: `arch=b64` matches 64-bit calls only, so on a system that can run 32-bit binaries add a matching rule with `-F arch=b32`, otherwise a 32-bit build of the same program slips past the rule.

**User Rules**: monitor the behaviour of particular users

```bash
# Record file deletion and renaming by logged-in users with UID 1000 or above
auditctl -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete_files
```

`auid` is the login UID. It is set once at login and survives `su` and `sudo`, so it identifies the person who logged in rather than the current effective user. `4294967295` (unsigned -1) is the "unset" value carried by processes that were never part of a login session, such as daemons; excluding it keeps system services out of the report. Older distributions started regular users at UID 500; most current ones use 1000 (`UID_MIN` in `/etc/login.defs`), so match the threshold to your system.

* * *

## Audit Log Analysis

### ausearch Command

Queries the audit logs.

```bash
# Find records with a specific key
ausearch -k passwd_access

# Find records by time
ausearch -ts today
ausearch -ts 10:00:00 -te 11:00:00

# Find records for a specific user (matches uid, euid and auid)
ausearch -ua 1000
```

Add `-i` to any of these to have UIDs, syscall numbers and timestamps translated into readable form.

### aureport Command

Generates summary reports from audit logs.

```bash
# User login report
aureport -l

# File access report
aureport -f

# Summary of all events
aureport --summary
```

* * *

## Practical Application Examples

### Example 1: Monitoring Sensitive Files

```bash
# Record writes and attribute changes to /etc/shadow
auditctl -w /etc/shadow -p wa -k shadow_mod

# View matching records
ausearch -k shadow_mod | less
```

### Example 2: Monitoring User Privilege Escalation

```bash
# Record every execution of sudo or su
auditctl -a always,exit -F arch=b64 -S execve -F path=/usr/bin/sudo -k priv_esc
auditctl -a always,exit -F arch=b64 -S execve -F path=/usr/bin/su -k priv_esc

# Summarise today's privilege escalation events by executable
ausearch -k priv_esc --start today --raw | aureport -x --summary -i
```

The event summary (`aureport -e --summary`) groups by event type, not by key, so grepping it for a key name finds nothing. Feeding the raw output of `ausearch -k` into `aureport` restricts the report to that key; `aureport -k --summary` gives per-key counts across all rules.

### Example 3: Monitoring SSH Login

SSH logins need no `auditctl` rule: sshd reports authentication through PAM, and those results are recorded as `USER_AUTH`, `USER_LOGIN` and `CRED_ACQ` events whenever auditd is running. Watching `execve` of `/usr/sbin/sshd` records only process starts and says nothing about who logged in or whether it succeeded.

```bash
# Successful logins today, with names instead of UIDs
ausearch -m USER_LOGIN --success yes -ts today -i

# Failed login attempts today
ausearch -m USER_LOGIN --success no -ts today -i

# Login summary grouped by user
aureport -l -i --summary
```

`USER_LOGIN` records carry the account name, the source address and `exe=/usr/sbin/sshd`, so SSH logins are easy to pick out from console logins.

* * *

## Best Practices

**Set reasonable log rotation**: keep logs from filling the disk

```
# In /etc/audit/auditd.conf
max_log_file = 50
num_logs = 10
max_log_file_action = ROTATE
```

`space_left_action` and `admin_space_left_action` in the same file decide what happens when the partition itself runs low; the defaults only log a warning.

**Centralize audit rule management**: keep rules in files

```
# /etc/audit/rules.d/my.rules
-w /etc/passwd -p wa -k passwd_changes
-w /etc/group -p wa -k group_changes
```

```bash
# Load the rules
auditctl -R /etc/audit/rules.d/my.rules
```

Rules loaded with `auditctl` on the command line last only until reboot. At startup the service runs `augenrules --load`, which merges every `*.rules` file under `/etc/audit/rules.d/` into `/etc/audit/audit.rules` and loads the result, so anything kept in that directory comes back automatically.

**Regularly review logs**: schedule a job that summarizes them

```
# Generate a daily report and mail it to the administrator
0 0 * * * /usr/sbin/aureport --summary --start yesterday --end now | mail -s "Daily Audit Report" admin@example.com
```

**Protect audit logs**: prevent tampering

```bash
chmod 600 /var/log/audit/audit.log
chown root:root /var/log/audit/audit.log
```

auditd already creates the log with these permissions, and they do not stop an attacker who has root. Two measures go further: end the rules file with `-e 2`, which makes the loaded rules immutable until the next reboot, and forward events to another host with the `audisp-remote` plugin so the local file is not the only copy.

* * *

## Common Troubleshooting

### Problem 1: auditd service fails to start

**Solution**:

1. Check the configuration file: run `auditd -f` to start the daemon in the foreground so configuration errors are printed to the terminal (newer versions also support `auditd -c`, which only checks the configuration and exits)
2. View the system logs: `journalctl -u auditd`

### Problem 2: No audit logs generated

**Solution**:

1. Confirm the service is running: `systemctl status auditd`
2. Check that rules are loaded: `auditctl -l`
3. Check that auditing is enabled: `auditctl -s` should report `enabled 1`; if the kernel lacks audit support, `grep CONFIG_AUDIT= /boot/config-$(uname -r)` will not show `CONFIG_AUDIT=y`

### Problem 3: Log files too large

**Solution**:

1. Adjust log size and count: change `max_log_file` and `num_logs` in `/etc/audit/auditd.conf`, and keep `max_log_file_action` at `ROTATE` (the default) rather than `KEEP_LOGS`
2. Tighten the rules: broad syscall rules (`-S all`, or a watch on a busy directory) produce far more volume than targeted ones; auditd has no built-in compression option, so compress rotated files with an external job if you need to keep them longer

* * *

## Summary

auditd is a powerful auditing tool on Linux systems. With proper configuration it can:

* Monitor access to critical files and directories
* Track the use of privileged commands
* Record user logins and system activities
* Meet compliance requirements

Mastering auditd is essential for system administrators and security professionals; it helps you understand and protect your Linux systems.
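The rule types under `auditctl` and the rules-file practice above, as an added example that is not code from this page or from the audit project: a script that builds a rules file for `/etc/audit/rules.d/` from the watch, syscall and user rules discussed, and lints it for two mistakes that `auditctl` either only warns about or silently accepts (a syscall rule without `-F arch=`, and any rule without a `-k` key). It assumes the regular-user threshold can be read from `UID_MIN` in a `login.defs` file (falling back to 1000) and that `sudo` and `su` live in `/usr/bin`; the `login.defs` fragment it reads is constructed here, not taken from a real host.

```bash
#!/usr/bin/env bash
# Added example (not from the page or the audit project): build a rules file for
# /etc/audit/rules.d/ and lint it. Assumptions: UID_MIN comes from a login.defs
# file (1000 if absent); sudo and su are at /usr/bin/sudo and /usr/bin/su.
set -euo pipefail

# uid_min LOGIN_DEFS -> first UID for regular users, 1000 when the file has none
uid_min() {
  local v
  v=$(awk '$1 == "UID_MIN" { print $2; exit }' "$1" 2>/dev/null || true)
  printf '%s\n' "${v:-1000}"
}

# build_rules UID_MIN -> rules file content on stdout
build_rules() {
  local min="$1"
  cat <<EOF
## Start from an empty rule set and enlarge the kernel backlog
-D
-b 8192
## Identity and privilege configuration files
-w /etc/passwd -p wa -k passwd_changes
-w /etc/group -p wa -k group_changes
-w /etc/shadow -p wa -k shadow_mod
-w /etc/sudoers -p wa -k sudoers_mod
-w /etc/sudoers.d/ -p wa -k sudoers_mod
## Privilege escalation: one rule per ABI, otherwise 32-bit binaries are missed
-a always,exit -F arch=b64 -S execve -F path=/usr/bin/sudo -k priv_esc
-a always,exit -F arch=b32 -S execve -F path=/usr/bin/sudo -k priv_esc
-a always,exit -F arch=b64 -S execve -F path=/usr/bin/su -k priv_esc
-a always,exit -F arch=b32 -S execve -F path=/usr/bin/su -k priv_esc
## Deletions by logged-in regular users: auid set (not 4294967295) and >= UID_MIN
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=${min} -F auid!=4294967295 -k delete_files
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=${min} -F auid!=4294967295 -k delete_files
## Lock the configuration; undoing this requires a reboot
-e 2
EOF
}

# lint_rules FILE -> prints each problem found, returns 1 if there were any
lint_rules() {
  local rc=0 line
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*|-D|'-b '*|'-e '*) continue ;;   # comments and control lines carry no key
    esac
    case "$line" in
      *' -k '*) ;;
      *) printf 'missing -k key: %s\n' "$line"; rc=1 ;;
    esac
    case "$line" in
      '-a '*)
        case "$line" in
          *'-F arch='*) ;;
          *) printf 'syscall rule without -F arch: %s\n' "$line"; rc=1 ;;
        esac ;;
    esac
  done < "$1"
  return "$rc"
}

# Constructed inputs (not from a real host): a login.defs fragment and the
# generated rules file, written to a temporary directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'UID_MIN\t\t1000\nUID_MAX\t\t60000\n' > "$WORK/login.defs"
build_rules "$(uid_min "$WORK/login.defs")" > "$WORK/50-custom.rules"
lint_rules "$WORK/50-custom.rules" && echo "rules file OK: $WORK/50-custom.rules"

# A deliberately bad rule (no arch, no key); lint_rules reports both problems
printf '%s\n' '-a always,exit -S execve' > "$WORK/bad.rules"
lint_rules "$WORK/bad.rules" || echo "bad.rules rejected as expected"
```

Copy the generated file to `/etc/audit/rules.d/50-custom.rules` and run `augenrules --load` to activate it. Because the file ends with `-e 2`, test it first on a host you can reboot: once loaded, `auditctl -D` and any further rule changes are refused until the next boot.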
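The log analysis section and Example 2 above, as an added example that is not code from this page or from the audit project: a script that correlates raw `audit.log` records by event id (the number after the timestamp in `msg=audit(TIME:ID)`) and reports who ran what under a given `-k` key. This is what `ausearch -k` does internally; doing it by hand shows how the `SYSCALL` and `EXECVE` records of one event belong together, why `auid` rather than `uid` names the responsible person, and why an unset `auid` on a `sudo` execution is worth an alert. It assumes the default raw log format; the records it parses are constructed for the example, not captured from a real host.

```bash
#!/usr/bin/env bash
# Added example (not from the page or the audit project): correlate raw audit.log
# records by event id and summarise the events carrying a given -k key.
# Assumption: the default raw log format. The sample records are constructed.
set -euo pipefail

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=59 success=yes exit=0 a0=55d1e2b3c4d0 a1=55d1e2b3c600 a2=55d1e2b3c800 a3=0 items=2 ppid=1234 pid=1235 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="priv_esc"
type=EXECVE msg=audit(1700000000.123:501): argc=3 a0="sudo" a1="cat" a2="/etc/shadow"
type=CWD msg=audit(1700000000.123:501): cwd="/home/alice"
type=PATH msg=audit(1700000000.123:501): item=0 name="/usr/bin/sudo" inode=131083 dev=fd:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.456:502): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=2000 pid=2001 auid=1001 uid=1001 gid=1001 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="su" exe="/usr/bin/su" key="priv_esc"
type=EXECVE msg=audit(1700000000.456:502): argc=2 a0="su" a1="-"
type=SYSCALL msg=audit(1700000001.000:503): arch=c000003e syscall=87 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=1235 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="delete_files"
type=EXECVE msg=audit(1700000001.000:503): argc=2 a0="rm" a1="/tmp/secret.txt"
type=PATH msg=audit(1700000001.000:503): item=1 name="/tmp/secret.txt" inode=262145 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1700000002.000:504): arch=c000003e syscall=59 success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=0 ppid=3000 pid=3001 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" key="priv_esc"
EOF

# report_key LOGFILE KEY -> one line per SYSCALL record tagged with KEY:
#   event=ID auid=LOGIN_UID exe=PATH success=yes|no cmd=ARGV
# argv comes from the EXECVE record of the same event; when an event has none
# (as in 504, where the exec failed) the comm field of the SYSCALL record is used.
report_key() {
  awk -v key="$2" '
    # event id: the digits between ":" and ")" in the msg=audit(...) field
    { if (!match($2, /:[0-9]+\)/)) next; id = substr($2, RSTART + 1, RLENGTH - 2) }
    $1 == "type=SYSCALL" {
      for (i = 3; i <= NF; i++) {
        n = index($i, "="); if (n == 0) continue
        k = substr($i, 1, n - 1); v = substr($i, n + 1); gsub(/"/, "", v)
        f[id, k] = v
      }
      if (f[id, "key"] == key) order[++cnt] = id
    }
    $1 == "type=EXECVE" {
      # a0..aN are the argv words; join them in order
      cmd = ""
      for (i = 3; i <= NF; i++) {
        n = index($i, "="); k = substr($i, 1, n - 1); v = substr($i, n + 1); gsub(/"/, "", v)
        if (k ~ /^a[0-9]+$/) cmd = (cmd == "" ? v : cmd " " v)
      }
      argv[id] = cmd
    }
    END {
      for (j = 1; j <= cnt; j++) {
        id = order[j]
        a = f[id, "auid"]
        if (a == "4294967295") a = "unset"   # no login session behind this process
        c = (id in argv) ? argv[id] : f[id, "comm"]
        printf "event=%s auid=%s exe=%s success=%s cmd=%s\n", id, a, f[id, "exe"], f[id, "success"], c
      }
    }' "$1"
}

# count_key LOGFILE KEY -> number of events tagged with KEY (0 when there are none)
count_key() { report_key "$1" "$2" | wc -l | tr -d ' '; }

# failed_key LOGFILE KEY -> only the events whose system call failed
failed_key() { report_key "$1" "$2" | grep 'success=no' || true; }

# no_session_key LOGFILE KEY -> events from processes with no login session.
# sudo or su run from such a process is a service or a web shell, not an admin.
no_session_key() { report_key "$1" "$2" | grep 'auid=unset' || true; }

report_key "$SAMPLE_LOG" priv_esc
```

Run against a real log with `report_key /var/log/audit/audit.log priv_esc` (as root). Event 504 is the one to look at: `uid=33` with `auid=unset` means a process with no login session behind it, in this sample a web server account, attempted to run `sudo`; `ausearch -k priv_esc -ua 33` or `no_session_key` pulls such events out of the noise of ordinary administrator activity.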