# Linux Command: auditd
* * *
auditd is the audit daemon on Linux systems, and it is the core component of the Linux audit framework. The main function of auditd is to monitor and record system activities, including:
* File and directory access
* System calls
* User login/logout
* Privileged command execution
* System configuration changes
These audit logs are very important for system security monitoring, compliance checking, and troubleshooting.
* * *
## auditd Core Components
### auditd Daemon
A continuously running daemon responsible for collecting and storing audit events.
### auditctl Tool
A command-line tool used to configure audit rules and control the audit system.
### ausearch Tool
A command-line tool used to query audit logs.
### aureport Tool
Generates summary reports of audit logs.
* * *
## auditd Installation and Startup
### Installing auditd
On most Linux distributions, auditd is usually pre-installed. If manual installation is needed:
```bash
# Ubuntu/Debian
sudo apt-get install auditd
# CentOS/RHEL
sudo yum install audit
```
### Starting and Enabling auditd Service
```bash
# Start the service
sudo systemctl start auditd
# Enable at boot
sudo systemctl enable auditd
# Check service status
sudo systemctl status auditd
```
* * *
## auditd Configuration File
The main configuration file for auditd is located at `/etc/audit/auditd.conf`, and contains the following important parameters:
| Parameter | Description | Default Value |
| --- | --- | --- |
| `log_file` | Audit log file path | `/var/log/audit/audit.log` |
| `max_log_file` | Maximum size per log file (MB) | `8` |
| `num_logs` | Number of log files to keep | `5` |
| `flush` | Log write method | `INCREMENTAL` |
| `freq` | Number of records written between disk syncs when `flush=INCREMENTAL` | `20` |
After modifying the configuration, you need to restart the service:
```bash
sudo systemctl restart auditd
```
* * *
## auditctl Command Details
`auditctl` is the main tool for configuring audit rules.
### Basic Syntax
```bash
auditctl [options]
```
### Common Options
| Option | Description |
| --- | --- |
| `-l` | List all current rules |
| `-D` | Delete all rules |
| `-s` | Show audit system status |
| `-R <file>` | Load rules from file |
### Rule Types
**File System Rules**: Monitor file/directory access
```bash
# Monitor reads, writes, executes and attribute changes on /etc/passwd
auditctl -w /etc/passwd -p rwxa -k passwd_access
```
* `-w`: Watch path
* `-p`: Permissions (r=read, w=write, x=execute, a=attribute change)
* `-k`: Keyword (used for log filtering)
**System Call Rules**: Monitor specific system calls
```bash
# Monitor all commands run through sudo
auditctl -a always,exit -F arch=b64 -S execve -F path=/usr/bin/sudo -k sudo_cmds
```
* `-a`: Action and list (always,exit means to record on system call exit)
* `-F`: Filter condition
* `-S`: System call name
**User Rules**: Monitor specific user behavior
```bash
# Monitor file deletion and renaming by users whose login UID is 500 or higher
# (auid 4294967295 is the "unset" value for processes with no login UID)
auditctl -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete_files
```
* * *
## Audit Log Analysis
### ausearch Command
Used to query audit logs.
```bash
# Find records with a specific key
ausearch -k passwd_access
# Find records for a specific time or time range
ausearch -ts today
ausearch -ts 10:00:00 -te 11:00:00
# Find records for a specific user
ausearch -ua 1000
```
### aureport Command
Generates summary reports of audit logs.
```bash
# Generate user login report
aureport -l
# Generate file access report
aureport -f
# Generate summary report of all events
aureport --summary
```
* * *
## Practical Application Examples
### Example 1: Monitoring Sensitive Files
```bash
# Watch /etc/shadow for writes and attribute changes
auditctl -w /etc/shadow -p wa -k shadow_mod
# View related records
ausearch -k shadow_mod | less
```
### Example 2: Monitoring User Privilege Escalation
```bash
# Monitor all commands run through sudo or su
auditctl -a always,exit -F arch=b64 -S execve -F path=/usr/bin/sudo -k priv_esc
auditctl -a always,exit -F arch=b64 -S execve -F path=/usr/bin/su -k priv_esc
# Count today's events per rule key and pick out the priv_esc key
aureport --start today -k --summary -i | grep priv_esc
```
### Example 3: Monitoring SSH Login
```bash
# Record every execution of the sshd binary
auditctl -a always,exit -F arch=b64 -S execve -F path=/usr/sbin/sshd -k sshd_login
# View SSH login records: successes and failures are logged through PAM as
# USER_LOGIN events, which carry the acct= and res= fields (the execve rule above does not)
ausearch -m USER_LOGIN -i | grep 'acct="user"' | grep 'res=success'
```
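Added example (not from the original page): a POSIX shell script that pulls the same facts out of raw `audit.log` records that the ausearch and aureport commands above report, a per-key event count like `aureport -k --summary`, failed SSH logins from USER_LOGIN records, and denied sudo/su executions under the priv_esc key. The records are constructed samples in audit.log format and the function names are my own.

```shell
# Added example: offline parsing of audit.log records with POSIX shell tools.
# Field names (type, auid, exe, key, acct, addr, res) are those auditd writes.

# Constructed sample records in audit.log format (not a real capture).
sample_log() {
  cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 auid=1000 uid=1000 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="priv_esc"
type=SYSCALL msg=audit(1700000000.305:202): arch=c000003e syscall=257 success=yes exit=3 ppid=1200 pid=1210 auid=1000 uid=1000 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="shadow_mod"
type=SYSCALL msg=audit(1700000000.410:203): arch=c000003e syscall=59 success=no exit=-13 ppid=1300 pid=1301 auid=1001 uid=1001 tty=pts1 ses=4 comm="sudo" exe="/usr/bin/sudo" key="priv_esc"
type=USER_LOGIN msg=audit(1700000000.500:204): pid=900 uid=0 auid=4294967295 ses=4294967295 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1700000000.600:205): pid=901 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.77 terminal=ssh res=failed'
EOF
}

# audit_field NAME RECORD: print NAME's value from one record, quotes stripped.
audit_field() {
  printf '%s\n' "$2" | sed -n "s/.*[ (']$1=\"\{0,1\}\([^\" ']*\).*/\1/p"
}

# Count records per rule key, as `aureport -k --summary` does.
key_summary() {
  awk 'match($0, / key="[^"]*"/) { n[substr($0, RSTART + 6, RLENGTH - 7)]++ }
       END { for (k in n) printf "%s %d\n", k, n[k] }' | LC_ALL=C sort
}

# Failed logins: USER_LOGIN records with res=failed, printed as "account address".
failed_logins() {
  while IFS= read -r rec; do
    case $rec in
      'type=USER_LOGIN '*'res=failed'*)
        printf '%s %s\n' "$(audit_field acct "$rec")" "$(audit_field addr "$rec")" ;;
    esac
  done
}

# Denied privilege escalation: priv_esc records where the execve itself failed.
denied_priv_esc() {
  while IFS= read -r rec; do
    case $rec in
      *' success=no '*'key="priv_esc"')
        printf 'auid=%s exe=%s\n' "$(audit_field auid "$rec")" "$(audit_field exe "$rec")" ;;
    esac
  done
}

echo "== events per key =="; sample_log | key_summary
echo "== failed ssh logins =="; sample_log | failed_logins
echo "== denied sudo/su =="; sample_log | denied_priv_esc
```

On a live system, replace `sample_log` with `ausearch --raw -ts today` (or `cat /var/log/audit/audit.log`) to feed real records through the same functions.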
* * *
## Best Practices
**Set reasonable log rotation**: Ensure logs don't fill up the disk
```
# In /etc/audit/auditd.conf
max_log_file = 50
num_logs = 10
```
**Centralize audit rule management**: Save rules in files
```
# /etc/audit/rules.d/my.rules
-w /etc/passwd -p wa -k passwd_changes
-w /etc/group -p wa -k group_changes
```
```bash
# Load the rules file now (files under /etc/audit/rules.d/ are also merged by augenrules when the service starts)
auditctl -R /etc/audit/rules.d/my.rules
```
**Regularly review logs**: Set up cron tasks to regularly analyze logs
```bash
# crontab entry: generate a daily report at midnight and mail it to the administrator
0 0 * * * /usr/sbin/aureport --summary --start yesterday --end now | mail -s "Daily Audit Report" admin@example.com
```
**Protect audit logs**: Prevent logs from being tampered with
```bash
chmod 600 /var/log/audit/audit.log
chown root:root /var/log/audit/audit.log
```
* * *
## Common Troubleshooting
### Problem 1: auditd service fails to start
**Solution**:
1. Check the configuration by running the daemon in the foreground, where parse errors are printed to the terminal (stop the service first): `auditd -f`
2. View system logs: `journalctl -u auditd`
### Problem 2: No audit logs generated
**Solution**:
1. Confirm service is running: `systemctl status auditd`
2. Check if rules are loaded: `auditctl -l`
3. Verify kernel support: `grep CONFIG_AUDIT /boot/config-$(uname -r)`
### Problem 3: Log files too large
**Solution**:
1. Adjust log size and number: Modify `max_log_file` and `num_logs` in `/etc/audit/auditd.conf`
2. Rotate rather than grow: set `max_log_file_action = ROTATE` in the configuration file (auditd.conf has no compression option; compress rotated logs with an external job if needed)
* * *
## Summary
auditd is a powerful auditing tool on Linux systems. With proper configuration, it can:
* Monitor access to critical files and directories
* Track the use of privileged commands
* Record user logins and system activities
* Meet compliance requirements
Mastering the use of auditd is essential for system administrators and security professionals. It can help you better understand and protect your Linux system.