2. 2 / 8
System auditing with audit
● Audit is the user-space component of the Linux auditing
subsystem.
● Audit messages sent by the kernel will be collected in the log
file configured for audit (normally /var/log/audit/audit.log)
● Type of auditing
– Authentication/authorization messages (users logging in,
sudo being used)
– SELinux
– Administrators can add auditing rules on any system call.
3. 3 / 8
How to use it?
● Audit is service
● Command line using the auditctl tool.
● Viewing Audit Rules “auditctl -l”
● Current status of the audit system “auditctl -s”
● Adding Audit Rules:
– Using the command line tool auditctl
– Permanent, you need to add them to the file
/etc/audit/rules.d/audit.rules.
● Type Rules:
– Control Rules.
– System Call Rules
– Filesystem Rules “watch rule”
4. 4 / 8
Add Watch Rules
● Watches can be set on files and directories.
● Trigger on certain types of access (read, write, attribute
change, and execute).
● How to write auditctl command?
$ auditctl -w path_to_directory/file -p permissions -k
key_name
– W: watch
– Permissions: one or a combination of r(read), w(write),
x(execute), and a(attribute change).
– key_name: an optional string that helps you identify
which rule(s).
5. 5 / 8
Example of auditctl command
● Add rule
– auditctl -w /etc/hosts -p rw -k hosts_change
– auditctl -w /share -p rwa -k share-access
– Auditctl -w /usr/bin/passwd -p x -k change_passwd
● Remove rule
– Watch rules can be removed by using the -W option
instead of -w with the original
– To remove all rules, use the auditctl -D command.
6. 6 / 8
Persistent rules
● Write file /etc/audit/rules.d/audit.rules.
● Same contains auditctl commands but without the
auditctl command itself in front.
● Activate all rules from /etc/audit/rules.d/audit.rules
“auditctl -R <filename>”
8. 8 / 8
References
● For more information on auditd, see the auditd(8)
auditctl(8), and ausearch(8) man pages.
● https://access.redhat.com/documentation/en-us/red_hat_
● https://www.digitalocean.com/community/tutorials/how-to-
