
Introduction to Auditd
Keeping track of what happens on your Linux system is crucial, especially for security and compliance. Linux provides a powerful tool called Auditd (Audit Daemon) to log important system events, including file modifications, user actions, and system calls. In this guide, we will walk you through enabling and configuring audit logs on your Linux system in simple terms.
Step 1: Install Auditd
Most modern Linux distributions come with Auditd pre-installed. To check if it's installed, run:
[root@siddhesh ~]# systemctl status auditd
If it's not installed, you can install it using:
Debian/Ubuntu:
# apt install auditd -y
RHEL/CentOS:
# yum install audit -y
Step 2: Enable and Start Auditd
To ensure Auditd runs at startup, enable and start the service:
[root@siddhesh ~]# systemctl enable --now auditd
This command enables Auditd permanently and starts it immediately.
Step 3: Configure Audit Rules
Audit rules define which events to log. They are stored in /etc/audit/rules.d/audit.rules.
Example: Track File Deletions
To log file changes and deletions in the /opt/builddevops directory, add the following rule:
-w /opt/builddevops -p wa -k file_deletion
This means:
-w /opt/builddevops → Watch this directory.
-p wa → Log write (w) and attribute change (a) operations.
-k file_deletion → Assign a key named "file_deletion" for easy searching.
To track file rename and delete system calls, add:
-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=file_deletion
Explanation:
-a always,exit → Always log these events at system call exit, so the result (success or failure) is recorded.
-F arch=b64 → Apply to 64-bit architecture.
-S rename,unlink,unlinkat,renameat → Track these system calls.
-F auid>=1000 → Only log actions by real users (login UIDs of 1000 and above, not system accounts).
-F auid!=-1 → Ignore processes with no login UID set, i.e. daemons and other processes not started from a user session.
-F key=file_deletion → Assign a key for easy searching.
Save and Reload Rules
After adding rules, save the file and reload Auditd:
[root@siddhesh ~]# auditctl -R /etc/audit/rules.d/audit.rules
To check active rules:
[root@siddhesh ~]# auditctl -l
-w /opt/builddevops -p wa -k file_deletion
-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=file_deletion
[root@siddhesh ~]#
Step 4: Viewing Audit Logs
To view audit logs, use:
[root@siddhesh ~]# ausearch -k file_deletion
time->Wed Mar 5 17:53:06 2025
type=PROCTITLE msg=audit(1741177386.724:24023): proctitle=746F756368002F6F70742F706F776572696E626F782F73696464686573682E747874
type=PATH msg=audit(1741177386.724:24023): item=1 name="/opt/builddevops/siddhesh.txt" inode=10225414 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unlabeled nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1741177386.724:24023): item=0 name="/opt/builddevops/" inode=10225241 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unlabeled nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1741177386.724:24023): cwd="/root"
type=SYSCALL msg=audit(1741177386.724:24023): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd9e6031f1 a2=941 a3=1b6 items=2 ppid=1763224 pid=1763336 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=216 comm="touch" exe="/usr/bin/touch" subj=kernel key="file_deletion"
[root@siddhesh ~]#
This audit log entry shows that the touch command was used to create the file /opt/builddevops/siddhesh.txt by a user with auid=1002 (the login UID, i.e. the account that originally logged in) while running as root (uid=0). The operation was successful (success=yes) and triggered an audit rule with the key "file_deletion". Because syscall=257 is openat, which is not in the -S list of the syscall rule, this event was produced by the directory watch rule (-w ... -p wa).
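Reading multi-record events like the one above by eye does not scale, so here is a small Python parser added as an example (it is not part of the original post and not an auditd tool). It groups raw records by their serial number, decodes the hex-encoded PROCTITLE, maps the x86_64 syscall numbers used by the rule above to names, and flags events that failed or whose uid differs from the login uid (auid). The sample records are constructed to match the record format shown above: serials, inodes and PIDs are made up, the second event is an invented failed rm by the same login user, and the syscall table assumes arch=c000003e (x86_64) records only.

```python
import re
from collections import defaultdict

# Constructed sample in raw audit.log / ausearch record format. Event 24023
# mirrors the page's "touch" record; event 24030 is a made-up failed "rm"
# (unlink, syscall 87 on x86_64) by the same login user without root.
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(1741177386.724:24023): proctitle=746F756368002F6F70742F6275696C646465766F70732F73696464686573682E747874
type=PATH msg=audit(1741177386.724:24023): item=1 name="/opt/builddevops/siddhesh.txt" inode=10225414 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1741177386.724:24023): item=0 name="/opt/builddevops/" inode=10225241 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1741177386.724:24023): cwd="/root"
type=SYSCALL msg=audit(1741177386.724:24023): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd9e6031f1 a2=941 a3=1b6 items=2 ppid=1763224 pid=1763336 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=216 comm="touch" exe="/usr/bin/touch" subj=kernel key="file_deletion"
type=PROCTITLE msg=audit(1741177401.118:24030): proctitle=726D002F6F70742F6275696C646465766F70732F73696464686573682E747874
type=PATH msg=audit(1741177401.118:24030): item=1 name="/opt/builddevops/siddhesh.txt" inode=10225414 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1741177401.118:24030): item=0 name="/opt/builddevops/" inode=10225241 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1741177401.118:24030): cwd="/home/siddhesh"
type=SYSCALL msg=audit(1741177401.118:24030): arch=c000003e syscall=87 success=no exit=-13 a0=7ffd9e603200 a1=0 a2=0 a3=0 items=2 ppid=1763224 pid=1763402 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts0 ses=216 comm="rm" exe="/usr/bin/rm" subj=kernel key="file_deletion"
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# x86_64 numbers for the syscalls in the page's rule plus openat (assumption: only arch=c000003e records)
SYSCALL_NAMES = {82: "rename", 87: "unlink", 257: "openat", 263: "unlinkat", 264: "renameat"}
AUID_UNSET = 4294967295  # how raw logs show auid=-1 (process has no login session)


def unq(v):
    """Strip the double quotes audit puts around string-valued fields."""
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v


def decode_proctitle(raw):
    """Raw PROCTITLE is hex of argv joined by NUL bytes; short titles are logged quoted."""
    if raw.startswith('"'):
        return unq(raw)
    if len(raw) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in raw):
        return bytes.fromhex(raw).replace(b"\x00", b" ").decode("utf-8", "replace")
    return raw


def parse_events(text):
    """Group records by serial number so each syscall becomes one event dict."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # blank lines and ausearch's "time->" / "----" separators
        ev = events[int(m["serial"])]
        ev["serial"], ev["time"] = int(m["serial"]), float(m["ts"])
        f = dict(FIELD_RE.findall(m["body"]))
        if m["type"] == "SYSCALL":
            nr = int(f["syscall"])
            ev["syscall"] = SYSCALL_NAMES.get(nr, f"syscall_{nr}")
            ev["success"] = f["success"] == "yes"
            ev["exit"] = int(f["exit"])  # fd/0 on success, -errno on failure
            ev["auid"], ev["uid"] = int(f["auid"]), int(f["uid"])
            ev["comm"], ev["exe"] = unq(f["comm"]), unq(f["exe"])
            ev["key"] = unq(f.get("key", '""'))
        elif m["type"] == "PATH":
            ev["paths"].append((unq(f["name"]), f.get("nametype", "?")))
        elif m["type"] == "CWD":
            ev["cwd"] = unq(f["cwd"])
        elif m["type"] == "PROCTITLE":
            ev["proctitle"] = decode_proctitle(f["proctitle"])
    return [events[s] for s in sorted(events)]


def summarize(events, key="file_deletion"):
    """One row per event carrying the key, with the fields an analyst checks first."""
    rows = []
    for ev in events:
        if ev.get("key") != key:
            continue
        target = next((p for p, t in ev["paths"] if t != "PARENT"), None)
        rows.append({
            "serial": ev["serial"],
            "login_uid": None if ev["auid"] == AUID_UNSET else ev["auid"],
            "uid_differs_from_login": ev["uid"] != ev["auid"],  # e.g. root via sudo/su
            "action": ev["syscall"],
            "target": target,
            "success": ev["success"],
            "errno": 0 if ev["success"] else -ev["exit"],
            "cmdline": ev.get("proctitle"),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(parse_events(SAMPLE_LOG)):
        print(row)
```

Run it against a real capture with `ausearch -k file_deletion > events.txt` and feed the file contents to parse_events; keep the raw (non -i) output, since the parser decodes PROCTITLE and syscall numbers itself. The uid_differs_from_login flag is the same observation the page makes about auid=1002 versus uid=0, and errno=13 (EACCES) on the second event shows that failed attempts are logged too because the rule uses always,exit.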
For real-time monitoring:
[root@siddhesh ~]# tail -f /var/log/audit/audit.log
Step 5: Securing and Managing Logs
Since audit logs contain sensitive information, limit access:
[root@siddhesh ~]# chmod 600 /var/log/audit/audit.log
You can also set log rotation rules in /etc/audit/auditd.conf:
# Maximum log size in MB
max_log_file = 10
# Number of rotated logs to keep
num_logs = 5
Restart Auditd after making changes:
[root@siddhesh ~]# systemctl restart auditd
Conclusion
Audit logging is a powerful way to track and analyze user and system activities on Linux. By setting up custom audit rules, you can monitor critical files and actions, helping you detect security incidents and comply with regulations.
Start by enabling Auditd today and gain deeper insights into your system's activities!