HxHippy

Linux Audit System (auditd)

Configure the Linux audit framework for security monitoring.

Last updated: 2025-01-15

Linux Audit System

The audit system tracks security-relevant events on Linux systems.

Installation and Setup

# Install auditd
sudo apt install auditd audispd-plugins  # Debian/Ubuntu
sudo dnf install audit                    # RHEL/Fedora

# Enable and start
sudo systemctl enable auditd
sudo systemctl start auditd

Audit Rules

File Monitoring

# /etc/audit/rules.d/50-file-access.rules

# Monitor password files
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity

# Monitor sudoers
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers

# Monitor SSH configuration
-w /etc/ssh/sshd_config -p wa -k sshd

Privileged Commands

# /etc/audit/rules.d/50-privileged.rules

# sudo executions by real users (auid >= 1000, excluding the unset auid 4294967295);
# add one such rule per SUID/SGID binary you want to track
-a always,exit -F perm=x -F auid>=1000 -F auid!=4294967295 \
   -F path=/usr/bin/sudo -k privileged

# Specific critical commands
-a always,exit -F path=/usr/bin/passwd -F perm=x -k privileged
-a always,exit -F path=/usr/sbin/useradd -F perm=x -k privileged
-a always,exit -F path=/usr/sbin/userdel -F perm=x -k privileged

System Calls

# /etc/audit/rules.d/50-syscalls.rules

# Unauthorized file access attempts (denied with EACCES or EPERM);
# on x86_64 hosts add matching arch=b32 rules so 32-bit binaries are covered too
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open -S openat -F exit=-EPERM -k access

# Mount operations
-a always,exit -F arch=b64 -S mount -S umount2 -k mount

# Module loading
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

Apply Rules

# Load rules
sudo augenrules --load

# Check active rules
sudo auditctl -l

# Make rules immutable (no further rule changes until reboot)
# Add "-e 2" as the last line of the last rules file loaded, e.g. /etc/audit/rules.d/99-finalize.rules
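Three mistakes in a rules file weaken the setup above without any error at load time: a rule with no -k key (its events cannot be found with ausearch -k or grouped by aureport), an arch=b64 syscall rule with no arch=b32 twin (32-bit binaries on an x86_64 host bypass it), and -e 2 placed before other rules (once the kernel is immutable every later rule is rejected). The following Python checker is an added example, not part of the original page; SAMPLE_RULES is a constructed rules file with two deliberate problems, and the script can also be pointed at a real file in /etc/audit/rules.d/.

```python
import shlex
import sys

# Constructed sample rules file (not from the page): line 3 has no -k key and
# line 5 is an arch=b64 syscall rule with no arch=b32 counterpart.
SAMPLE_RULES = """\
# Monitor password files
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa
# Module loading and mounts
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b64 -S mount -S umount2 -k mount
-a always,exit -F arch=b32 -S mount -S umount2 -k mount
-e 2
"""


def parse_rule(line):
    """Split one auditctl rule into (option, argument) pairs; every option used here takes one argument."""
    toks = shlex.split(line)
    opts = [(toks[i], toks[i + 1]) for i in range(0, len(toks) - 1, 2)]
    rule = {"raw": line, "opts": opts, "syscalls": [], "fields": []}
    for opt, arg in opts:
        if opt == "-S":
            rule["syscalls"].extend(arg.split(","))   # -S may carry a comma list
        elif opt == "-F":
            rule["fields"].append(arg)
        elif opt == "-k":
            rule["key"] = arg
    return rule


def rule_arch(rule):
    """Return 'b64', 'b32' or None from the rule's -F arch=... field."""
    for f in rule["fields"]:
        if f.startswith("arch="):
            return f[len("arch="):]
    return None


def lint_rules(text):
    """Return a list of findings (one string each) for the three checks described above."""
    findings = []
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append((n, parse_rule(line)))

    # 1. every watch (-w) or syscall (-a) rule needs a -k key
    for n, r in rules:
        if any(opt in ("-w", "-a") for opt, _ in r["opts"]) and "key" not in r:
            findings.append(f"line {n}: rule has no -k key, so ausearch -k cannot find its events: {r['raw']}")

    # 2. each arch=b64 syscall set should also exist as an arch=b32 rule
    b32_sets = {frozenset(r["syscalls"]) for _, r in rules if rule_arch(r) == "b32"}
    for n, r in rules:
        if rule_arch(r) == "b64" and frozenset(r["syscalls"]) not in b32_sets:
            findings.append(f"line {n}: arch=b64 rule for {','.join(r['syscalls'])} has no arch=b32 counterpart")

    # 3. -e 2 must be the last rule, otherwise everything after it is rejected
    for idx, (n, r) in enumerate(rules):
        if ("-e", "2") in r["opts"] and idx != len(rules) - 1:
            findings.append(f"line {n}: -e 2 is followed by {len(rules) - 1 - idx} rule(s) that will be rejected")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for finding in lint_rules(text):
        print(finding)
```

Run it before `augenrules --load`; an empty output means the three checks pass, which is worth confirming on every rules file because auditctl accepts a keyless rule or a b64-only rule without complaint.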

Searching Audit Logs

# Search by key
ausearch -k identity

# Search by time
ausearch -ts today -k identity
ausearch -ts recent

# Search by user
ausearch -ua 1000

# Search by event type
ausearch -m LOGIN

# Generate report
aureport --summary
aureport --auth
aureport --file

Audit Report Examples

# Failed login attempts
aureport --auth --summary

# File access summary
aureport --file --summary

# Privileged command usage (executables)
aureport -x --summary

# User activity
aureport --user --summary
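ausearch and aureport query the raw records in /var/log/audit/audit.log, where one event (a SYSCALL record plus its CWD and PATH records) is tied together by the msg=audit(timestamp:serial) stamp. As an added example that is not part of the original page, this Python parser groups raw records into events, counts them per key the way aureport --summary does, and lists denied attempts with the errno name that ausearch -i would show. SAMPLE_LOG is a constructed sample, not a real capture.

```python
import errno
import re
import sys
from collections import Counter

# Constructed sample records in audit.log format (not a real capture). One event
# spans several records that share the same msg=audit(<timestamp>:<serial>).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1736899200.101:501): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd1c2a3b40 a2=0 a3=0 items=1 ppid=2301 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined key="access"
type=CWD msg=audit(1736899200.101:501): cwd="/home/alice"
type=PATH msg=audit(1736899200.101:501): item=0 name="/etc/shadow" inode=131 dev=fd:00 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1736899260.222:502): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5581a1c0 a2=241 a3=1b6 items=2 ppid=2301 pid=2400 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" subj=unconfined key="identity"
type=CWD msg=audit(1736899260.222:502): cwd="/root"
type=PATH msg=audit(1736899260.222:502): item=0 name="/etc/" inode=2 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1736899260.222:502): item=1 name="/etc/passwd" inode=130 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1736899300.333:503): arch=c000003e syscall=59 success=yes exit=0 a0=5581b2c0 a1=5581b300 a2=5581b400 a3=0 items=2 ppid=2301 pid=2500 auid=1000 uid=1000 gid=1000 euid=0 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" subj=unconfined key="privileged"
type=PATH msg=audit(1736899300.333:503): item=0 name="/usr/bin/sudo" inode=9876 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(body):
    """Split 'k=v k2="quoted v"' into a dict, dropping the surrounding quotes."""
    out = {}
    for k, v in FIELD_RE.findall(body):
        out[k] = v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v
    return out


def parse_events(text):
    """Group raw records into events keyed by (timestamp, serial)."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # tolerate truncated or non-audit lines
        ev = events.setdefault((m["ts"], m["serial"]), {"syscall": None, "paths": []})
        fields = parse_fields(m["body"])
        if m["type"] == "SYSCALL":
            ev["syscall"] = fields
        elif m["type"] == "PATH" and fields.get("nametype") != "PARENT":
            ev["paths"].append(fields.get("name"))  # keep the target, not its parent dir
    return events


def errno_name(exit_value):
    """Map a raw 'exit=-13' to 'EACCES' (what ausearch -i prints); None for non-error exits."""
    code = -int(exit_value)
    return errno.errorcode.get(code, str(exit_value)) if code > 0 else None


def summarize(events):
    """Per-key event counts (like aureport --summary) and the list of denied attempts."""
    by_key = Counter()
    denied = []
    for (ts, serial), ev in sorted(events.items()):
        sc = ev["syscall"]
        if sc is None:
            continue  # PATH/CWD records whose SYSCALL record was lost
        by_key[sc.get("key", "(no key)")] += 1
        if sc.get("success") == "no":
            denied.append({"serial": serial, "auid": sc.get("auid"), "exe": sc.get("exe"),
                           "errno": errno_name(sc.get("exit", "0")), "paths": ev["paths"]})
    return by_key, denied


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    by_key, denied = summarize(parse_events(text))
    for key, n in by_key.most_common():
        print(f"{n:6d}  {key}")
    for d in denied:
        print(f"denied: auid={d['auid']} exe={d['exe']} errno={d['errno']} paths={d['paths']}")
```

Pointing the script at a real audit.log (it needs root to read it) is a quick way to confirm that each key in your rules files actually produces events, and that the auid on denied attempts identifies the logged-in user rather than the uid a process switched to.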

Best Practice Rules

What to Monitor               Priority
/etc/passwd, /etc/shadow      Critical
sudo/su usage                 Critical
SSH config changes            High
System time changes           High
Module loading                High
Failed access attempts        Medium