Linux Audit System
The audit system tracks security-relevant events on Linux systems.
Installation and Setup

```bash
# Install auditd
sudo apt install auditd audispd-plugins   # Debian/Ubuntu
sudo dnf install audit                    # RHEL/Fedora
# Enable and start
sudo systemctl enable auditd
sudo systemctl start auditd
```
Audit Rules

File Monitoring

```
# /etc/audit/rules.d/50-file-access.rules
# Monitor password files (-p wa = writes and attribute changes)
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
# Monitor sudoers
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
# Monitor SSH configuration
-w /etc/ssh/sshd_config -p wa -k sshd
```
Privileged Commands

```
# /etc/audit/rules.d/50-privileged.rules
# Execution of sudo by real users: auid>=1000 skips system accounts and
# auid!=4294967295 skips processes whose login uid is unset (daemons).
# Repeat this form once per SUID/SGID binary to cover all of them.
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
# Specific critical commands
-a always,exit -F path=/usr/bin/passwd -F perm=x -k privileged
-a always,exit -F path=/usr/sbin/useradd -F perm=x -k privileged
-a always,exit -F path=/usr/sbin/userdel -F perm=x -k privileged
```
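The sudo rule above is one instance of the per-binary form; a complete 50-privileged.rules needs one such line for every SUID/SGID executable on the host, and that set changes with package updates. The following POSIX sh functions generate those rules from a filesystem scan. This is an added example, not code from the original page or from the audit project; the function names `gen_privileged_rules` and `count_privileged_rules` are hypothetical, and the rule format is the one the page uses.

```shell
#!/bin/sh
# Added example (not from the original page): emit one "privileged" audit rule per
# SUID/SGID executable found under a directory, in the page's 50-privileged.rules format.
# Function names are hypothetical.
#
# Usage: gen_privileged_rules DIR [KEY]
#   DIR  root to scan (use / on a real host; -xdev keeps find on one filesystem)
#   KEY  rule key, defaults to "privileged"
gen_privileged_rules() {
    dir="$1"
    key="${2:-privileged}"
    # Regular files with the setuid (4000) or setgid (2000) bit set, sorted so the
    # generated file is stable across runs and easy to diff after updates.
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort |
        while IFS= read -r path; do
            # auid>=1000 restricts to real users; 4294967295 (unset auid) excludes daemons.
            printf '%s\n' "-a always,exit -F path=$path -F perm=x -F auid>=1000 -F auid!=4294967295 -k $key"
        done
}

# count_privileged_rules DIR [KEY]: number of rules the scan would produce,
# a quick sanity check before writing the file and running augenrules --load.
count_privileged_rules() {
    gen_privileged_rules "$1" "$2" | wc -l | tr -d ' '
}

# Run directly with a directory argument to print the rules, e.g.
#   sh gen-privileged-rules.sh / > /etc/audit/rules.d/50-privileged.rules
if [ $# -gt 0 ]; then
    gen_privileged_rules "$1" "${2:-privileged}"
fi
```

Regenerate the file after package upgrades (a new SUID binary is exactly the kind of change you want audited) and diff it against the previous version before loading; an unexpected addition is worth a look in its own right.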
System Calls

```
# /etc/audit/rules.d/50-syscalls.rules
# Unauthorized file access attempts (calls denied with EACCES or EPERM)
# On 64-bit hosts add matching -F arch=b32 rules so 32-bit binaries are not missed;
# aarch64 has no open syscall, so list only openat there.
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open -S openat -F exit=-EPERM -k access
# Mount operations
-a always,exit -F arch=b64 -S mount -S umount2 -k mount
# Module loading (finit_module is the call modern modprobe/insmod use)
-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k modules
```
Apply Rules

```bash
# Load rules
sudo augenrules --load
# Check active rules
sudo auditctl -l
# Make rules immutable (requires reboot to change): put "-e 2" as the last line of
# the last-loaded rules file, e.g. /etc/audit/rules.d/99-finalize.rules, because
# no further rules can be added once it takes effect
```
Searching Audit Logs

```bash
# ausearch and aureport read /var/log/audit/audit.log, so run them as root
# Search by key
ausearch -k identity
# Search by time
ausearch -ts today -k identity
ausearch -ts recent
# Search by user (-ua matches uid, euid and auid)
ausearch -ua 1000
# Search by event type
ausearch -m LOGIN
# Generate report
aureport --summary
aureport --auth
aureport --file
```
Audit Report Examples

```bash
# Failed login attempts
aureport --auth --summary --failed
# File access summary
aureport --file --summary
# Executable usage (the option is -x, not --x); narrow to the privileged key with
#   ausearch -k privileged | aureport -x --summary
aureport -x --summary
# User activity
aureport --user --summary
```
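The searches and reports above assume a live host with ausearch and aureport available. During an investigation you often have only a copy of audit.log, so it helps to know the raw record layout: each line is `type=... msg=audit(TIMESTAMP:SERIAL): field=value ...`, and the rule key set with `-k` lands on the SYSCALL record as `key="..."`. The functions below reproduce two of the summaries from this section (per-key counts, and failed syscalls per login uid for the EACCES/EPERM `access` rules) with plain awk over such a file. This is an added example, not code from the page or the audit project; the function names are hypothetical and the sample records are constructed, not real host data.

```shell
#!/bin/sh
# Added example (not from the original page): summarise a raw audit.log copy
# without ausearch/aureport. Function names are hypothetical.

# audit_key_summary FILE: number of SYSCALL records per rule key.
# Assumes one key per rule; records carrying several keys are hex-encoded by the
# kernel and would need decoding first.
audit_key_summary() {
    awk '
        /^type=SYSCALL / && match($0, /key="[^"]*"/) {
            k = substr($0, RSTART + 5, RLENGTH - 6)   # drop the leading key=" and closing quote
            n[k]++
        }
        END { for (k in n) printf "%s %d\n", k, n[k] }
    ' "$1" | sort
}

# audit_failed_by_auid FILE: failed (success=no) syscalls per login uid (auid),
# the raw equivalent of checking who keeps tripping the "access" rules.
audit_failed_by_auid() {
    awk '
        /^type=SYSCALL / && / success=no / && match($0, / auid=[0-9]+/) {
            a = substr($0, RSTART + 6, RLENGTH - 6)   # drop the leading " auid="
            n[a]++
        }
        END { for (a in n) printf "auid=%s %d\n", a, n[a] }
    ' "$1" | sort
}

# Constructed sample records (not from a real host), in the audit.log line format.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd2 a2=0 a3=0 items=1 ppid=1400 pid=1401 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="access"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/shadow" inode=1234 dev=fd:01 mode=0100640 ouid=0 ogid=42
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd3 a2=241 a3=1b6 items=2 ppid=1500 pid=1501 auid=1000 uid=0 gid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="identity"
type=SYSCALL msg=audit(1700000000.303:203): arch=c000003e syscall=257 success=no exit=-1 a0=ffffff9c a1=7ffd4 a2=2 a3=0 items=1 ppid=1600 pid=1601 auid=1001 uid=1001 gid=1001 euid=1001 comm="touch" exe="/usr/bin/touch" key="access"
type=SYSCALL msg=audit(1700000000.404:204): arch=c000003e syscall=59 success=yes exit=0 a0=5 a1=6 a2=7 a3=0 items=2 ppid=1700 pid=1701 auid=1000 uid=0 gid=0 euid=0 comm="sudo" exe="/usr/bin/sudo" key="privileged"
type=SYSCALL msg=audit(1700000000.505:205): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd5 a2=0 a3=0 items=1 ppid=1800 pid=1801 auid=1000 uid=1000 gid=1000 euid=1000 comm="less" exe="/usr/bin/less" key="access"
EOF
}

# Run directly with a log file argument, e.g.  sh audit-summary.sh ./audit.log
if [ $# -gt 0 ]; then
    audit_key_summary "$1"
    audit_failed_by_auid "$1"
fi
```

On the sample records this yields `access 3`, `identity 1`, `privileged 1` and `auid=1000 2`, `auid=1001 1`. Note that exit=-13 is EACCES and exit=-1 is EPERM, matching the two `access` rules in the System Calls section.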
Best Practice Rules

| What to Monitor | Priority |
|---|---|
| /etc/passwd, /etc/shadow | Critical |
| sudo/su usage | Critical |
| SSH config changes | High |
| System time changes | High |
| Module loading | High |
| Failed access attempts | Medium |
Tags

- auditd
- audit
- logging
- security monitoring
- compliance