Sysadmins use audits to discover security violations and track security-relevant information on their systems. Based on preconfigured rules and properties, the audit daemon (auditd) generates log entries to record information about the events happening on the system. Administrators use this information to analyze what went wrong with the security policies and improve them further by taking additional measures.

This article covers how to install, configure, and manage the audit service. It also shows how to define audit rules, search audit logs, and create audit reports. If you are new to system auditing, this article helps you gain a basic understanding and usage of audits on your system.

Install audit packages

The audit package is installed by default on Red Hat Enterprise Linux (RHEL) 7 and above. If it is not installed, add it with the following command:

$ sudo dnf install audit

The audit configuration file is located at /etc/audit/auditd.conf. The file contains the default configuration parameters that alter the behavior of the auditd daemon.

Manage the audit service

Once auditd is configured, start the service to collect audit information:

$ sudo service auditd start

Use the service command rather than systemctl for this step: it is the only way the user ID (UID) of the administrator performing the action is recorded properly in the audit trail.

Enable the auditd daemon so that it can start at boot time:

$ sudo systemctl enable auditd

Define audit rules

With the auditctl tool, you can add auditing rules on any system call you want.

Rule order matters: auditd evaluates rules in the order they were loaded, and the first rule that matches an event wins.

The next step defines a watch rule. A watch rule tracks access to a file or directory by the access types you specify: read, write, execute, and attribute changes.

The syntax to define watch rules is:

auditctl -w path_to_file -p permissions -k key_name

To audit user creation actions, first, add a watch to the /etc/passwd file to track write and attribute change access, and add a custom key to log all messages (this custom key is useful to filter log messages):

$ sudo auditctl -w /etc/passwd -p wa -k user-modify

Next, add a new user. Doing so changes the /etc/passwd file:

$ sudo useradd testuser

Finally, check to see if auditd logged the change. By default, auditd stores logs in the /var/log/audit/audit.log file:

$ sudo grep user-modify /var/log/audit/audit.log

The output displays different properties, like what system call was triggered by which user, the type of change, the UID and group ID (GID) of the user who executed the command, and many others.
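The following is an added example, not part of the original article, that turns those raw records into a one-line-per-event summary so a key like user-modify can be triaged quickly. It reads audit.log records from standard input; the embedded log lines are constructed for the demonstration, not captured from a real host. Note the difference between auid (the login UID, which survives sudo and su and so names the person behind a uid=0 change) and uid (the identity the system call actually ran as).

```shell
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log records (not from a real system).
# Events 301 and 302 carry key="user-modify"; 303 does not and must be ignored.
SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd3c1 a2=20241 a3=1b6 items=1 ppid=2201 pid=2202 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="useradd" exe="/usr/sbin/useradd" key="user-modify"
type=PATH msg=audit(1700000000.101:301): item=0 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.150:302): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd3c2 a2=20241 a3=1b6 items=1 ppid=3101 pid=3102 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="vim" exe="/usr/bin/vim" key="user-modify"
type=SYSCALL msg=audit(1700000000.200:303): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2201 pid=2300 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="ls" exe="/usr/bin/ls" key=(null)'

# audit_key_summary KEY: read audit.log records on stdin and print, for each
# SYSCALL record tagged with KEY, one line: event_id auid uid success comm exe
audit_key_summary() {
    key="$1"
    awk -v want="$key" '
        $1 != "type=SYSCALL" { next }
        {
            # Build a name -> value map from the key=value tokens, dropping quotes.
            split("", f)
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                gsub(/"/, "", v)
                f[k] = v
            }
            if (f["key"] != want) next
            # msg=audit(SECONDS.MILLIS:SERIAL): keep only SERIAL as the event id,
            # which is what ausearch -a expects.
            id = f["msg"]; sub(/^audit\([^:]*:/, "", id); sub(/\).*$/, "", id)
            print id, f["auid"], f["uid"], f["success"], f["comm"], f["exe"]
        }'
}

# audit_key_escalated KEY: only the events where the login user (auid) differs
# from the effective uid, i.e. changes made through sudo, su or a setuid binary.
audit_key_escalated() {
    audit_key_summary "$1" | awk '$2 != $3'
}

# Stand-alone demonstration over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | audit_key_summary user-modify
```

On a real host, feed it the log instead of the sample: sudo cat /var/log/audit/audit.log | audit_key_summary user-modify.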

Visit the auditctl man page to see more audit examples. For specific options, use auditctl --help.

Define persistent audit rules

To make auditing rules persistent across reboots, add them to the /etc/audit/rules.d/audit.rules file. This file contains auditctl commands as they would be entered on the command line but without the auditctl command in front.

Define a persistent rule in the audit.rules file to watch the /etc/passwd file for changes.

Open the file /etc/audit/rules.d/audit.rules in your favorite text editor and add this line:

-w /etc/passwd -p wa -k user-modify

Save the file, and then reload the auditd daemon to implement the changes from the configuration in the rules file:

$ sudo service auditd reload

Run auditctl -l to list the rules.

Finally, add a new user or modify any parameter that causes the /etc/passwd file to change. The change is logged in /var/log/audit/audit.log, and the rules persist even if the system is rebooted.

Search audit logs

Use the ausearch tool to search audit logs. By default, it searches the /var/log/audit/audit.log file.

For example, to search for log entries based on key_name:

$ sudo ausearch -i -k user-modify

Create audit reports

Use the aureport tool to query and create audit reports based on audit logs.

For example, to generate a report of all executable events, run:

$ sudo aureport -x

Wrap up

In this article, you learned about auditd, installed packages required by auditd, and managed the auditd service by starting, enabling, and restarting it where and when needed. You learned how to define auditd rules temporarily with auditctl and persistently in the audit.rules file. Finally, you searched audit logs and generated audit reports with the ausearch and aureport commands, respectively.


About the author

Ashish Bharadwaj is an intern at Red Hat who is passionate about systems administration, networking, and programming. Ashish believes open source is the future and that contributing to the technologies and community is a great way to solve problems efficiently and create new ideas or products.

He also has an interest in cloud computing, cybersecurity, and writing technical documentation.

In his free time, he enjoys watching TV shows and listening to music.

His favorite quote is, "No one who does good work will ever come to a bad end, either here or in the world to come."

You can find him on LinkedIn: https://www.linkedin.com/in/ashishbharadwajm
