Security Auditing for Linux with auditd

So you have a folder full of super-secret files that few people should see, and you want to know when unauthorized people try to see them. Or maybe you want to see when a certain file changes, or you want to see when people log in and what they do once they are logged in. The Linux audit system handles all this and more.

Installing auditd

To install auditd, run the following command:

#apt install auditd

Creating audit rules

Let's start by checking whether any audit rules already exist:

#auditctl -l

As you can see, auditctl is the command we use to manage audit rules. The -l option lists the rules that are currently loaded.

Checking a file for changes

Suppose we want to see when someone changes the /etc/passwd file.

#auditctl -w /etc/passwd -p wa -k passwd_changes

The breakdown:

-w : This sets a watch and indicates which object we want to observe. In this case it is /etc/passwd.

-p : This indicates the permissions we want to monitor on the object. In this case we track attempts to (w)rite to the file or to change its (a)ttributes. (The other two permissions we can monitor are (r)ead and e(x)ecute.)

-k : This sets a key, which is just a name given to a rule. So passwd_changes is the key, or name, of the rule we are creating.

The command auditctl -l shows us that the rule really exists.

#auditctl -l


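This rule is temporary and will disappear when we reboot the machine. To make it permanent, we need to create a file with custom rules in /etc/audit/rules.d/.

You can use your text editor to create a new rules file in /etc/audit/rules.d/. Or you can simply redirect the output of auditctl -l to a new file like this (<name> is a placeholder for a file name of your choice; the redirection has to be inside the quotes so that it is part of the command sh runs):

#sh -c "auditctl -l > /etc/audit/rules.d/<name>.rules"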


# systemctl restart auditd

After restarting the auditd daemon the audit.rules file now looks like this:

#less /etc/audit/audit.rules

Here is the breakdown of this file:

-D : This deletes all rules and watches that are currently in effect, so that we can start with a clean slate.

-b 8192 : This sets the number of outstanding audit buffers we can have at the same time.

-f 1 : This sets the failure mode for critical errors; the value can be 0, 1 or 2.

The rule now takes effect every time the computer is rebooted and every time the audit daemon is manually restarted.
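To catch rules that were added with auditctl but never written to /etc/audit/rules.d/, the following added example (not part of the original article) compares saved auditctl -l output with the rule files in a directory and prints the rules that would be lost at reboot. The function names, the /srv/secret path and the secret_access key are hypothetical, and it assumes rules are written in the same -w/-p/-k form in both places.

```shell
#!/bin/sh
# Added example: list audit rules that are loaded but not persisted in a
# rules directory, i.e. rules that would disappear at the next reboot.

# Drop comments, blank lines and the "No rules" placeholder, squeeze
# whitespace and sort, so the two sources can be compared line by line.
normalize_rules() {
    for f in "$@"; do
        if [ -f "$f" ]; then cat "$f"; fi
    done |
        sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' -e '/^No rules$/d' \
            -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' |
        LC_ALL=C sort -u
}

# $1 = file with saved `auditctl -l` output, $2 = rules directory.
# Prints every loaded rule that no *.rules file in the directory contains.
unpersisted_rules() {
    loaded=$(mktemp) || return 1
    saved=$(mktemp) || { rm -f "$loaded"; return 1; }
    normalize_rules "$1" > "$loaded"
    normalize_rules "$2"/*.rules > "$saved"   # only *.rules files count
    LC_ALL=C comm -23 "$loaded" "$saved"
    rm -f "$loaded" "$saved"
}

# Constructed sample data: two loaded rules, only one of them persisted.
# /srv/secret and secret_access are hypothetical.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/rules.d"
    printf '%s\n' '-w /etc/passwd -p wa -k passwd_changes' \
        '-w /srv/secret -p rwxa -k secret_access' > "$d/loaded.txt"
    printf '%s\n' '## constructed sample rules file' '-D' '-b 8192' '-f 1' \
        '-w /etc/passwd   -p wa -k passwd_changes' > "$d/rules.d/custom.rules"
    unpersisted_rules "$d/loaded.txt" "$d/rules.d"
    rm -rf "$d"
}

demo
```

On a live system, save the output of auditctl -l to a file as root and pass that file together with /etc/audit/rules.d to unpersisted_rules.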



Ruvantha Nissanka is a Sri Lankan engineer specialized in cybersecurity. He has extensive experience in providing cyber security services to many organizations in Sri Lanka. He is a positive person who wants to believe in the best in others and who likes to help, encourage and make people feel good.
