Sysadmins use audits to discover security violations and track security-relevant information on their systems. Based on preconfigured rules and properties, the audit daemon (
auditd) generates log entries to record information about the events happening on the system. Administrators use this information to analyze what went wrong with the security policies and improve them further by taking additional measures.
This article covers how to install, configure, and manage the audit service. It also shows how to define audit rules, search audit logs, and create audit reports. If you are new to system auditing, this article helps you gain a basic understanding and usage of audits on your system.
Install audit packages
The audit package is installed by default on Red Hat Enterprise Linux (RHEL) 7 and above. If it is not installed, add it with the following command:
$ sudo dnf install audit
The audit configuration file is located at
/etc/audit/auditd.conf. The file contains the default configuration parameters that alter the behavior of the
Manage the audit service
auditd is configured, start the service to collect audit information:
$ sudo service auditd start
The only reason to use the
service command instead of
systemctl is to record a user ID (UID) value properly.
[ Sign up for the free online course RHEL technical overview. ]
auditd daemon so that it can start at boot time:
$ sudo systemctl enable auditd
Define audit rules
auditctl tool, you can add auditing rules on any system call you want.
Ordering is important for rules to function as intended, and the service works on a first-match-win basis.
The next step defines the watch rule. This rule tracks whether a file or directory is triggered by certain types of access, including read, write, execute, and attribute changes.
The syntax to define watch rules is:
auditctl -w path_to_file -p permissions -k key_name
To audit user creation actions, first, add a watch to the
/etc/passwd file to track write and attribute change access, and add a custom key to log all messages (this custom key is useful to filter log messages):
$ sudo auditctl -w /etc/passwd -p wa -k user-modify
Next, add a new user. Doing so changes the
$ sudo useradd testuser
Finally, check to see if
auditd logged the change. By default,
auditd stores logs in the
$ sudo cat /var/log/audit/audit.log | grep user-modify
The output displays different properties, like what system call was triggered by which user, the type of change, the UID and group ID (GID) of the user who executed the command, and many others.
[ Download the Linux commands cheat sheet, so you always have the right command at hand. ]
auditctl man page to see more audit examples. For specific options, use
Define persistent audit rules
To make auditing rules persistent across reboots, add them to the
/etc/audit/rules.d/audit.rules file. This file contains
auditctl commands as they would be entered on the command line but without the
auditctl command in front.
Define persistent rules in the
audit.rules file to watch
/etc/passwd file for changes.
Open the file
/etc/audit/rules.d/audit.rules in your favorite text editor and add this line:
-w /etc/passwd -p wa -k user-modify
Save the file, and then reload the
auditd daemon to implement the changes from the configuration in the rules file:
$ sudo service auditd reload
auditctl -l to list the rules.
Finally, add a new user or modify any parameters that trigger the
/etc/passwd file to change. The change is logged in
/var/log/audit/audit.log, and even if the system is rebooted, the rules persists.
Search audit logs
ausearch tool to search audit logs. By default, it searches the
For example, to search for log entries based on key_name:
$ sudo ausearch -i -k user-modify
Create audit reports
aureport tool to query and create audit reports based on audit logs.
For example, to generate a report of all executable events, run:
$ sudo aureport -x
In this article, you learned about
auditd, installed packages required by
auditd, and managed the
auditd service by starting, enabling, and restarting it where and when needed. You learned how to define
auditd rules temporarily with
auditctl and persistently in the
audit.rules file. Finally, you searched audit logs and generated audit reports with the
aureport commands, respectively.