Tuning and using auditd to audit a Linux system

running Linux are audited using the auditd daemon. is designed to do a thorough examination of the Linux operating system, including recording different events, examining program operations, and giving information to the administrator in accordance with predetermined templates. In addition to checking the operating system for problems, auditd also activates the notification service, which notifies the administrator of any issues.

Let’s talk about how to use auditd. The server running Server 18.04 is used as an example.


By default, auditd is not integrated into the operating system. Let’s install it with regular means:

sudo apt-get install auditd audispd-plugins

Important! If the server platform is running , you do not need to install anything – the daemon is integrated into the OS.


System parameters are stored in two . The first is called auditd.conf and contains the audit service settings, the second is called audit.rules. Audit.conf is responsible for the auditd service in the direction of what events it records and at what point in time. The second file contains the rules and filters used by auditd when performing operations. Administrators make changes to it, add new rules, and also edit current templates or delete obsolete ones.

To view installed templates, use the following flag:

auditctl –l

If the settings were not made, the table will be empty

Important! Deleting rules is done through the D key.

To activate monitoring for a specific file, write the following syntax in the terminal:

auditctl -a command,action -F path=name_file -F perm=permission

  • name_file – the name of the file being monitored by the auditd service;
  • permission – rights.

The field takes four values:

  • R – read rights;
  • W – allowed to change;
  • X – used for executable files, the service runs it on its own behalf;
  • A – change the attributes of the object.

Additional keys that come with the command are decrypted as follows:

-a: Specifies a list (task, exit, user, or exclude) and an action (never or always) for the auditctl daemon. The pair is separated by commas.
-F: Specifies the path to the file and grants search rights.

If you want to find a specific event or object, use the ausearch command with the -f switch. Let’s say you want to see who used the /etc/passwd object and when. We prescribe:

uname –

In response, the administrator will receive a number that can later be used to obtain detailed information about the system call. We write in the terminal:

ausyscall arch number

  • arch is the architecture of the operating system;
  • number is a numeric value obtained through the uname command.

Now back to the beginning of the section. Knowing what a system call is, administrators use the auditctl command to get detailed information about running applications and active actions by account name.

View logs

The conditions are set, the audit is carried out, but how to view the result? The aureport command is available for this. The collected information is stored in the /var/log/audit/ directory, and the files have the .log extension. General form:

aureport option -if filename

  • option specifies the keys by which information is retrieved;
  • –if specifies the file on which the filter works.

The most common filter is by date. The –start and –end options are responsible for this, followed by the date and exact time. :

aureport --start 07/15/2008 00:00:00 --end 07/19/2018 00:00:00

Another example is to view all reports that are stored in a directory:

aureport –x

If you need a summary of events that occurred in the OS, add the –summary flag at the end.

The last popular option is to view “failed” operations. These include unsuccessful login to the OS, blocking, etc. You can view them like this:

aureport -u --failed --summary –i


Welcome to the world of DomainRooster, where roosters (and hens) rule the roost! We're a one-stop shop for all your entrepreneurial needs, bringing together domain names and website hosting, and all the tools you need to bring your ideas to life. With our help, you'll soar to new heights and hatch great success. Think of us as your trusty sidekick, always there to lend a wing and help you navigate the sometimes-complex world of domain names and web hosting. Our team of roosters are experts in their fields and are always on hand to answer any questions and provide guidance. So why wait? Sign up today and join the ranks of the world's greatest entrepreneurs. With DomainRooster, the sky's the limit! And remember, as the saying goes, "Successful people do what unsuccessful people are not willing to do." So don't be afraid to take that leap of faith - DomainRooster is here to help you reach for the stars. Caw on!