auditd
The Linux audit subsystem records a tamper-evident log of security events: who opened which file, which syscalls were made, when someone used sudo, what commands were run as root. auditd is the user-space daemon that collects these kernel events and writes them to disk. Required for PCI-DSS, HIPAA, and most security compliance frameworks.
How auditd Works
Audit subsystem architecture:

    Kernel audit module
            |
            | (netlink socket)
            |
    auditd daemon ──writes──→ /var/log/audit/audit.log
            |
            └── dispatcher (audispd) ──→ plugins (syslog, remote logging)
# Start/stop:
systemctl start auditd
systemctl enable auditd
# Audit log location:
cat /var/log/audit/audit.log | head -5
# type=SYSCALL msg=audit(1234567890.123:456): arch=c000003e syscall=2
# success=yes exit=3 a0=7f... a1=0 a2=1b6 a3=0 items=1 ppid=1234
# pid=5678 auid=1000 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0
# comm="cat" exe="/usr/bin/cat" key="sensitive_files"
Writing Audit Rules
# Add rules with auditctl:
# Watch a file for reads and writes:
auditctl -w /etc/passwd -p rwa -k passwd_access
# -w = watch path
# -p = permissions to log (r=read, w=write, a=attr, x=execute)
# -k = key name (for searching later)
# Watch a directory recursively:
auditctl -w /etc/sudoers.d/ -p wa -k sudoers_changes
# Audit a specific syscall:
auditctl -a always,exit -F arch=b64 -S execve -k program_execution
# -a always,exit = log every time this syscall exits
# -F arch=b64 = 64-bit architecture (add a matching -F arch=b32 rule if 32-bit binaries can run, otherwise their execve calls are not logged)
# -S execve = syscall: execute a program
# -k key = tag for searching
# Audit failed access attempts (modern libc implements open() via the openat syscall, so match both):
auditctl -a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k access_denied
# Watch for privilege escalation:
auditctl -a always,exit -F arch=b64 -S setuid -S setgid -k privilege_change
# Make rules permanent: put them in a file under /etc/audit/rules.d/, one rule per line without the auditctl prefix,
# e.g. /etc/audit/rules.d/99-local.rules:
-w /etc/passwd -p rwa -k passwd_access
-w /etc/ssh/sshd_config -p wa -k sshd_config
# Apply persistent rules (augenrules merges /etc/audit/rules.d/*.rules and loads the result):
augenrules --load
Searching Audit Logs
# ausearch — query audit logs
ausearch -k passwd_access # by key
ausearch -m SYSCALL -ts today # today's syscall events
ausearch -ua 1000 # events for UID 1000
ausearch -m LOGIN -ts recent # recent logins
# Filter by time:
ausearch -ts 08/01/2024 12:00:00 -te 08/01/2024 13:00:00
# Human-readable output:
ausearch -k passwd_access -i
# time->Mon Jan 15 12:34:56 2024
# type=SYSCALL msg=audit...: arch=x86_64 syscall=openat success=yes
# pid=5678 uid=root auid=admin(1000) comm="cat" exe=/usr/bin/cat key=passwd_access
# aureport — summary reports
aureport --summary # overall summary
aureport --failed # failed events
aureport --login # login events
aureport --auth # authentication events
aureport --syscall # syscall summary
aureport -x --summary # executable summary (who ran what)
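As an added example that is not part of the original page, a small Python parser for the audit.log record format shown above: it joins the SYSCALL, PATH and EXECVE records that share one event id and pulls out the two things the access_denied and program_execution rules are meant to surface (denied file access, and commands run as root by an ordinary login user). The sample records are constructed, not taken from a real system.

```python
import re

# Constructed sample (not real data) in the audit.log format shown above: a denied read of /etc/shadow (456) and a root command run by login user 1000 (458).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1705321496.123:456): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd1c2e3a40 a2=0 a3=0 items=1 ppid=1234 pid=5678 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="access_denied"
type=PATH msg=audit(1705321496.123:456): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100000 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1705321510.001:458): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c0a0 a1=55d1c0c0 a2=55d1c0e0 a3=8 items=2 ppid=5700 pid=5701 auid=1000 uid=0 gid=0 euid=0 comm="useradd" exe="/usr/sbin/useradd" key="program_execution"
type=EXECVE msg=audit(1705321510.001:458): argc=2 a0="useradd" a1="svc-report"
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may contain spaces

def parse_record(line):
    """Split one audit.log line into its record type, timestamp, serial and key=value fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return {"type": rtype, "ts": float(ts), "serial": int(serial), **fields}

def group_events(text):
    """Records sharing one (timestamp:serial) id form a single event; bucket them by record type."""
    events = {}
    for line in text.splitlines():
        if rec := parse_record(line):
            events.setdefault((rec["ts"], rec["serial"]), {}).setdefault(rec["type"], []).append(rec)
    return [events[k] for k in sorted(events)]

def denied_access(text):
    """(auid, comm, path) for syscalls that failed with -EACCES (exit=-13), joined to their PATH record."""
    hits = []
    for recs in group_events(text):
        for sc in recs.get("SYSCALL", []):
            if sc.get("success") == "no" and sc.get("exit") == "-13":
                names = [p["name"] for p in recs.get("PATH", []) if "name" in p]
                hits.append((sc.get("auid"), sc.get("comm"), names[-1] if names else None))
    return hits

def root_commands(text):
    """(auid, argv) for execve calls made with uid=0 by a non-root login user (auid unset = 4294967295): sudo/su use."""
    cmds = []
    for recs in group_events(text):
        for sc in recs.get("SYSCALL", []):
            if sc.get("syscall") == "59" and sc.get("uid") == "0" and sc.get("auid") not in ("0", "4294967295"):
                for ex in recs.get("EXECVE", []):
                    cmds.append((sc["auid"], [ex[f"a{i}"] for i in range(int(ex["argc"]))]))
    return cmds
```

Real logs hex-encode PATH names and EXECVE arguments that contain spaces, quotes or non-printable bytes; ausearch -i decodes those, this parser does not.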
Pre-built Compliance Rule Sets
# auditd ships with compliance rule sets:
ls /usr/share/audit/sample-rules/
# 10-base-config.rules
# 30-pci-dss-v31.rules ← PCI-DSS
# 30-nispom.rules ← NSA information system rules
# 30-stig.rules ← DISA STIG (government hardening)
# 31-privileged.rules ← log all privileged commands
# Load STIG rules:
cp /usr/share/audit/sample-rules/30-stig.rules /etc/audit/rules.d/
augenrules --load
# STIG rules cover:
# - All privileged command executions (sudo, su, passwd, etc.)
# - User/group modifications
# - Network configuration changes
# - Kernel module loading
# - Failed login attempts