Logging, Monitoring and Auditing · Visibility

L14. The Audit Framework: Writing auditd Rules

Video generating

Check back soon for the video lesson on The Audit Framework: Writing auditd Rules

The Linux Audit framework provides kernel-level visibility into system activity that regular logging cannot match. Learn how to install auditd, write rules for file watches and syscall monitoring, and use ausearch and aureport to query audit trails.

What Is the Linux Audit System?

The Linux Audit system is a kernel-level framework that records security-relevant events. Unlike application-level logging (which depends on each program writing its own logs), auditd intercepts events at the kernel level. This means it can track:

File access and modification (even by root)
System call execution
User authentication events
Changes to system configuration files
Network connection attempts

If someone modifies /etc/shadow or runs a suspicious command, auditd can record exactly who did it, when, and from which process.

Installing and Starting auditd

# Debian/Ubuntu sudo apt install auditd audispd-plugins # RHEL/CentOS (usually pre-installed) sudo dnf install audit

# Start and enable the daemon sudo systemctl enable --now auditd

Audit Rules: Two Types

Audit rules come in two categories:

1. File Watch Rules (-w)

File watch rules monitor access to specific files or directories. They are the simplest type and the most commonly used.

# Watch /etc/passwd for any changes (write or attribute change) sudo auditctl -w /etc/passwd -p wa -k identity_changes # Watch /etc/shadow for any access (read, write, execute, attribute) sudo auditctl -w /etc/shadow -p rwxa -k shadow_access # Watch the sudoers file for modifications sudo auditctl -w /etc/sudoers -p wa -k sudoers_changes

# Watch a directory and all its contents sudo auditctl -w /etc/ssh/ -p wa -k ssh_config_changes

The flags after -p specify which operations to watch:

Flag	Operation
r	Read
w	Write
x	Execute
a	Attribute change (permissions, ownership)

The -k flag assigns a key (tag) to the rule, which makes searching audit logs much easier.

2. System Call Rules (-a)

Syscall rules are more granular. They watch for specific kernel system calls executed by specific users or processes.

# Log all commands executed by users with UID >= 1000 (non-system users) sudo auditctl -a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k user_commands # Log all failed file access attempts sudo auditctl -a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k access_denied

# Log changes to user/group management commands sudo auditctl -w /usr/sbin/useradd -p x -k user_management sudo auditctl -w /usr/sbin/userdel -p x -k user_management

Making Rules Persistent

Rules added with auditctl are lost on reboot. To make them permanent, add them to the audit rules file:

# Edit the persistent rules file
sudo nano /etc/audit/rules.d/custom.rules

Add rules in the same syntax (without the auditctl command prefix):

# /etc/audit/rules.d/custom.rules # File watches -w /etc/passwd -p wa -k identity_changes -w /etc/shadow -p rwxa -k shadow_access -w /etc/sudoers -p wa -k sudoers_changes -w /etc/ssh/sshd_config -p wa -k ssh_config

# Syscall rules -a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k user_commands

Load the new rules:

sudo augenrules --load

Querying Audit Logs with ausearch

Audit logs are stored in /var/log/audit/audit.log. The raw format is machine-readable but not human-friendly. Use ausearch to query them:

# Search by key sudo ausearch -k identity_changes # Search by key and time range sudo ausearch -k shadow_access --start today # Search for events by a specific user (UID 1001) sudo ausearch -ua 1001 # Search for events related to a specific file sudo ausearch -f /etc/passwd

# Search for failed operations sudo ausearch --success no

Generating Reports with aureport

aureport summarizes audit data into readable reports:

# Summary of all audit events sudo aureport --summary # Report on authentication events sudo aureport --auth # Report on failed events sudo aureport --failed # Report on file access events sudo aureport --file

# Report on executed commands sudo aureport --exec

Monitoring Critical Files

At minimum, you should watch these files on every server:

File/Directory	Why
/etc/passwd	User account changes
/etc/shadow	Password hash changes
/etc/group	Group membership changes
/etc/sudoers and /etc/sudoers.d/	Privilege escalation config
/etc/ssh/sshd_config	SSH configuration changes
/etc/crontab and /etc/cron.d/	Scheduled task changes (persistence)

Attackers frequently target these files to create backdoor accounts, modify passwords, grant sudo access, or establish persistence through cron jobs.

Performance Considerations

Audit rules consume kernel resources. Overly broad rules (like watching all file reads system-wide) can cause significant performance degradation. Best practices:

Start with targeted file watches on critical files
Use syscall rules sparingly and with filters (UID, arch)
Monitor the audit log size and rotate it appropriately
Test rules in a non-production environment first

Exam Focus Points

✓auditd operates at the kernel level: it can track file access, syscalls, and user commands that application-level logging cannot see
✓File watch rules (-w) monitor specific files for read, write, execute, or attribute changes
✓The -k flag assigns a searchable key to rules, making it easy to query related events with ausearch -k
✓Persistent rules go in /etc/audit/rules.d/ and are loaded with augenrules --load
✓Critical files to monitor include /etc/passwd, /etc/shadow, /etc/sudoers, and /etc/ssh/sshd_config

Knowledge Check

1. What does the auditd rule "-w /etc/shadow -p wa -k shadow_access" do?

2. Which command would you use to find all audit events tagged with the key "sudoers_changes" that occurred today?

3. Why does auditd provide better security visibility than application-level logging alone?

Syslog and journald: Where Linux Logs Everything

File Integrity Monitoring with AIDE