Master Linux auditd: Install, Configure, and Analyze Auditing Rules

This guide explains what auditd is, how to install it on Ubuntu, configure file and directory monitoring rules, view audit logs with ausearch, generate reports with aureport, and manage the auditd service for effective Linux security auditing.

MaGe Linux Operations

What is auditd?

auditd (the audit daemon) is a user‑space component of the Linux Auditing System that writes audit records to disk.

Installing auditd

On Ubuntu you can install auditd with apt-get or the wajig front end. The package provides the following components:

auditctl: controls the audit system in real time, e.g., adding or listing rules.

/etc/audit/audit.rules: file that stores the audit rules.

aureport: generates summary reports from the audit log.

ausearch: searches audit events.

audispd: the audit event dispatcher, which forwards events to other applications.

autrace: traces the system calls made by a process.

/etc/audit/auditd.conf: configuration file for the auditd daemon itself.

After the first installation the audit rule set is empty.

Viewing current rules

$ sudo auditctl -l

How to use auditd

File and directory access auditing

To monitor changes to files or directories, use auditctl with root privileges.

File auditing example

$ sudo auditctl -w /etc/passwd -p rwxa

Options:

-w path: specifies the path to monitor (e.g., /etc/passwd).

-p: sets the permissions that trigger an audit.

rwxa: r = read, w = write, x = execute, a = attribute change.

Directory auditing example

$ sudo auditctl -w /production/

This monitors all accesses to the /production directory; because no -p option is given, the watch triggers on every access type (rwxa).

Run auditctl -l to list all configured rules.

Viewing audit logs

After adding rules, use ausearch to query the logs. For example, to view events for /etc/passwd:

$ sudo ausearch -f /etc/passwd

The output includes fields such as time, name, cwd, syscall, auid, uid/gid, comm, and exe, which describe when and how the file was accessed.
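To make the ausearch output above less opaque, here is an added example (my own script, not part of the original article) that does in plain awk what ausearch -f does internally: it groups the SYSCALL, CWD and PATH records that share one event serial (the number after the colon in msg=audit(time:serial)), and for every event whose PATH record names the requested file it prints the serial, the timestamp, and the auid, uid, comm, exe and rule key from the matching SYSCALL record. The log lines are constructed samples in the format auditd writes to /var/log/audit/audit.log; the function names and the key values (passwd-watch, hostname-watch) are my own.

```shell
#!/bin/sh
# Added example: correlate raw audit records for one watched file, the way
# "ausearch -f PATH" does, using only awk and sort.

# Constructed sample of /var/log/audit/audit.log (not a real capture). Every
# record of one event carries the same "msg=audit(timestamp:serial)" header.
sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c8a2b2c0 a2=0 a3=0 items=1 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined key="passwd-watch"
type=CWD msg=audit(1700000000.123:456): cwd="/root"
type=PATH msg=audit(1700000000.123:456): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.456:457): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c8a2b300 a2=0 a3=0 items=1 ppid=1234 pid=1236 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined key="hostname-watch"
type=PATH msg=audit(1700000000.456:457): item=0 name="/etc/hostname" inode=1235 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000100.789:460): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d0c8a2b400 a2=241 a3=1b6 items=2 ppid=1234 pid=1240 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" subj=unconfined key="passwd-watch"
type=CWD msg=audit(1700000100.789:460): cwd="/home/alice"
type=PATH msg=audit(1700000100.789:460): item=0 name="/etc/" inode=12 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000100.789:460): item=1 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
EOF
}

# summarize_file_access PATH  (reads audit records on stdin)
# Prints one line per event that touched PATH:
#   serial timestamp auid=.. uid=.. comm=.. exe=.. key=..
summarize_file_access() {
  awk -v target="$1" '
  # field(line, key): value of "key=..." in an audit record, quotes stripped.
  # The leading space/anchor keeps "uid=" from matching inside "auid=" or "euid=".
  function field(line, key,   re, v) {
    re = "(^| )" key "=[^ ]*"
    if (match(line, re)) {
      v = substr(line, RSTART, RLENGTH)
      sub(/^ ?[^=]*=/, "", v)
      gsub(/"/, "", v)
      return v
    }
    return "?"
  }
  {
    # Pull timestamp and serial out of msg=audit(1700000000.123:456)
    if (match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) {
      split(substr($0, RSTART, RLENGTH), h, /[():]/)
      ts = h[2]; serial = h[3]
    } else next
    if ($1 == "type=SYSCALL") { syscall_rec[serial] = $0; when[serial] = ts }
    else if ($1 == "type=PATH" && index($0, "name=\"" target "\"") > 0) hit[serial] = 1
  }
  END {
    # Only events that both touched the target and have a SYSCALL record are reported
    for (s in hit) if (s in syscall_rec) {
      r = syscall_rec[s]
      printf "%s %s auid=%s uid=%s comm=%s exe=%s key=%s\n", s, when[s],
             field(r, "auid"), field(r, "uid"), field(r, "comm"), field(r, "exe"), field(r, "key")
    }
  }' | sort -n
}

# Usage on a live system (root): summarize_file_access /etc/passwd < /var/log/audit/audit.log
# Offline demo on the constructed sample:
sample_audit_log | summarize_file_access /etc/passwd
```

Note the difference between auid and uid in the first event: the login user (auid 1000) read /etc/passwd as root (uid 0), which is exactly the distinction that makes auid the field to pivot on when reconstructing who did what after a privilege change.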

Generating audit reports

The aureport tool creates summary reports from the audit log:

$ sudo aureport

Running aureport -au shows detailed authentication failures, and aureport -m lists all modification events.

Persisting audit rules

Add your rules to /etc/audit/audit.rules to make them permanent, then restart the auditd service:

# /etc/init.d/auditd restart

or

# service auditd restart
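The file and directory watches from the auditing section and the persisting step above can be combined into one script. The following is an added example (mine, not the article's), going a little beyond the page: it validates the -p letters against r, w, x and a, defaults to rwxa when none are given (auditctl's own behaviour for a bare -w), tags every watch with a -k key so the events can later be found with ausearch -k, and installs the result. On current Ubuntu releases /etc/audit/audit.rules is regenerated from the fragments in /etc/audit/rules.d/ by augenrules, so the install step writes there when that directory exists and falls back to appending to /etc/audit/audit.rules and loading it with auditctl -R otherwise. The file name 50-watches.rules and all function names are my own choices.

```shell
#!/bin/sh
# Added example: generate, validate and persist auditd file/directory watches.

# audit_watch_rule PATH [PERMS] [KEY]
# Prints one "-w PATH -p PERMS [-k KEY]" line; rejects relative paths and
# permission letters outside r, w, x, a. An empty PERMS becomes rwxa.
audit_watch_rule() {
  awr_path=$1; awr_perms=${2:-rwxa}; awr_key=$3
  case "$awr_path" in
    /*) ;;
    *) echo "audit_watch_rule: path must be absolute: $awr_path" >&2; return 1 ;;
  esac
  case "$awr_perms" in
    *[!rwxa]*) echo "audit_watch_rule: bad -p flags '$awr_perms' (only r, w, x, a)" >&2; return 1 ;;
  esac
  if [ -n "$awr_key" ]; then
    printf '%s %s -p %s -k %s\n' -w "$awr_path" "$awr_perms" "$awr_key"
  else
    printf '%s %s -p %s\n' -w "$awr_path" "$awr_perms"
  fi
}

# build_rules_file  (reads "path perms key" lines on stdin, writes a rules file to stdout)
# Deliberately does not emit "-D": in rules.d that line would delete the rules
# loaded from fragments that sort before this one.
build_rules_file() {
  echo '## watch rules generated by build_rules_file (added example)'
  while read -r brf_path brf_perms brf_key; do
    case "$brf_path" in ''|'#'*) continue ;; esac   # skip blank and comment lines
    audit_watch_rule "$brf_path" "$brf_perms" "$brf_key" || return 1
  done
}

# install_rules FILE: persist the generated rules and load them (root required;
# touches the real system, so it is not exercised by the offline demo)
install_rules() {
  if [ -d /etc/audit/rules.d ] && command -v augenrules >/dev/null 2>&1; then
    # augenrules merges rules.d/*.rules into /etc/audit/audit.rules and loads it
    cp "$1" /etc/audit/rules.d/50-watches.rules && augenrules --load
  else
    # older layout: the daemon reads /etc/audit/audit.rules directly
    cat "$1" >> /etc/audit/audit.rules && auditctl -R /etc/audit/audit.rules
  fi
  auditctl -l   # confirm the kernel now holds the watches
}

# Offline demo: print the rules file for the two watches discussed in the article.
# On a real host (as root):
#   printf '%s\n' '/etc/passwd rwxa passwd-watch' '/production/ rwxa prod-dir' \
#     | build_rules_file > /tmp/50-watches.rules && install_rules /tmp/50-watches.rules
printf '%s\n' '/etc/passwd rwxa passwd-watch' '/production/ rwxa prod-dir' | build_rules_file
```

A watch on a busy directory such as /production/ with all four permission types will generate a record for every read; the script keeps the watch list in one small file precisely so that the -p letters and keys can be reviewed and trimmed when the audit log starts growing faster than expected.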

Conclusion

auditd is a powerful Linux auditing tool. Consult the manual pages (man auditd, man ausearch) for detailed options, and create rules carefully to avoid excessive log growth.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
