Set up the Linux audit system with auditd to monitor file access, user activities, and system calls for security compliance. Learn to create audit rules, analyze logs, and track privilege escalations.
Prerequisites
- Root or sudo access
- Basic understanding of Linux file permissions
- Familiarity with systemd services
What this solves
The Linux audit system provides detailed monitoring of system activities, file access, and security events required for compliance frameworks like PCI-DSS, SOX, and HIPAA. The auditd daemon records security-relevant events to tamper-resistant logs that can detect unauthorized access, privilege escalations, and policy violations.
Step-by-step installation
Update system packages
Start by refreshing the package index and upgrading installed packages so you get the current audit tools and security patches.

```bash
sudo apt update && sudo apt upgrade -y
```
Install audit packages
Install the audit daemon and utilities for managing audit rules and analyzing logs.
```bash
sudo apt install -y auditd audispd-plugins
```
Enable and start auditd service
Start the audit daemon and enable it to start automatically on boot. auditd runs with a raised scheduling priority (the priority_boost setting in auditd.conf) so that events keep being written to disk under load.

```bash
sudo systemctl enable auditd
sudo systemctl start auditd
sudo systemctl status auditd
```
Configure audit buffer and log retention
Set log rotation and low-disk-space policies in the main configuration file, /etc/audit/auditd.conf. These settings decide what auditd does as the log partition fills up, so that events are not lost silently during busy periods.

```ini
# /etc/audit/auditd.conf (excerpt)

# Log file location and rotation (max_log_file is in MB)
log_file = /var/log/audit/audit.log
num_logs = 5
max_log_file = 50
max_log_file_action = ROTATE

# Low-disk-space thresholds, in MB free on the log partition:
# warn via syslog at space_left, stop writing to disk at admin_space_left
# (SUSPEND keeps auditd running but nothing is logged until it is restarted)
space_left = 100
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND

# Disk full and disk error actions
disk_full_action = SUSPEND
disk_error_action = SUSPEND

# Flush policy: with flush = incremental_async, freq is the number of records
# written between flushes to disk. It does not size the kernel audit buffer;
# that is set with the -b option in the rules file.
freq = 20
```
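A check a practitioner would run before deploying the file above, added here as an example (it is not part of this guide and not an audit-project tool): it parses an auditd.conf, flags a space_left that is not above admin_space_left and any action set to IGNORE, and reports the disk budget implied by num_logs and max_log_file. The function names and the two sample configurations it runs on (one with the values above, one deliberately weakened) are constructed for this example.

```bash
#!/bin/sh
# Added example, not part of the original guide: a sanity check for the
# disk-space settings in an auditd.conf before it is deployed. It is plain
# text processing, so it runs anywhere without root. Findings:
#   WARN when space_left <= admin_space_left: the SYSLOG warning would fire
#        after the SUSPEND action instead of before it, so nobody is warned
#        while logging still works
#   WARN when any *_action is IGNORE: the limit is reached and nothing is
#        done about it, which for disk_full_action means events vanish
# It also reports the disk budget implied by num_logs x max_log_file.
check_auditd_conf() {   # usage: check_auditd_conf <auditd.conf>; returns 1 on findings
    awk -F '[[:space:]]*=[[:space:]]*' '
    /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
    NF >= 2 {
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", $1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2)
        cfg[$1] = $2
    }
    END {
        bad = 0
        if (("space_left" in cfg) && ("admin_space_left" in cfg) && cfg["space_left"] + 0 <= cfg["admin_space_left"] + 0) {
            printf "WARN: space_left (%s MB) must be larger than admin_space_left (%s MB)\n", cfg["space_left"], cfg["admin_space_left"]
            bad++
        }
        for (k in cfg) if (k ~ /_action$/ && toupper(cfg[k]) == "IGNORE") {
            printf "WARN: %s = IGNORE means nothing happens when that limit is reached\n", k
            bad++
        }
        if (("num_logs" in cfg) && ("max_log_file" in cfg))
            printf "retained logs: up to %d MB (%s x %s MB)\n", cfg["num_logs"] * cfg["max_log_file"], cfg["num_logs"], cfg["max_log_file"]
        if (bad > 0) exit 1
        exit 0
    }' "$1"
}

# Constructed sample configurations (not real deployments). "good" uses the
# values from the guide; "weak" swaps the two thresholds and ignores disk-full.
make_sample_auditd_conf() {   # usage: make_sample_auditd_conf good|weak ; prints the temp file path
    f=$(mktemp) || return 1
    if [ "$1" = good ]; then
        cat > "$f" <<'EOF'
log_file = /var/log/audit/audit.log
num_logs = 5
max_log_file = 50
max_log_file_action = ROTATE
space_left = 100
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
freq = 20
EOF
    else
        cat > "$f" <<'EOF'
log_file = /var/log/audit/audit.log
num_logs = 5
max_log_file = 50
max_log_file_action = ROTATE
space_left = 50
space_left_action = SYSLOG
admin_space_left = 100
admin_space_left_action = SUSPEND
disk_full_action = IGNORE
disk_error_action = SUSPEND
EOF
    fi
    printf '%s\n' "$f"
}

good=$(make_sample_auditd_conf good)
weak=$(make_sample_auditd_conf weak)
check_auditd_conf "$good" && echo "sample good conf: clean"
check_auditd_conf "$weak" || echo "sample weak conf: rejected"
rm -f "$good" "$weak"
```

Point it at a real file with `check_auditd_conf /etc/audit/auditd.conf`; the exit status makes it usable as a gate in a deployment pipeline.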
Create file and directory monitoring rules
Set up audit rules to monitor sensitive files and directories. These rules record who writes to (w) or changes the attributes of (a) critical system files and configuration directories, and tag each event with a key you can search for later. Watches on whole trees such as /home, /tmp and /var/tmp are useful on servers but produce a lot of events on busy hosts, so make sure the log budget in auditd.conf can absorb them.

```
# /etc/audit/rules.d/file-monitoring.rules

# Monitor sensitive system files
-w /etc/passwd -p wa -k user_accounts
-w /etc/group -p wa -k user_accounts
-w /etc/shadow -p wa -k user_accounts
-w /etc/sudoers -p wa -k privilege_escalation
-w /etc/sudoers.d/ -p wa -k privilege_escalation

# Monitor SSH configuration
-w /etc/ssh/sshd_config -p wa -k ssh_config
-w /root/.ssh -p wa -k root_ssh_access

# Monitor system configuration
-w /etc/hosts -p wa -k network_config
-w /etc/hostname -p wa -k system_config
-w /etc/fstab -p wa -k filesystem_config

# Monitor critical directories (recursive, high volume on busy hosts)
-w /home -p wa -k user_home_access
-w /tmp -p wa -k temporary_files
-w /var/tmp -p wa -k temporary_files
```
Configure user activity and privilege monitoring
Create rules to monitor authentication, privilege escalation and administrative actions. The two execve rules record every program that starts running as root (euid=0) from a session whose login UID is not root (auid!=0); that covers sudo and su, but also setuid helpers and daemons whose login UID is unset, so expect some background noise under the privilege_escalation key. The -p x watches fire whenever one of the listed account-management binaries is executed. /var/log/auth.log is the Debian and Ubuntu authentication log, /var/log/secure the RHEL-family one.

```
# /etc/audit/rules.d/user-activity.rules

# Monitor authentication events
-w /var/log/auth.log -p wa -k authentication
-w /var/log/secure -p wa -k authentication

# Monitor sudo usage (anything executed as root from a non-root login session)
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid!=0 -k privilege_escalation
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid!=0 -k privilege_escalation

# Monitor user and group modifications
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/userdel -p x -k user_modification
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/groupdel -p x -k group_modification

# Monitor password and shell changes
-w /usr/bin/passwd -p x -k password_modification
-w /usr/bin/chsh -p x -k user_shell_modification
```
Set up system call monitoring
Configure audit rules for security-relevant system calls: permission and ownership changes, file deletions and renames, network socket activity and process execution. Each rule appears twice, once for the 64-bit ABI (arch=b64) and once for the 32-bit ABI (arch=b32), because a rule only matches the architecture it names. The socket and execve rules are the busiest in this set and dominate log volume on a loaded host, so weigh them against your retention budget.

```
# /etc/audit/rules.d/system-calls.rules

# Monitor file permission changes
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -k file_permissions
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -k file_permissions
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -k file_ownership
-a always,exit -F arch=b32 -S chown,fchown,lchown,fchownat -k file_ownership

# Monitor file deletions and renames
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -k file_deletion
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -k file_deletion

# Monitor network connections (high volume)
-a always,exit -F arch=b64 -S socket,connect,bind -k network_activity
-a always,exit -F arch=b32 -S socket,connect,bind -k network_activity

# Monitor process execution (high volume)
-a always,exit -F arch=b64 -S execve -k process_execution
-a always,exit -F arch=b32 -S execve -k process_execution
```
Configure log immutability
Make the audit configuration immutable so that the loaded rules can no longer be added to, changed or disabled until the next reboot. This line must be the last one loaded: anything that comes after it is refused. When rules are merged from /etc/audit/rules.d (the augenrules mechanism), the files are concatenated in alphabetical order, so keep this line at the end of the file that sorts last.

```
# Make audit configuration immutable (must be the final rule loaded)
-e 2
```
Load audit rules and restart service
Load the new rule files with auditctl -R, which applies each file immediately, then restart auditd so that the same rules are installed at boot. Because -e 2 locks the configuration the moment it is loaded, the file containing it has to be the last one on this list; every auditctl -R after that point fails until the system is rebooted.

```bash
sudo auditctl -R /etc/audit/rules.d/file-monitoring.rules
sudo auditctl -R /etc/audit/rules.d/user-activity.rules
sudo auditctl -R /etc/audit/rules.d/system-calls.rules
sudo systemctl restart auditd
```
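Before loading, it pays to lint the rules files, since one malformed line aborts the load and a -e 2 in the wrong place locks out everything after it. The shell function below is an added example (it is not part of this guide and not an audit-project tool): the function names and the two sample rules files it runs on are constructed here, and its b64/b32 pairing check assumes the convention used above of writing every syscall rule for both ABIs.

```bash
#!/bin/sh
# Added example, not part of the original guide: a pre-load sanity check for an
# audit rules file. It never talks to the kernel, so it runs without root and
# can sit in CI or a config-management pipeline before the file is loaded.
# Checks:
#   1. every active line starts with an auditctl option (-w, -a, -e, -b, -D ...)
#   2. every -w and -a rule carries a -k key, otherwise ausearch -k cannot find it
#   3. every "-a ... -F arch=b64 ..." rule has an identical arch=b32 twin,
#      otherwise 32-bit callers of the same syscall go unaudited
#   4. "-e 2" (immutable mode), if present, is the last active line
# Prints one diagnostic per finding and returns 1 if there were any.
lint_audit_rules() {    # usage: lint_audit_rules <rules-file>
    file=$1
    rc=0
    lineno=0
    last_active=""
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) continue ;;    # blank lines and comments are not rules
        esac
        last_active=$line
        case "$line" in
            "-w "*|"-a "*|"-A "*|"-e "*|"-b "*|-D|"-D "*|"-f "*|"-r "*|"--backlog_wait_time "*) ;;
            *) echo "line $lineno: not an auditctl rule: $line"; rc=1 ;;
        esac
        case "$line" in
            "-w "*|"-a "*)
                case " $line " in
                    *" -k "*) ;;
                    *) echo "line $lineno: rule has no -k key: $line"; rc=1 ;;
                esac ;;
        esac
    done < "$file"

    if grep -q '^-e 2' "$file" && [ "$last_active" != "-e 2" ]; then
        echo "'-e 2' must be the last active line, but '$last_active' follows it"
        rc=1
    fi

    # Strip the arch token from every -a rule and require each b64 rule to have
    # a b32 counterpart. The read loop runs in a subshell, so its output is
    # collected instead of setting rc inside it.
    b64=$(grep '^-a ' "$file" | grep -e '-F arch=b64' | sed 's/-F arch=b64 //' | sort)
    b32=$(grep '^-a ' "$file" | grep -e '-F arch=b32' | sed 's/-F arch=b32 //' | sort)
    missing=$(printf '%s\n' "$b64" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        printf '%s\n' "$b32" | grep -qxF -e "$rule" \
            || echo "no arch=b32 twin for 64-bit rule: $rule"
    done)
    if [ -n "$missing" ]; then
        echo "$missing"
        rc=1
    fi
    return $rc
}

# Constructed sample files for demonstration (not the rules files of the guide).
make_sample_rules() {   # usage: make_sample_rules good|bad ; prints the temp file path
    f=$(mktemp) || return 1
    if [ "$1" = good ]; then
        cat > "$f" <<'EOF'
# clean file: control options, a watch, a matched syscall pair, immutable last
-D
-b 8192
-w /etc/sudoers -p wa -k privilege_escalation
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid!=0 -k privilege_escalation
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid!=0 -k privilege_escalation
-e 2
EOF
    else
        cat > "$f" <<'EOF'
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -k file_permissions
-w /etc/hosts -p wa
-e 2
-w /etc/shadow -p wa -k user_accounts
w /etc/passwd -p wa -k user_accounts
EOF
    fi
    printf '%s\n' "$f"
}

good=$(make_sample_rules good)
bad=$(make_sample_rules bad)
lint_audit_rules "$good" && echo "sample good file: clean"
lint_audit_rules "$bad" || echo "sample bad file: rejected"
rm -f "$good" "$bad"
```

Run it as `lint_audit_rules /etc/audit/rules.d/system-calls.rules` on each file before the auditctl -R step; the non-zero exit status lets a deployment script stop before a half-loaded rule set reaches the kernel.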
Configure log rotation
Set up logrotate for the audit log so that old logs are compressed and kept for the period your compliance framework requires without filling the disk. auditd already rotates by size when max_log_file is reached, so with both mechanisms in place rotation happens at whichever limit comes first. The postrotate hook uses the legacy service wrapper rather than systemctl because auditd.service is marked RefuseManualStop=yes on several distributions, which makes systemctl refuse to stop it.

```
# /etc/logrotate.d/auditd (example file name)
/var/log/audit/audit.log {
    weekly
    rotate 52
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root root
    postrotate
        /sbin/service auditd restart 2> /dev/null || true
    endscript
}
```
Verify your setup
Test the audit configuration and verify that events are being logged correctly.

```bash
# Check audit service status
sudo systemctl status auditd

# List active audit rules
sudo auditctl -l

# Test file monitoring by creating, changing and deleting a test file
sudo touch /etc/test-audit-file
sudo chmod 755 /etc/test-audit-file
sudo rm /etc/test-audit-file

# Search for the test events: the chmod matches the file_permissions key and
# the rm matches file_deletion. No watch above covers /etc itself, so the
# system_config key only fires for /etc/hostname. Because the commands ran
# under sudo, the same events also appear under privilege_escalation.
sudo ausearch -k file_permissions -ts recent
sudo ausearch -k file_deletion -ts recent
```
Analyzing audit logs
Generate audit reports
Use aureport to generate summary reports of audit activity. These reports help identify patterns and compliance violations.

```bash
# Generate daily summary report
sudo aureport --start today

# Authentication report
sudo aureport --auth --summary

# File access report
sudo aureport --file --summary

# User activity report
sudo aureport --user --summary

# Failed events report
sudo aureport --failed
```
Search audit logs
Use ausearch to find specific audit events by time, user, file, or keyword. This helps investigate security incidents.

```bash
# Search for events by user
sudo ausearch -ua root --start today

# Search for privilege escalation events
sudo ausearch -k privilege_escalation --start today

# Search for file access events
sudo ausearch -k user_accounts --start today

# Search for failed authentication
sudo ausearch --message USER_AUTH --success no

# Search by process ID
sudo ausearch -p 1234
```
Set up automated monitoring alerts
Create a script that checks the audit log for suspicious activity and raises alerts through syslog, then run it on a schedule. Note that ausearch's recent keyword means the last 10 minutes, while the timer below fires every 15 minutes, so five minutes of each cycle go unchecked; ausearch's --checkpoint option, which remembers the last event seen, closes that gap.

```bash
#!/bin/bash
# /usr/local/bin/audit-monitor.sh
# Runs as root from the systemd service below, where sudo is redundant but
# harmless; it also works when run by hand from a sudo-capable account.

# Check for privilege escalation in the last 10 minutes ("recent")
if sudo ausearch -k privilege_escalation --start recent | grep -q "type=SYSCALL"; then
    echo "ALERT: Privilege escalation detected" | logger -p auth.warning
fi

# Check for failed authentication attempts
if sudo ausearch --message USER_AUTH --success no --start recent | grep -q "type=USER_AUTH"; then
    echo "ALERT: Failed authentication attempts detected" | logger -p auth.warning
fi

# Check for file permission changes
if sudo ausearch -k file_permissions --start recent | grep -q "type=SYSCALL"; then
    echo "INFO: File permissions changed" | logger -p auth.info
fi
```

```bash
sudo chmod +x /usr/local/bin/audit-monitor.sh
```
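Both ausearch (above) and the alert script work on the raw audit.log, where one event is spread across several records (SYSCALL, EXECVE, CWD, PATH) that share the msg=audit(timestamp:serial) field. The function below, added as an example and not part of this guide or of the audit tools, performs that join in awk so an alert can say who ran what instead of only that a type=SYSCALL line exists; it also decodes the hex-encoded key field that appears when one event matched several rules. The function name and the sample log records it runs on are constructed for this example.

```bash
#!/bin/sh
# Added example, not part of the original guide: join the records of each
# audit event on its msg=audit(<timestamp>:<serial>) field and print, for
# every SYSCALL record tagged with the requested key, the login uid, the
# outcome, the binary and the argv taken from the matching EXECVE record.
# When a record matched several rules its key= field is not a quoted string
# but hex, with the keys separated by \001; that form is decoded too.
audit_events_for_key() {    # usage: audit_events_for_key <audit.log> <key>
    awk -v key="$2" '
    # value of a name=value field on the current record, quotes kept
    function fld(name,    i) {
        for (i = 2; i <= NF; i++) if (index($i, name "=") == 1) return substr($i, length(name) + 2)
        return ""
    }
    function dq(v) { gsub(/"/, "", v); return v }
    function hexval(p,    d) {
        d = "0123456789abcdef"
        return (index(d, tolower(substr(p, 1, 1))) - 1) * 16 + index(d, tolower(substr(p, 2, 1))) - 1
    }
    function unhex(h,    i, out) {
        out = ""
        for (i = 1; i < length(h); i += 2) out = out sprintf("%c", hexval(substr(h, i, 2)))
        return out
    }
    # true when the key field (one quoted key, or a hex key list) contains key
    function has_key(raw,    n, i, ks) {
        if (raw == "") return 0
        if (raw ~ /^"/) return dq(raw) == key
        n = split(unhex(raw), ks, "\001")
        for (i = 1; i <= n; i++) if (ks[i] == key) return 1
        return 0
    }
    # argv of an EXECVE record: the a0, a1, ... fields in order
    function argv(    i, v, s) {
        s = ""
        for (i = 2; i <= NF; i++) if ($i ~ /^a[0-9]+=/) { v = $i; sub(/^a[0-9]+=/, "", v); s = s (s == "" ? "" : " ") dq(v) }
        return s
    }
    {
        if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
        id = substr($0, RSTART + 10, RLENGTH - 11)     # "<timestamp>:<serial>"
        if ($1 == "type=SYSCALL" && has_key(fld("key"))) {
            hit[id] = 1; auid[id] = fld("auid"); succ[id] = fld("success"); exe[id] = dq(fld("exe"))
        } else if ($1 == "type=EXECVE") {
            args[id] = argv()
        }
    }
    END {
        for (id in hit) {
            a = (id in args) ? args[id] : "-"
            printf "event=%s auid=%s success=%s exe=%s argv=%s\n", id, auid[id], succ[id], exe[id], a
        }
    }' "$1" | sort
}

# Constructed sample records (not a real capture) in raw audit.log format: a
# sudo chmod (event 4567, matched by two rules so its key is hex-encoded),
# the chmod syscall itself (4568), a sudo cat of /etc/shadow (4570) and an
# unrelated failed SSH login (4571).
make_sample_audit_log() {   # prints the temp file path
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=5581a0 a1=5581b0 a2=5581c0 a3=8 items=2 ppid=4100 pid=4101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="chmod" exe="/usr/bin/chmod" subj=unconfined key=70726976696c6567655f657363616c6174696f6e0170726f636573735f657865637574696f6e
type=EXECVE msg=audit(1700000000.123:4567): argc=3 a0="chmod" a1="755" a2="/etc/test-audit-file"
type=CWD msg=audit(1700000000.123:4567): cwd="/root"
type=PATH msg=audit(1700000000.123:4567): item=0 name="/usr/bin/chmod" inode=1234 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.125:4568): arch=c000003e syscall=90 success=yes exit=0 a0=5581d0 a1=1ed a2=0 a3=0 items=1 ppid=4100 pid=4101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="chmod" exe="/usr/bin/chmod" subj=unconfined key="file_permissions"
type=PATH msg=audit(1700000000.125:4568): item=0 name="/etc/test-audit-file" inode=5678 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.401:4570): arch=c000003e syscall=59 success=yes exit=0 a0=5591a0 a1=5591b0 a2=5591c0 a3=8 items=2 ppid=4200 pid=4201 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" subj=unconfined key="privilege_escalation"
type=EXECVE msg=audit(1700000000.401:4570): argc=2 a0="cat" a1="/etc/shadow"
type=USER_AUTH msg=audit(1700000000.500:4571): pid=4300 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="bob" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=failed'
EOF
    printf '%s\n' "$f"
}

log=$(make_sample_audit_log)
echo "privilege_escalation events:"; audit_events_for_key "$log" privilege_escalation
echo "file_permissions events:";     audit_events_for_key "$log" file_permissions
rm -f "$log"
```

In the alert script this replaces the bare grep: `audit_events_for_key /var/log/audit/audit.log privilege_escalation` yields one line per event with the login uid and command line, which is what an analyst needs when the syslog alert arrives.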
Create systemd timer for monitoring
Set up automatic execution of the audit monitoring script using systemd timers. The two unit files below go in /etc/systemd/system/.

```ini
# /etc/systemd/system/audit-monitor.service
[Unit]
Description=Audit Log Monitor

[Service]
Type=oneshot
ExecStart=/usr/local/bin/audit-monitor.sh
User=root
```

```ini
# /etc/systemd/system/audit-monitor.timer
[Unit]
Description=Run audit monitor every 15 minutes
Requires=audit-monitor.service

[Timer]
OnCalendar=*:0/15
Persistent=true

[Install]
WantedBy=timers.target
```

```bash
sudo systemctl daemon-reload
sudo systemctl enable --now audit-monitor.timer
sudo systemctl status audit-monitor.timer
```
Common issues
| Symptom | Cause | Fix |
|---|---|---|
| Audit service fails to start | Configuration syntax error | `sudo auditctl -l` shows what loaded; `journalctl -u auditd` reports the offending line |
| No audit events logged | Audit rules not loaded | `sudo augenrules --load` (auditctl -R takes one file at a time) |
| Disk space issues | Log rotation not configured | Configure logrotate and set max_log_file and num_logs in auditd.conf |
| High CPU usage | Too many or too broad audit rules | Trim noisy rules (directory watches, socket and execve) and raise the kernel backlog with -b in the rules file |
| Cannot modify rules | Immutable mode (-e 2) enabled | Remove the -e 2 line from the rules file and reboot; immutable mode cannot be cleared by restarting auditd |
| ausearch returns no results | Wrong time format | Use --start today or --start recent instead of raw timestamps |