
Audit Logging with auditd on Linux

By Admin · Feb 25, 2026 · Updated Apr 23, 2026

What is auditd?

The Linux Audit Daemon (auditd) records security-relevant events: file access, command execution, authentication attempts, and system calls. It provides a tamper-resistant audit trail for compliance and forensics.

Installation

sudo apt install -y auditd audispd-plugins
sudo systemctl enable --now auditd

Add Audit Rules

# Watch sensitive files
sudo auditctl -w /etc/passwd -p wa -k identity
sudo auditctl -w /etc/shadow -p wa -k identity
sudo auditctl -w /etc/sudoers -p wa -k sudo_changes
sudo auditctl -w /etc/ssh/sshd_config -p wa -k sshd_config

# Watch web directory for changes
sudo auditctl -w /var/www/html -p wa -k web_changes

# Monitor command execution by root
sudo auditctl -a always,exit -F arch=b64 -S execve -F uid=0 -k root_commands

Persistent Rules

Rules loaded with auditctl are lost at reboot. To keep them, add them to /etc/audit/rules.d/custom.rules:

-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /var/www/html -p wa -k web_changes

Then compile and load the rule files:

sudo augenrules --load

Searching Audit Logs

# Search by key
sudo ausearch -k identity

# Recent events
sudo ausearch -ts recent

# Events by user
sudo ausearch -ua 1000

# Generate report
sudo aureport --summary
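The rules above produce multi-record events in /var/log/audit/audit.log that share one msg=audit(timestamp:serial) id: a SYSCALL record carrying the key, the auid/uid and the exe, plus EXECVE (argv), CWD and PATH records. The example below is added here and is not code from the original page or from the audit project; it parses a constructed sample of such records, correlates them by serial, and filters them by key or login uid the way `ausearch -k` and `ausearch -ua` do. The function names, the sample records and the field list it hex-decodes are my own choices; auditd hex-encodes argv, path and comm values that contain spaces or control characters, and the parser handles that form.

```python
import re
from collections import defaultdict

# Constructed sample of raw audit.log records (not real captured data).
# Serials 456 and 458: execve by root (the -S execve -F uid=0 rule, key root_commands).
# Serial 457: a write-open of /etc/passwd (the -w /etc/passwd -p wa rule, key identity).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1740480000.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="root_commands"
type=EXECVE msg=audit(1740480000.123:456): argc=2 a0="cat" a1="/etc/shadow"
type=CWD msg=audit(1740480000.123:456): cwd="/root"
type=PATH msg=audit(1740480000.123:456): item=0 name="/usr/bin/cat" inode=1001 mode=0100755 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1740480010.500:457): arch=c000003e syscall=257 success=yes exit=3 ppid=1234 pid=1240 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="identity"
type=CWD msg=audit(1740480010.500:457): cwd="/etc"
type=PATH msg=audit(1740480010.500:457): item=0 name="/etc/passwd" inode=2002 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1740480020.750:458): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1250 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="root_commands"
type=EXECVE msg=audit(1740480020.750:458): argc=2 a0="cat" a1=2F746D702F6D792066696C65
"""

# type=TYPE msg=audit(SECONDS.MILLIS:SERIAL): field=value field=value ...
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _decode_value(rtype, name, raw):
    """Strip quotes, or hex-decode values auditd encodes because they contain spaces."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    hex_field = name in ("cwd", "name", "comm", "proctitle") or (
        rtype == "EXECVE" and re.fullmatch(r"a\d+", name)
    )
    if hex_field and re.fullmatch(r"[0-9A-F]+", raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line):
    """Parse one raw audit line into type, timestamp, serial and a field dict (None if malformed)."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {name: _decode_value(rtype, name, raw) for name, raw in FIELD_RE.findall(body)}
    return {"type": rtype, "ts": float(ts), "serial": int(serial), "fields": fields}


def group_events(log_text):
    """Group records into events: all records of one event share the same serial."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def summarize_event(records):
    """Collapse an event's SYSCALL/EXECVE/PATH records into one 'who ran what on which file' row."""
    s = {"serial": records[0]["serial"], "ts": records[0]["ts"], "key": None, "auid": None,
         "uid": None, "exe": None, "syscall": None, "success": None, "argv": [], "paths": []}
    for rec in records:
        f = rec["fields"]
        if rec["type"] == "SYSCALL":
            s.update(key=f.get("key"), auid=f.get("auid"), uid=f.get("uid"), exe=f.get("exe"),
                     syscall=f.get("syscall"), success=f.get("success"))
        elif rec["type"] == "EXECVE":
            # argv is spread over a0..a(argc-1); keep it in order
            s["argv"] = [f.get(f"a{i}", "") for i in range(int(f.get("argc", 0)))]
        elif rec["type"] == "PATH":
            s["paths"].append(f.get("name"))
    return s


def search(log_text, key=None, auid=None):
    """Rough analogue of `ausearch -k KEY` / `ausearch -ua AUID`: filter on the rule key
    and on the login uid (auid), which survives sudo and so identifies the human behind uid=0."""
    events = group_events(log_text)
    results = []
    for serial in sorted(events):
        s = summarize_event(events[serial])
        if key is not None and s["key"] != key:
            continue
        if auid is not None and s["auid"] != str(auid):
            continue
        results.append(s)
    return results


if __name__ == "__main__":
    for s in search(SAMPLE_LOG):
        print(f"{s['serial']} key={s['key']} auid={s['auid']} uid={s['uid']} "
              f"exe={s['exe']} argv={s['argv']} paths={s['paths']}")
```

Running it shows why the key and the auid matter: both root_commands events and the identity event were performed as uid=0, but the auid field ties all three back to login uid 1000, and the key lets you pull just the /etc/passwd write out of everything else root did in that session.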
