
How to Configure Linux Audit Framework (auditd) Rules

By Admin · Mar 15, 2026 · Updated Apr 23, 2026 · 216 views · 3 min read

The Linux Audit Framework (auditd) provides comprehensive system auditing that logs security-relevant events — file access, system calls, user commands, and authentication events. It is essential for compliance (PCI-DSS, HIPAA, SOC 2) and forensic investigation.

Installing auditd

sudo apt install auditd audispd-plugins    # Ubuntu/Debian
sudo dnf install audit                      # AlmaLinux/Rocky

sudo systemctl enable --now auditd

Understanding Audit Rules

# Two types of rules:
# 1. File/directory watches (-w)
#    Watch a file for reads, writes, attribute changes, executes
# 2. System call rules (-a)
#    Log specific system calls with filters

# Rule flags:
# -w path           Watch a file/directory
# -p rwxa           Permissions to watch (read/write/execute/attribute change)
# -k keyname        Tag for searching logs (shows up as key="keyname" in each record)
# -a action,filter  System call rule (e.g. always,exit = log on syscall exit)
# -S syscall        System call to match (repeat for several)
# -F field=value    Filter on a field such as arch=b64, uid=, auid=

Essential Audit Rules

# /etc/audit/rules.d/audit.rules
# Rules in rules.d are merged into /etc/audit/audit.rules and loaded with augenrules --load (or at auditd start).

# Monitor authentication files
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/gshadow -p wa -k identity

# Monitor sudoers
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers

# Monitor SSH configuration
-w /etc/ssh/sshd_config -p wa -k sshd_config

# Monitor crontab files
-w /etc/crontab -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /var/spool/cron/ -p wa -k cron

# Monitor login/logout events
-w /var/log/lastlog -p wa -k logins
-w /var/log/faillog -p wa -k logins

# Monitor system startup scripts
-w /etc/init.d/ -p wa -k init
-w /etc/systemd/ -p wa -k systemd

# Monitor kernel modules
-w /sbin/insmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /sbin/rmmod -p x -k modules

# Monitor privilege escalation
# arch=b64 matches only 64-bit calls; on kernels that still allow 32-bit syscalls, an arch=b32 copy of the rule is needed too
-a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation

# Monitor file deletion
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -k file_deletion

# Make the configuration immutable (requires reboot to change); keep this as the last line,
# since nothing after it is loaded and auditctl -D / autrace no longer work until reboot
-e 2

Searching Audit Logs

# Search by key
ausearch -k identity

# Search by time range
ausearch -ts today -te now -k identity

# Search by user
ausearch -ua 1000

# Search for specific events
ausearch -m USER_LOGIN -ts today

# Generate a summary report
aureport --summary

# Authentication report
aureport -au

# File access report
aureport -f

# System call report
aureport -s
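The -k tags from the rules above end up as key="..." in each SYSCALL record, and ausearch joins the SYSCALL, CWD and PATH lines of one event by the serial inside msg=audit(time:serial). Here is an added example (not from the article) that does the same join in Python over constructed, trimmed audit.log lines, so you can see what "search by key" is actually matching; the sample records and the small x86_64 syscall-name table are assumptions for the demo.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not captured from a real host, fields trimmed);
# the layout follows auditd's raw format: type=<T> msg=audit(<epoch>:<serial>): k=v k="v" ...
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1710500000.123:456): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vipw" exe="/usr/sbin/vipw" key="identity"
type=CWD msg=audit(1710500000.123:456): cwd="/root"
type=PATH msg=audit(1710500000.123:456): item=0 name="/etc/" inode=2 dev=fd:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1710500000.123:456): item=1 name="/etc/passwd" inode=131 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1710500010.500:457): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=1200 pid=1240 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="file_deletion"
type=CWD msg=audit(1710500010.500:457): cwd="/home/alice"
type=PATH msg=audit(1710500010.500:457): item=0 name="/home/alice/" inode=40 dev=fd:01 mode=040700 ouid=1000 ogid=1000 nametype=PARENT
type=PATH msg=audit(1710500010.500:457): item=1 name="/home/alice/notes.txt" inode=41 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 nametype=DELETE
type=USER_LOGIN msg=audit(1710500020.000:458): pid=1300 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=/dev/pts/1 res=success'
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
# a value is double-quoted, single-quoted (USER_* records nest k=v inside msg='...') or bare
FIELD = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
# x86_64 (arch=c000003e) numbers for the syscalls the rules above log; ausearch -i does this lookup
SYSCALL_X86_64 = {87: "unlink", 263: "unlinkat", 82: "rename", 264: "renameat",
                  105: "setuid", 106: "setgid", 257: "openat"}


def parse_record(line):
    """Split one raw line into (type, timestamp, serial, {field: value}); quotes are stripped."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip("\"'") for k, v in FIELD.findall(m.group(4))}
    return m.group(1), float(m.group(2)), int(m.group(3)), fields


def group_events(text):
    """Join the records of one event by serial, as ausearch does, keeping line order."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec[2]].append(rec)
    return events


def events_for_key(text, key):
    """Summarise each SYSCALL event tagged with -k <key>: who ran what against which paths."""
    hits = []
    for serial, recs in sorted(group_events(text).items()):
        sc = next((f for t, _, _, f in recs if t == "SYSCALL"), None)
        if not sc or sc.get("key") != key:
            continue
        # PARENT entries are the containing directory; the other PATH items are the real targets
        paths = [f["name"] for t, _, _, f in recs if t == "PATH" and f.get("nametype") != "PARENT"]
        hits.append({"serial": serial, "auid": int(sc["auid"]), "uid": int(sc["uid"]), "exe": sc["exe"],
                     "syscall": SYSCALL_X86_64.get(int(sc["syscall"]), sc["syscall"]),
                     "success": sc["success"] == "yes", "paths": paths})
    return hits


if __name__ == "__main__":
    for hit in events_for_key(SAMPLE_LOG, "identity"):
        print(hit)  # auid=1000 became uid=0 and opened /etc/passwd via vipw
```

Note that auid (the login UID) survives sudo/su, which is why it, not uid, is the field to pivot on when attributing a change.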

Real-Time Monitoring

# Watch audit events in real time
tail -f /var/log/audit/audit.log

# Use autrace to trace a specific command (run as root; it refuses to start while rules are
# loaded, so delete them first with auditctl -D, which is impossible once -e 2 is in effect)
autrace /usr/bin/ls /etc
# autrace prints the PID it traced when it finishes; the process is gone by then, so pidof
# cannot find it. Search with the printed value, with -i to interpret uids and syscall names
ausearch -i -p <pid printed by autrace>

Performance Considerations

  • Audit rules add overhead — be selective about what you audit
  • Use key tags (-k) to make log searching efficient
  • Set log rotation (max_log_file and max_log_file_action in /etc/audit/auditd.conf) to prevent disk space issues
  • Consider sending logs to a remote SIEM (the audisp-remote plugin from audispd-plugins forwards them)
