Overview
auditctl dynamically manages rules for the Linux audit system. These rules are defined at the kernel level and can be configured to log various events, including specific file accesses, system calls, and user activities. Audit logs are typically stored in the /var/log/audit/audit.log file.
Key Features
- Add and delete audit rules
- View a list of currently active audit rules
- Monitor file and directory access
- Monitor specific system calls
- Configure user and group-based audit rules
Installation
auditctl is part of the 'audit' or 'auditd' package. If it's not installed by default on your Linux distribution, you can install it using the following commands.
Debian/Ubuntu
sudo apt update
sudo apt install auditd
Install auditctl on Debian or Ubuntu-based systems.
RHEL/CentOS/Fedora
sudo yum install audit
# or
sudo dnf install audit
Install auditctl on RHEL, CentOS, or Fedora-based systems.
After installation, you need to start and enable the auditd service: `sudo systemctl enable auditd --now`
Key Options
The auditctl command uses various options to define and manage audit rules.
Usage Examples
Various examples of setting up audit rules using auditctl.
List All Current Audit Rules
sudo auditctl -l
View all audit rules currently loaded in the kernel.
Monitor Changes to /etc/passwd
sudo auditctl -w /etc/passwd -p wa -k passwd_changes
Monitor all write (w) and attribute change (a) accesses to the /etc/passwd file and assign the key 'passwd_changes'.
Monitor Read Attempts on /etc/shadow
sudo auditctl -w /etc/shadow -p r -k shadow_read
Monitor read (r) attempts on the /etc/shadow file and assign the key 'shadow_read'.
Monitor File Creation/Deletion in /var/log Directory
sudo auditctl -a always,exit -F dir=/var/log -F perm=wa -S creat,unlink -k log_dir_changes
Monitor the creation (creat) and deletion (unlink) system calls for files within the /var/log directory, and assign the key 'log_dir_changes'. Only those two system calls are matched: files created with open(O_CREAT) or removed with unlinkat() are not covered by this rule.
Monitor File Deletion Attempts by a Specific User (UID)
sudo auditctl -a always,exit -F arch=b64 -S unlink -F auid=1000 -k user_file_delete
Monitor the unlink system call for files deleted by the user whose login UID (auid) is 1000; auid is set at login and survives su/sudo, so the rule still matches after a privilege change. The 64-bit system call table is selected explicitly with arch=b64.
Delete All Audit Rules
sudo auditctl -D
Deletes all currently loaded audit rules. (Caution: Use with care.)
Delete Rules with a Specific Key
sudo auditctl -W /etc/passwd -p wa -k passwd_changes
Deletes the watch rule with the key 'passwd_changes'. -W takes the same path, permissions and key as the -w rule that added it (-d takes no file path; a syscall rule is removed with -d list,action followed by the same fields, e.g. sudo auditctl -d always,exit -F arch=b64 -S unlink -F auid=1000 -k user_file_delete).
Tips & Precautions
Useful tips and precautions when using auditctl.
Persisting Rules
Rules added with auditctl are lost upon system reboot. To make rules persistent, write them (in the same syntax, without the leading 'auditctl') to a file in /etc/audit/rules.d/ such as /etc/audit/rules.d/audit.rules; 'augenrules --load' merges every *.rules file in that directory into /etc/audit/audit.rules and loads the result, and 'systemctl restart auditd' does the same at service start.
- Rule File: /etc/audit/rules.d/audit.rules
- Apply Rules: sudo augenrules --load
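The following script, added here as an example and not taken from the page or the audit project, turns the rules from the usage examples above into a persistent rules.d file and loads it. The file name 50-page-examples.rules, the AUDIT_RULES_DIR override and the validate_rules_file check are assumptions of this example; the rule lines themselves are the page's, with -F arch=b64 added to the /var/log rule as the architecture tip recommends.

```shell
#!/bin/sh
# Added example (not from the original page): persist the page's auditctl rules
# via /etc/audit/rules.d and load them with augenrules.
# AUDIT_RULES_DIR and the file name 50-page-examples.rules are assumptions.

RULES_DIR="${AUDIT_RULES_DIR:-/etc/audit/rules.d}"
RULES_FILE="50-page-examples.rules"

# Rules in the same syntax auditctl accepts on the command line, minus the
# leading "auditctl"; augenrules concatenates every *.rules file in rules.d.
render_rules() {
    cat <<'EOF'
## Rules from the auditctl usage examples (persistent form)
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p r -k shadow_read
-a always,exit -F arch=b64 -F dir=/var/log -F perm=wa -S creat,unlink -k log_dir_changes
-a always,exit -F arch=b64 -S unlink -F auid=1000 -k user_file_delete
EOF
}

# Write the rules file into the given directory (default: RULES_DIR) and print
# its path. Mode 0640 via umask: the rule set reveals what is being watched.
write_rules_file() {
    dir="${1:-$RULES_DIR}"
    mkdir -p "$dir"
    ( umask 027; render_rules > "$dir/$RULES_FILE" )
    printf '%s\n' "$dir/$RULES_FILE"
}

# Sanity check before loading: every non-comment line must be a -w or -a rule
# and carry a -k key, otherwise ausearch -k cannot find its events later.
validate_rules_file() {
    awk '/^#/ || /^$/ { next }
         !(/^-[wa] / && / -k /) { print "bad rule: " $0 > "/dev/stderr"; bad++ }
         END { exit bad ? 1 : 0 }' "$1"
}

# Merge and load the rule set, then list what the kernel actually holds.
# Needs root and a running auditd.
load_rules() {
    if command -v augenrules >/dev/null 2>&1; then
        augenrules --load && auditctl -l
    else
        echo "augenrules not found; install the audit package first" >&2
        return 1
    fi
}

# Usage: sudo sh persist-rules.sh install
if [ "${1:-}" = "install" ]; then
    f=$(write_rules_file) && validate_rules_file "$f" && load_rules
fi
```

Keep each concern in its own rules.d file (watches, syscall rules, a final "-e 2" lock if you use one) so augenrules merges them in name order and a single bad line is easy to locate from the auditctl error message.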
Performance Impact
Setting too many audit rules or monitoring broad directories can impact system performance. It's recommended to configure only the necessary minimum rules and focus on critical paths.
Checking Log Files
Audit events are recorded in the /var/log/audit/audit.log file. Using ausearch and aureport commands is an efficient way to examine this log.
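As an added example, not from the page or the audit project, the script below does in plain awk what 'aureport -k' and 'ausearch -k KEY' do on a real system: it counts SYSCALL records per rule key and lists the login UID, outcome and command for one key. The log records are constructed samples in the audit.log format; on a live host set AUDIT_LOG (an assumption of this example) to /var/log/audit/audit.log and run it as root.

```shell
#!/bin/sh
# Added example (not from the original page): a minimal ausearch/aureport-like
# summary over audit.log records. The sample records below are constructed.
# AUDIT_LOG is an assumed override; the default is the real audit.log path.

LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"

# Constructed sample records (SYSCALL plus one PATH record), not real data.
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=900 pid=901 auid=1000 uid=0 gid=0 euid=0 comm="cat" exe="/usr/bin/cat" key="shadow_read"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/shadow" inode=1234 mode=0100640
type=SYSCALL msg=audit(1700000000.205:202): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=950 pid=951 auid=1001 uid=1001 gid=1001 euid=1001 comm="less" exe="/usr/bin/less" key="shadow_read"
type=SYSCALL msg=audit(1700000000.310:203): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=700 pid=701 auid=1000 uid=0 gid=0 euid=0 comm="rm" exe="/usr/bin/rm" key="user_file_delete"
type=SYSCALL msg=audit(1700000000.420:204): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=800 pid=801 auid=0 uid=0 gid=0 euid=0 comm="vipw" exe="/usr/sbin/vipw" key="passwd_changes"
EOF
}

# Count SYSCALL records per rule key (roughly what `aureport -k` reports).
count_by_key() {
    awk '$1 == "type=SYSCALL" {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^key=/) { k = substr($i, 6); gsub(/"/, "", k); n[k]++ }
    } END { for (k in n) print k, n[k] }' "${1:-$LOG}" | sort
}

# Number of records for one key; prints 0 when the key never fired.
count_key() {
    count_by_key "${2:-$LOG}" |
        awk -v key="$1" '$1 == key { print $2; found = 1 } END { if (!found) print 0 }'
}

# Who touched the watched object: auid is the login user and survives sudo,
# success=no marks a denied attempt. Like `ausearch -k KEY`, without -i name lookup.
events_for_key() {
    awk -v key="\"$1\"" '$1 == "type=SYSCALL" {
        split("", f)
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n) f[substr($i, 1, n - 1)] = substr($i, n + 1)
        }
        if (f["key"] == key)
            printf "%s auid=%s success=%s comm=%s\n", f["msg"], f["auid"], f["success"], f["comm"]
    }' "${2:-$LOG}"
}

# Usage: sh audit-summary.sh [KEY]  (summary of every key, then details for KEY)
if [ -n "${1:-}" ]; then
    count_by_key
    events_for_key "$1"
fi
```

A denied read of /etc/shadow (success=no, exit=-13) from an unprivileged auid is exactly the kind of record the 'shadow_read' watch exists to surface; the msg field's serial number links the SYSCALL record to its PATH record for the file name.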
Specifying Architecture (-F arch=b64/b32)
When monitoring system calls, it's advisable to explicitly specify '-F arch=b64' for 64-bit systems and '-F arch=b32' for 32-bit systems, as system call numbers can differ between architectures.