Overview
auditctl dynamically manages rules for the Linux audit system. These rules are defined at the kernel level and can be configured to log various events such as specific file access, system calls, and user activities. Audit logs are typically stored in the /var/log/audit/audit.log file.
Key Features
- Add and delete audit rules
- View a list of currently active audit rules
- Monitor file and directory access
- Monitor specific system calls
- Configure user and group-based audit rules
Installation
auditctl is part of the 'audit' or 'auditd' package. If it's not installed by default on your Linux distribution, you can install it using the following commands.
Debian/Ubuntu
sudo apt update
sudo apt install auditd
Install auditctl on Debian or Ubuntu-based systems.
RHEL/CentOS/Fedora
sudo yum install audit
# or
sudo dnf install audit
Install auditctl on RHEL, CentOS, or Fedora-based systems.
After installation, you need to start and enable the auditd service: `sudo systemctl enable auditd --now`
Key Options
The auditctl command uses various options to define and manage audit rules.
Rule Management
Rule Definition
Usage Examples
Various examples of setting up audit rules using auditctl.
List All Current Audit Rules
sudo auditctl -l
Check all audit rules currently loaded in the kernel.
Monitor Changes to /etc/passwd
sudo auditctl -w /etc/passwd -p wa -k passwd_changes
Monitor all write (w) and attribute change (a) access to the /etc/passwd file and assign the key 'passwd_changes'.
Monitor Read Attempts on /etc/shadow
sudo auditctl -w /etc/shadow -p r -k shadow_read
Monitor read (r) attempts on the /etc/shadow file and assign the key 'shadow_read'.
Monitor File Creation/Deletion in /var/log
sudo auditctl -a always,exit -F arch=b64 -F dir=/var/log -F perm=wa -S creat,openat,unlink,unlinkat -k log_dir_changes
Monitor file creation (creat, openat with a write/create flag) and deletion (unlink, unlinkat) system calls within the /var/log directory and assign the key 'log_dir_changes'. The openat and unlinkat variants are included because modern tools (rm, editors, most libc wrappers) go through them rather than the legacy calls, and the arch filter is given explicitly, as recommended under Tips below.
Monitor Specific User (UID) File Deletion Attempts
sudo auditctl -a always,exit -F arch=b64 -S unlink,unlinkat -F auid=1000 -k user_file_delete
Monitor the unlink and unlinkat system calls for file deletions by the user whose login UID (auid) is 1000, on the 64-bit system call ABI. unlinkat is included because rm and most modern tools delete through it rather than unlink; auid is the UID assigned at login and is kept across su and sudo, so the rule still matches after the user escalates privileges.
Delete All Audit Rules
sudo auditctl -D
Deletes all currently loaded audit rules. Use with care: every watch and syscall rule is dropped at once.
Delete Rule with a Specific Key
sudo auditctl -W /etc/passwd -p wa -k passwd_changes
Deletes the watch on /etc/passwd. -W takes the same path, permissions and key that were given to -w when the rule was added; a syscall rule is removed with -d followed by the same list,action and fields it was added with (for example -d always,exit -F arch=b64 ...). Run auditctl -l to see the exact rule text to repeat.
Tips & Precautions
Useful tips and precautions when using auditctl.
Persistent Rule Storage
Rules added with auditctl disappear upon system reboot. To make rules persistent, add them to the /etc/audit/rules.d/audit.rules file and apply them using 'augenrules --load' or 'systemctl restart auditd'.
- Rule File: /etc/audit/rules.d/audit.rules
- Apply Rules: sudo augenrules --load
Performance Impact
Setting too many audit rules or monitoring extensive directories can impact system performance. It is recommended to configure only the necessary minimum rules and focus on critical paths.
Checking Log Files
Audit events are recorded in the /var/log/audit/audit.log file. Using ausearch and aureport commands is an efficient way to check these logs.
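An added example, not part of the original page, of reading the log without ausearch: a few audit.log lines in the real record format are constructed into a temporary file, and a small awk filter pulls out the SYSCALL records carrying a given rule key, showing the login UID (auid), whether the call succeeded, and the program. On a live system `sudo ausearch -k shadow_read -i` gives the same view with UIDs and syscall numbers resolved to names; the awk version is handy for a log copied off a host or when the audit userspace tools are not installed.

```shell
#!/bin/sh
# Added example: filter audit.log records by rule key.
# The log lines below are constructed for this example, not real events.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd3a1b a2=241 a3=1b6 items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="passwd_changes"
type=PATH msg=audit(1700000000.101:201): item=1 name="/etc/passwd" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd3a1c a2=0 a3=0 items=1 ppid=2200 pid=2234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" key="shadow_read"
type=PATH msg=audit(1700000000.202:202): item=0 name="/etc/shadow" inode=5678 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:203): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd3a1d a2=0 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="shadow_read"
EOF

# Print one line per SYSCALL record tagged with KEY:
#   <event id> auid=<login uid> success=<yes|no> <comm> <exe>
# auid is the UID at login and survives su/sudo; 4294967295 means "no login
# session" (daemons, boot-time work), which is why rules often exclude it.
audit_hits_for_key() {
    logfile="$1"; key="$2"
    awk -v want="\"$key\"" '
        $1 == "type=SYSCALL" {
            id = auid = ok = comm = exe = k = ""
            for (i = 2; i <= NF; i++) {
                eq = index($i, "="); if (eq == 0) continue
                name = substr($i, 1, eq - 1); val = substr($i, eq + 1)
                if      (name == "msg")     id   = val
                else if (name == "auid")    auid = val
                else if (name == "success") ok   = val
                else if (name == "comm")    comm = val
                else if (name == "exe")     exe  = val
                else if (name == "key")     k    = val
            }
            if (k == want) print id, "auid=" auid, "success=" ok, comm, exe
        }' "$logfile"
}

# Number of matching records, useful for a quick threshold check.
audit_count_for_key() {
    audit_hits_for_key "$1" "$2" | wc -l | tr -d ' '
}

# Failed calls by a real login user are usually the interesting subset:
# a denied read of /etc/shadow by an interactive user is worth a look,
# a successful read by sshd during login is expected.
audit_failed_hits_for_key() {
    audit_hits_for_key "$1" "$2" | grep 'success=no' | grep -v 'auid=4294967295'
}

audit_hits_for_key "$SAMPLE_LOG" shadow_read
```

The filter keys on the `key=` field the rules assigned, which is why every rule in the usage examples carries a -k: without a key, a record can only be found by path or syscall number.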
Specify Architecture (-F arch=b64/b32)
When monitoring system calls, it is advisable to explicitly specify '-F arch=b64' for 64-bit systems and '-F arch=b32' for 32-bit systems, as system call numbers can differ between architectures.
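As an added example that is not part of the original page, the persistence tip and the architecture tip above combined into one script: the rules from the usage examples are written as a persistent rules file under /etc/audit/rules.d (the file name 50-baseline.rules is an assumption), each syscall rule is emitted once per ABI, and the file is linted before loading so that a syscall rule without an arch filter, or any rule without a key, is rejected. The install step needs root and a running auditd, so it sits in its own function and is not called by default.

```shell
#!/bin/sh
# Added example: persistent auditctl rules with an arch/key lint.
# RULES_DIR and the file name 50-baseline.rules are assumptions, not from the page.
RULES_DIR="${RULES_DIR:-/etc/audit/rules.d}"
RULES_FILE="$RULES_DIR/50-baseline.rules"

# The rule set, in the same syntax auditctl accepts on the command line.
# augenrules merges every *.rules file in RULES_DIR into /etc/audit/audit.rules.
baseline_rules() {
    cat <<'EOF'
## Flush existing rules and enlarge the kernel backlog so bursts are not dropped
-D
-b 8192
## Watches (path based, no arch needed)
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p r -k shadow_read
## Syscall rules: one line per ABI, because syscall numbers differ between b64 and b32.
## auid>=1000 limits to login users; auid!=4294967295 skips daemons with no login session.
-a always,exit -F arch=b64 -S unlink,unlinkat -F auid>=1000 -F auid!=4294967295 -k user_file_delete
-a always,exit -F arch=b32 -S unlink,unlinkat -F auid>=1000 -F auid!=4294967295 -k user_file_delete
EOF
}

# Lint rules on stdin. Exit 1 if any syscall rule lacks -F arch=... or any
# -a/-w rule lacks a -k key (keys are what ausearch -k later filters on).
lint_rules() {
    awk '
        /^-a / && /-S / && !/-F arch=b(32|64)/ { bad++; print "missing arch: " $0 > "/dev/stderr" }
        /^-[aw] / && !/-k /                    { bad++; print "missing key: "  $0 > "/dev/stderr" }
        END { exit bad ? 1 : 0 }'
}

# Write the file and load it with augenrules; needs root and a running auditd.
install_rules() {
    baseline_rules | lint_rules || { echo "rules failed lint, not installing" >&2; return 1; }
    baseline_rules > "$RULES_FILE"
    augenrules --load
    auditctl -l
}

# On a real system, run as root:
# install_rules
```

Running the lint in the same script that writes the file means a rule that would silently never fire (a 64-bit-only rule on a host that also runs 32-bit binaries, or a rule nobody can search for) is caught before augenrules loads it.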