Auditd - Linux Audit Daemon
The Linux Audit Daemon (auditd) is a crucial security service that logs system events. This page provides essential commands and guidance for managing auditd, configuring rules, and analyzing logs to enhance your system's security posture.
Auditd Service Management
Control the auditd service using standard system service commands. This section covers starting, stopping, and restarting the daemon.
# To start/restart/stop auditd
service auditd start/restart/stop
Managing Audit Rules
Audit rules define what events are logged. Learn how to view existing rules and create new ones, both temporarily and permanently.
Listing Active Audit Rules
# To list active audit rules
auditctl -l
Creating Temporary Watch Rules
Temporarily watch a file for specific access types (r/w/x/a: read, write, execute, attribute change). Rules added this way do not survive a reboot, which makes them useful for testing or short-term analysis.
# To create a watch rule for a file for audit purposes temporarily
auditctl -w <File to watch> -p <permission r/w/x/a> -k <Identifier>
Creating Permanent Watch Rules
To ensure your audit rules persist across reboots, configure them in the audit rules file.
vim /etc/audit/rules.d/audit.rules
# and append a rule with the following syntax
-w <File to watch> -p <permission r/w/x/a> -k <Identifier>
# Reload the service with
service auditd reload
Filtering and Searching Audit Logs
Effectively search and analyze the logs generated by auditd. This section covers using ausearch and aureport.
Searching Logs by Identifier
Use the ausearch command to find specific events based on the identifiers you defined in your rules.
# To search for events by the identifier (key) set in a rule; -i interprets numeric fields (uid, syscall, ...) into names
ausearch -i -k <Identifier>
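As an added example that is not part of the original cheatsheet: a small Python reimplementation of what `ausearch -k <Identifier>` (and the `-i` interpretation of proctitle) does, run over constructed sample audit.log records. The rule key `passwd_watch`, the pids and the timestamp are made up; the record layout (SYSCALL, CWD, PATH and PROCTITLE records linked by one serial) is the real one, so the example shows how a watch-rule hit is tied back to its key.

```python
import re
from collections import defaultdict

# Constructed sample of raw audit.log records (not a real log). One watch-rule hit is
# emitted as SYSCALL, CWD, PATH and PROCTITLE records sharing one msg=audit(ts:serial).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2b3f40 a2=80000 a3=0 items=1 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="passwd_watch"
type=CWD msg=audit(1700000000.123:456): cwd="/root"
type=PATH msg=audit(1700000000.123:456): item=0 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.123:456): proctitle=636174002F6574632F706173737764
"""

MSG_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Group raw lines by serial: one event = every record carrying the same serial."""
    events = defaultdict(lambda: {"types": {}})
    for m in filter(None, map(MSG_RE.match, text.splitlines())):
        rtype, ts, serial, body = m.groups()
        ev = events[int(serial)]
        ev["ts"] = float(ts)
        ev["types"].setdefault(rtype, []).append(
            {k: v.strip('"') for k, v in KV_RE.findall(body)})
    return events

def decode_proctitle(value):
    """What `ausearch -i` does for proctitle: hex-encoded, NUL-separated argv when the
    command line held non-printables; otherwise it is already a plain string (heuristic)."""
    try:
        return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ")
    except ValueError:
        return value

def events_for_key(text, key):
    """Equivalent of `ausearch -k <key>`: summarise events whose SYSCALL record has the key."""
    out = []
    for serial, ev in sorted(parse_records(text).items()):
        sc = next((s for s in ev["types"].get("SYSCALL", []) if s.get("key") == key), None)
        if sc is None:
            continue
        proc = ev["types"].get("PROCTITLE", [{}])[0].get("proctitle", "")
        out.append({
            "serial": serial, "ts": ev["ts"], "comm": sc["comm"], "exe": sc["exe"],
            "auid": int(sc["auid"]), "uid": int(sc["uid"]),  # auid: login user, survives su/sudo
            "success": sc["success"] == "yes",
            "paths": [p["name"] for p in ev["types"].get("PATH", []) if "name" in p],
            "cmdline": decode_proctitle(proc),
        })
    return out
```

Calling `events_for_key(SAMPLE_LOG, "passwd_watch")` yields one event showing that login user 1000, running as uid 0, read /etc/passwd with `cat /etc/passwd`; the auid field is what lets you attribute a root action back to the person who logged in.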
Generating Audit Reports
The aureport command is powerful for generating various types of security reports from audit logs.
# To list the report types and options aureport offers
aureport --help
Further Resources
For more in-depth information on auditd and its capabilities, refer to the official Linux audit documentation.