
Comprehensive Guide to Linux Server Auditing with auditctl | Wafatech

In today’s world of increasing security threats and regulatory requirements, auditing your Linux servers has become a necessity. Auditing lets you detect unexpected changes to your system and provides a record of system activity for compliance reviews. This article will guide you through using auditctl, part of the Linux Auditing System, to monitor your Linux server effectively.

What is auditctl?

auditctl is a command-line utility used to control the Linux auditing system. It lets system administrators configure audit rules that determine which events the kernel’s audit subsystem reports and the audit daemon (auditd) writes to the log. When properly configured, the system records events such as file access, user authentication, and system calls, giving you a detailed record of what is happening on your server.

Installing the Audit Daemon

Before diving into auditctl, make sure the Audit daemon is installed on your system. On most Linux distributions, you can install it using your package manager.

For Debian/Ubuntu:

sudo apt-get update

sudo apt-get install auditd audispd-plugins

For RHEL/CentOS:

sudo yum install audit

After installation, enable and start the audit daemon:

sudo systemctl enable auditd

sudo systemctl start auditd

Ensure that the service is running:

sudo systemctl status auditd

Basic Commands of auditctl

Check Current Audit Rules

To see what audit rules are currently in place, use:

sudo auditctl -l

Add an Audit Rule

To monitor a specific file or directory, you can add an audit rule. For example, to audit changes to the /etc/passwd file, you would run:

sudo auditctl -w /etc/passwd -p rwxa -k passwd_changes

  • -w specifies the path (file or directory) to watch.
  • -p specifies the permissions to monitor (r = read, w = write, x = execute, a = attribute change).
  • -k assigns a key to the rule, making the matching log entries easy to search for.

Remove an Audit Rule

To remove a watch rule, issue the same rule with -W in place of -w:

sudo auditctl -W /etc/passwd -p rwxa -k passwd_changes

(The -d switch deletes syscall rules and takes a list,action argument, not a path, so it is not the right way to remove a watch.)
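Rules added with auditctl live only in the running kernel and are gone after a reboot. The following added example (not from the article) keeps the same -w/-W rules from the two sections above in an auditd rules file instead. It assumes the common layout in which auditd loads /etc/audit/rules.d/*.rules through augenrules; the file path is a parameter so the functions can be exercised on a scratch file without root.

```shell
#!/bin/sh
# Added example, not from the article: manage watch rules in an auditd rules
# file so they survive a reboot, mirroring the -w (add) and -W (remove)
# commands shown in the text. Assumes auditd loads /etc/audit/rules.d/*.rules
# via augenrules; FILE is passed explicitly so this can run unprivileged.

# valid_perms PERMS: true only for a non-empty string made of the letters
# auditctl accepts after -p (r read, w write, x execute, a attribute change)
valid_perms() {
    case "$1" in
        '')         return 1 ;;
        *[!rwxa]*)  return 1 ;;
        *)          return 0 ;;
    esac
}

# watch_rule PATH PERMS KEY: print the rule line as it appears in a rules file
# (same switches as the interactive command, without the auditctl prefix)
watch_rule() {
    valid_perms "$2" || { echo "watch_rule: invalid -p value '$2'" >&2; return 1; }
    printf '%s %s %s %s %s %s\n' -w "$1" -p "$2" -k "$3"
}

# add_watch FILE PATH PERMS KEY: append the rule to FILE unless it is already there
add_watch() {
    rule=$(watch_rule "$2" "$3" "$4") || return 1
    mkdir -p "$(dirname "$1")"
    touch "$1"
    grep -qxF -- "$rule" "$1" || printf '%s\n' "$rule" >> "$1"
}

# remove_watch FILE PATH: drop every -w rule for PATH, the persistent
# counterpart of auditctl -W
remove_watch() {
    tmp=$(mktemp)
    awk -v p="$2" '!($1 == "-w" && $2 == p)' "$1" > "$tmp"
    mv "$tmp" "$1"
}

# Typical use as root:
#   add_watch /etc/audit/rules.d/10-passwd.rules /etc/passwd rwxa passwd_changes
#   augenrules --load     # push the rules files into the running kernel
```

After editing a rules file, `augenrules --load` rebuilds /etc/audit/audit.rules and loads it, and `auditctl -l` should then show the watch both now and after the next reboot.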

Listing Log Entries

Logs generated by auditd are stored in /var/log/audit/audit.log. You can use the ausearch command to filter and search through the generated logs. For instance:

sudo ausearch -k passwd_changes
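Every audit event is split across several records (SYSCALL, CWD, PATH, PROCTITLE) that share the serial number inside `msg=audit(timestamp:serial)`; ausearch -k joins them for you. The added example below (not from the article) does that join by hand with awk over a constructed audit.log sample, so you can see which record carries which piece of information: the SYSCALL record holds the key, the login uid (auid), the effective uid and the success flag, while the PATH record with nametype=NORMAL names the file itself. The key passwd_changes is the one from the article's -w rule; the other key and all field values are constructed.

```shell
#!/bin/sh
# Added example, not from the article: correlate raw audit.log records by
# event serial the way ausearch -k does. The log below is constructed sample
# data in the standard auditd record format (nametype is assumed present,
# as on any recent kernel).

# write_sample_log: write the constructed records to a temp file, print its path
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c3e2a4c0 a2=80241 a3=1b6 items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="passwd_changes"
type=CWD msg=audit(1700000000.101:201): cwd="/root"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:201): item=1 name="/etc/passwd" inode=131090 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.101:201): proctitle=76696D002F6574632F706173737764
type=SYSCALL msg=audit(1700000000.250:202): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2a0 a2=0 a3=0 items=1 ppid=1300 pid=1301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" key="sshd_config"
type=PATH msg=audit(1700000000.250:202): item=0 name="/etc/ssh/sshd_config" inode=131200 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.300:203): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd2b0 a2=241 a3=1b6 items=1 ppid=1400 pid=1401 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts2 ses=5 comm="sh" exe="/usr/bin/dash" key="passwd_changes"
type=PATH msg=audit(1700000000.300:203): item=0 name="/etc/passwd" inode=131090 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
EOF
    printf '%s\n' "$f"
}

# audit_events_for_key LOGFILE KEY
# One line per event tagged with KEY: serial, login uid (auid), effective uid,
# program name, success flag, and the file from the NORMAL PATH item.
audit_events_for_key() {
    awk -v key="$2" '
    # fld(rec, name): value of name=... in a record, quotes stripped
    function fld(rec, name,    m) {
        if (match(rec, " " name "=\"[^\"]*\"")) {
            m = substr(rec, RSTART, RLENGTH)
            sub(/^ [a-z_]+="/, "", m); sub(/"$/, "", m)
            return m
        }
        if (match(rec, " " name "=[^ ]+")) {
            m = substr(rec, RSTART, RLENGTH)
            sub(/^ [a-z_]+=/, "", m)
            return m
        }
        return ""
    }
    # evid(rec): the serial inside msg=audit(timestamp:serial), shared by
    # every record of one event
    function evid(rec,    m) {
        match(rec, /audit\([0-9.]+:[0-9]+\)/)
        m = substr(rec, RSTART, RLENGTH)
        sub(/^audit\([0-9.]+:/, "", m); sub(/\)$/, "", m)
        return m
    }
    $1 == "type=SYSCALL" && fld($0, "key") == key {
        id = evid($0)
        order[++n] = id
        auid[id] = fld($0, "auid"); uid[id] = fld($0, "uid")
        comm[id] = fld($0, "comm"); ok[id] = fld($0, "success")
    }
    $1 == "type=PATH" {
        id = evid($0)
        # nametype=NORMAL is the object itself; PARENT is its directory
        if ((id in comm) && fld($0, "nametype") == "NORMAL") path[id] = fld($0, "name")
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            printf "serial=%s auid=%s uid=%s comm=%s success=%s path=%s\n",
                   id, auid[id], uid[id], comm[id], ok[id], path[id]
        }
    }' "$1"
}

# Stand-alone run on the constructed sample:
log=$(write_sample_log)
audit_events_for_key "$log" passwd_changes
rm -f "$log"
```

Two things the join makes visible that the raw file hides: auid survives su/sudo, so the first event is attributable to login uid 1000 even though the edit ran as uid 0, and a denied write (success=no) is recorded just like a successful one because the watch fires on the attempted access, not its outcome. On a real server, prefer `ausearch -k passwd_changes -i` and `aureport -k`, which do the same correlation and also translate uids and syscall numbers.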

Source: https://wafatech.sa/blog/linux/linux-security/comprehensive-guide-to-linux-server-auditing-with-auditctl/
