Set up comprehensive audit logging with auditd daemon to track file system changes, process execution, and network connections for security compliance and forensic analysis.
Prerequisites
- Root or sudo access
- Basic understanding of Linux system administration
- Email server configured for report notifications (optional)
What this solves
Linux audit logging provides comprehensive tracking of system activities including file access, process execution, network connections, and user actions. This tutorial configures auditd daemon for security compliance frameworks like PCI DSS, SOX, and HIPAA that require detailed activity monitoring and forensic capabilities.
Step-by-step installation
Update system packages
Start by updating your package manager to ensure you get the latest versions of audit tools.
sudo apt update && sudo apt upgrade -yInstall audit daemon and tools
Install auditd daemon and audit tools for log analysis and rule management.
sudo apt install -y auditd audispd-plugins auditConfigure audit daemon settings
Configure the main auditd daemon settings for log location, size limits, and behavior when disk space is low.
# Log file location
log_file = /var/log/audit/audit.log
Log file size in MB (default 6MB)
max_log_file = 50
Number of log files to keep
num_logs = 10
Action when log file reaches max size
max_log_file_action = rotate
Action when disk space is low
space_left_action = email
action_mail_acct = root@example.com
Action when disk is full
disk_full_action = suspend
Format for timestamp
log_format = enriched
Enable kernel audit messages
local_events = yes
write_logs = yes
Priority for auditd process
priority_boost = 4
Flush audit records to disk
flush = incremental_async
Frequency of flushing
freq = 50Set up file system monitoring rules
Create audit rules to monitor critical system files and directories for unauthorized changes.
# Monitor sensitive system files
-w /etc/passwd -p wa -k user_accounts
-w /etc/shadow -p wa -k user_accounts
-w /etc/group -p wa -k user_accounts
-w /etc/sudoers -p wa -k privilege_escalation
-w /etc/sudoers.d/ -p wa -k privilege_escalation
Monitor system configuration
-w /etc/ssh/sshd_config -p wa -k ssh_config
-w /etc/hosts -p wa -k network_config
-w /etc/hostname -p wa -k network_config
-w /etc/resolv.conf -p wa -k network_config
Monitor boot and kernel
-w /boot/ -p wa -k boot_files
-w /etc/grub.conf -p wa -k boot_files
-w /etc/grub2.cfg -p wa -k boot_files
Monitor cron jobs
-w /etc/cron.allow -p wa -k cron_config
-w /etc/cron.deny -p wa -k cron_config
-w /etc/cron.d/ -p wa -k cron_config
-w /etc/cron.daily/ -p wa -k cron_config
-w /etc/cron.hourly/ -p wa -k cron_config
-w /etc/cron.monthly/ -p wa -k cron_config
-w /etc/cron.weekly/ -p wa -k cron_config
-w /var/spool/cron/ -p wa -k cron_config
Monitor system logs
-w /var/log/auth.log -p wa -k auth_logs
-w /var/log/secure -p wa -k auth_logs
-w /var/log/messages -p wa -k system_logsConfigure process and system call monitoring
Set up rules to monitor process execution, privilege escalation, and system calls that could indicate malicious activity.
# Monitor privilege escalation
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k privilege_escalation
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k privilege_escalation
Monitor sudo usage
-a always,exit -F arch=b64 -S execve -F path=/usr/bin/sudo -k sudo_usage
-a always,exit -F arch=b32 -S execve -F path=/usr/bin/sudo -k sudo_usage
Monitor process termination
-a always,exit -F arch=b64 -S kill -k process_termination
-a always,exit -F arch=b32 -S kill -k process_termination
Monitor file permission changes
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k permission_changes
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k permission_changes
Monitor file ownership changes
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k ownership_changes
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k ownership_changes
Monitor file deletion
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=-1 -k file_deletion
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=-1 -k file_deletion
Monitor kernel module operations
-w /sbin/insmod -p x -k kernel_modules
-w /sbin/rmmod -p x -k kernel_modules
-w /sbin/modprobe -p x -k kernel_modules
-a always,exit -F arch=b64 -S init_module,delete_module -k kernel_modules
-a always,exit -F arch=b32 -S init_module,delete_module -k kernel_modulesSet up network monitoring rules
Configure audit rules to track network connections and socket operations for security analysis.
# Monitor network connections
-a always,exit -F arch=b64 -S socket -F a0=2 -k network_connections
-a always,exit -F arch=b32 -S socket -F a0=2 -k network_connections
-a always,exit -F arch=b64 -S socket -F a0=10 -k network_connections
-a always,exit -F arch=b32 -S socket -F a0=10 -k network_connections
Monitor bind operations
-a always,exit -F arch=b64 -S bind -k network_bind
-a always,exit -F arch=b32 -S bind -k network_bind
Monitor connect operations
-a always,exit -F arch=b64 -S connect -k network_connect
-a always,exit -F arch=b32 -S connect -k network_connect
Monitor network configuration changes
-w /etc/network/interfaces -p wa -k network_config
-w /etc/sysconfig/network-scripts/ -p wa -k network_config
-w /etc/netplan/ -p wa -k network_config
Monitor firewall changes
-w /sbin/iptables -p x -k firewall_changes
-w /sbin/ip6tables -p x -k firewall_changes
-w /usr/sbin/ufw -p x -k firewall_changes
-w /usr/sbin/firewall-cmd -p x -k firewall_changesConfigure immutable audit rules
Set the audit configuration as immutable to prevent tampering with audit rules during runtime.
# Make audit configuration immutable
This must be the last rule in the configuration
-e 2Set up log rotation for audit logs
Configure logrotate to manage audit log files and prevent disk space issues.
/var/log/audit/*.log {
daily
rotate 30
compress
delaycompress
missingok
notifempty
create 640 root root
postrotate
/sbin/service auditd restart 2> /dev/null || true
endscript
}Enable and start audit daemon
Enable auditd to start automatically on boot and start the service immediately.
sudo systemctl enable auditd
sudo systemctl start auditd
sudo systemctl status auditdLoad audit rules
Load the audit rules and verify they are active in the kernel.
sudo auditctl -R /etc/audit/rules.d/
sudo auditctl -lVerify your setup
Test that audit logging is working correctly by checking service status and generating test events.
# Check auditd service status
sudo systemctl status auditd
Verify audit rules are loaded
sudo auditctl -s
sudo auditctl -l | head -20
Check audit log location and permissions
ls -la /var/log/audit/
Generate test events
sudo touch /tmp/audit_test
sudo chmod 777 /tmp/audit_test
sudo rm /tmp/audit_test
Search for test events in audit logs
sudo ausearch -k file_deletion -ts recent
sudo ausearch -k permission_changes -ts recentAnalyze audit logs
Use audit tools to search and analyze logged events for security monitoring and compliance reporting.
Search audit logs by event type
Use ausearch to find specific types of security events in the audit logs.
# Search for privilege escalation events
sudo ausearch -k privilege_escalation -ts today
Search for file permission changes
sudo ausearch -k permission_changes -ts today
Search for user account modifications
sudo ausearch -k user_accounts -ts today
Search for network connections
sudo ausearch -k network_connections -ts today
Search for sudo usage
sudo ausearch -k sudo_usage -ts todayGenerate compliance reports
Create formatted reports from audit logs for compliance documentation and security analysis.
# Generate daily activity report
sudo aureport -ts today
Generate user activity summary
sudo aureport -u -ts today
Generate file access report
sudo aureport -f -ts today
Generate executable report
sudo aureport -x -ts today
Generate login report
sudo aureport -l -ts todaySet up automated compliance reporting
Create a script to generate daily audit reports and email them to security teams. This integrates well with encrypted backup strategies for long-term audit retention.
#!/bin/bash
Daily audit report generation
REPORT_DATE=$(date +%Y-%m-%d)
REPORT_FILE="/tmp/audit-report-${REPORT_DATE}.txt"
EMAIL="security@example.com"
echo "Audit Report for ${REPORT_DATE}" > "${REPORT_FILE}"
echo "===============================" >> "${REPORT_FILE}"
echo "" >> "${REPORT_FILE}"
echo "System Activity Summary:" >> "${REPORT_FILE}"
sudo aureport -ts today >> "${REPORT_FILE}"
echo "" >> "${REPORT_FILE}"
echo "User Activity:" >> "${REPORT_FILE}"
sudo aureport -u -ts today >> "${REPORT_FILE}"
echo "" >> "${REPORT_FILE}"
echo "Privilege Escalation Events:" >> "${REPORT_FILE}"
sudo ausearch -k privilege_escalation -ts today >> "${REPORT_FILE}" 2>/dev/null || echo "No events found" >> "${REPORT_FILE}"
echo "" >> "${REPORT_FILE}"
echo "File Permission Changes:" >> "${REPORT_FILE}"
sudo ausearch -k permission_changes -ts today >> "${REPORT_FILE}" 2>/dev/null || echo "No events found" >> "${REPORT_FILE}"
echo "" >> "${REPORT_FILE}"
Send report via email
if command -v mail >/dev/null 2>&1; then
cat "${REPORT_FILE}" | mail -s "Daily Audit Report - ${REPORT_DATE}" "${EMAIL}"
fi
Clean up
rm -f "${REPORT_FILE}"sudo chmod 755 /usr/local/bin/audit-report.shSchedule automated reports
Set up a cron job to run daily audit reports automatically. This works well with systemd timer configuration for more advanced scheduling.
sudo crontab -e# Daily audit report at 6 AM
0 6 * /usr/local/bin/audit-report.shWarning: Once audit rules are set to immutable with "-e 2", you cannot modify them without rebooting. Use "-e 1" for testing and "-e 2" only in production.
Configure centralized audit logging
For enterprise environments, configure audit logs to be sent to a central logging server for aggregation and analysis. This integrates with ELK Stack deployments for comprehensive log management.
Configure audisp for log forwarding
Set up the audit dispatcher to forward logs to remote syslog servers.
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = stringConfigure rsyslog for audit forwarding
Configure rsyslog to forward audit messages to a central log server.
# Forward audit logs to central server
$ModLoad imuxsock
$SystemLogSocketName /run/systemd/journal/syslog
Forward all audit logs to remote server
local6.* @@logserver.example.com:514
Also log locally
local6.* /var/log/audit-remote.logsudo systemctl restart rsyslogCommon issues
| Symptom | Cause | Fix |
|---|---|---|
| auditd fails to start | Invalid rule syntax | sudo auditctl -R /etc/audit/rules.d/ to test rules |
| Audit logs filling disk | No log rotation configured | Configure logrotate and set max_log_file_action |
| Rules not loading on boot | Rules not in /etc/audit/rules.d/ | Move rules to rules.d directory and restart auditd |
| Cannot modify rules | Audit system set to immutable | Reboot system or remove "-e 2" rule |
| High CPU usage | Too many audit rules | Reduce rule scope and use specific file paths |
| Missing network events | Architecture-specific rules missing | Include both b32 and b64 rules for syscalls |
| Permission denied on logs | Incorrect log file permissions | sudo chmod 640 /var/log/audit/* |
Next steps
- Set up centralized log aggregation with ELK Stack for advanced audit log analysis
- Configure OSSEC HIDS to complement audit logging with intrusion detection
- Integrate audit logs with SIEM platforms for enterprise security monitoring
- Create Grafana dashboards for visual audit log analysis
- Automate audit configuration across multiple servers with Ansible
Automated install script
Run this to automate the entire setup
install.sh
#!/usr/bin/env bash
set -euo pipefail
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
# Configuration
AUDITD_CONF="/etc/audit/auditd.conf"
AUDIT_RULES="/etc/audit/rules.d/custom.rules"
BACKUP_DIR="/opt/audit-backup-$(date +%Y%m%d-%H%M%S)"
# Functions
log_info() {
echo -e "${BLUE}[INFO]${NC} $1"
}
log_success() {
echo -e "${GREEN}[SUCCESS]${NC} $1"
}
log_warning() {
echo -e "${YELLOW}[WARNING]${NC} $1"
}
log_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
cleanup() {
if [ -d "$BACKUP_DIR" ]; then
log_warning "Installation failed. Restoring from backup..."
if [ -f "$BACKUP_DIR/auditd.conf" ]; then
cp "$BACKUP_DIR/auditd.conf" "$AUDITD_CONF"
fi
if [ -f "$BACKUP_DIR/custom.rules" ]; then
cp "$BACKUP_DIR/custom.rules" "$AUDIT_RULES"
fi
systemctl restart auditd 2>/dev/null || service auditd restart 2>/dev/null || true
fi
exit 1
}
trap cleanup ERR
usage() {
echo "Usage: $0 [EMAIL]"
echo " EMAIL: Email address for audit alerts (default: root@localhost)"
exit 1
}
# Parse arguments
EMAIL=${1:-"root@localhost"}
if [[ "$EMAIL" =~ ^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$ ]]; then
log_info "Using email: $EMAIL"
else
log_error "Invalid email format: $EMAIL"
usage
fi
# Check if running as root
if [[ $EUID -ne 0 ]]; then
log_error "This script must be run as root"
exit 1
fi
# Detect distribution
if [ -f /etc/os-release ]; then
. /etc/os-release
case "$ID" in
ubuntu|debian)
PKG_MGR="apt"
PKG_INSTALL="apt install -y"
PKG_UPDATE="apt update && apt upgrade -y"
AUDIT_PACKAGES="auditd audispd-plugins"
;;
almalinux|rocky|centos|rhel|ol|fedora)
PKG_MGR="dnf"
PKG_INSTALL="dnf install -y"
PKG_UPDATE="dnf update -y"
AUDIT_PACKAGES="audit audit-libs"
;;
amzn)
PKG_MGR="yum"
PKG_INSTALL="yum install -y"
PKG_UPDATE="yum update -y"
AUDIT_PACKAGES="audit audit-libs"
;;
*)
log_error "Unsupported distribution: $ID"
exit 1
;;
esac
else
log_error "Cannot detect distribution"
exit 1
fi
log_info "Detected distribution: $ID"
# Create backup directory
echo "[1/6] Creating backup directory..."
mkdir -p "$BACKUP_DIR"
if [ -f "$AUDITD_CONF" ]; then
cp "$AUDITD_CONF" "$BACKUP_DIR/"
fi
if [ -f "$AUDIT_RULES" ]; then
cp "$AUDIT_RULES" "$BACKUP_DIR/"
fi
log_success "Backup created at $BACKUP_DIR"
# Update system packages
echo "[2/6] Updating system packages..."
$PKG_UPDATE
log_success "System packages updated"
# Install audit daemon and tools
echo "[3/6] Installing audit daemon and tools..."
$PKG_INSTALL $AUDIT_PACKAGES
log_success "Audit packages installed"
# Configure audit daemon settings
echo "[4/6] Configuring audit daemon settings..."
cat > "$AUDITD_CONF" << EOF
# Audit daemon configuration
log_file = /var/log/audit/audit.log
log_format = enriched
log_group = adm
priority_boost = 4
flush = incremental_async
freq = 50
max_log_file = 50
num_logs = 10
max_log_file_action = rotate
space_left = 100
space_left_action = email
action_mail_acct = $EMAIL
admin_space_left = 50
admin_space_left_action = suspend
disk_full_action = suspend
disk_error_action = suspend
use_libwrap = yes
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
name_format = none
local_events = yes
write_logs = yes
EOF
chown root:root "$AUDITD_CONF"
chmod 640 "$AUDITD_CONF"
log_success "Audit daemon configured"
# Set up audit rules
echo "[5/6] Setting up audit rules..."
mkdir -p "$(dirname "$AUDIT_RULES")"
cat > "$AUDIT_RULES" << 'EOF'
# Delete all existing rules
-D
# Set buffer size
-b 8192
# Set failure mode (0=silent, 1=printk, 2=panic)
-f 1
# Monitor sensitive system files
-w /etc/passwd -p wa -k user_accounts
-w /etc/shadow -p wa -k user_accounts
-w /etc/group -p wa -k user_accounts
-w /etc/sudoers -p wa -k privilege_escalation
-w /etc/sudoers.d/ -p wa -k privilege_escalation
# Monitor system configuration
-w /etc/ssh/sshd_config -p wa -k ssh_config
-w /etc/hosts -p wa -k network_config
-w /etc/hostname -p wa -k network_config
-w /etc/resolv.conf -p wa -k network_config
# Monitor boot files
-w /boot/ -p wa -k boot_files
# Monitor cron configuration
-w /etc/cron.allow -p wa -k cron_config
-w /etc/cron.deny -p wa -k cron_config
-w /etc/cron.d/ -p wa -k cron_config
-w /etc/crontab -p wa -k cron_config
-w /var/spool/cron/ -p wa -k cron_config
# Monitor system logs
-w /var/log/auth.log -p wa -k auth_logs
-w /var/log/secure -p wa -k auth_logs
-w /var/log/messages -p wa -k system_logs
# Monitor privilege escalation
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k privilege_escalation
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k privilege_escalation
# Monitor sudo usage
-a always,exit -F arch=b64 -S execve -F path=/usr/bin/sudo -k sudo_usage
-a always,exit -F arch=b32 -S execve -F path=/usr/bin/sudo -k sudo_usage
# Monitor file permission changes
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k permission_changes
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k permission_changes
# Monitor file ownership changes
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k ownership_changes
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k ownership_changes
# Monitor file deletion
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=-1 -k file_deletion
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=-1 -k file_deletion
# Make rules immutable (must be last)
-e 2
EOF
chown root:root "$AUDIT_RULES"
chmod 644 "$AUDIT_RULES"
log_success "Audit rules configured"
# Start and enable auditd service
echo "[6/6] Starting and enabling audit service..."
systemctl enable auditd
systemctl restart auditd
# Wait for service to start
sleep 2
log_success "Audit service started and enabled"
# Verification
echo ""
log_info "Verifying installation..."
if systemctl is-active --quiet auditd; then
log_success "✓ Auditd service is running"
else
log_error "✗ Auditd service is not running"
exit 1
fi
if [ -f /var/log/audit/audit.log ]; then
log_success "✓ Audit log file exists"
else
log_warning "! Audit log file not yet created"
fi
RULE_COUNT=$(auditctl -l | wc -l)
if [ "$RULE_COUNT" -gt 0 ]; then
log_success "✓ Audit rules loaded ($RULE_COUNT rules)"
else
log_warning "! No audit rules loaded"
fi
echo ""
log_success "Linux audit logging configuration completed!"
log_info "Configuration files:"
log_info " - Daemon config: $AUDITD_CONF"
log_info " - Audit rules: $AUDIT_RULES"
log_info " - Log file: /var/log/audit/audit.log"
log_info " - Backup: $BACKUP_DIR"
echo ""
log_info "To view audit logs: ausearch -k <key_name>"
log_info "To check rules: auditctl -l"
log_info "To monitor in real-time: tail -f /var/log/audit/audit.log"Review the script before running. Execute with: bash install.sh