Utilizing Linux’s auditd Tool: Making Hackers Visible!

Everyone knows that information security is crucial for every enterprise today, and safeguarding server security is one of the essential skills for every operations engineer. Today I will share practical insights on auditd, the kernel-level auditing tool of the Linux system, which helps you protect server security. Used well, it means that even if hackers break in, their actions are exposed!

1. Introduction to auditd

auditd is the kernel-level auditing tool for Linux systems, used for system security auditing, compliance monitoring, and troubleshooting.

2. Installing and Starting auditd

1. Installation command for Ubuntu/Debian

sudo apt update && sudo apt install auditd audispd-plugins

2. Installation command for CentOS/RHEL

sudo yum install audit audit-libs
# or
sudo dnf install audit audit-libs

3. Starting the service

sudo systemctl enable auditd
sudo systemctl start auditd
sudo systemctl status auditd

3. Components of auditd

Component   Function
auditd      Audit daemon
auditctl    Command-line tool for controlling audit rules
ausearch    Tool for searching audit logs
aureport    Tool for generating audit reports
audit.log   Log file (usually located at /var/log/audit/audit.log)

4. Basic usage commands

1. Check audit status

sudo auditctl -s

2. View current rules

sudo auditctl -l

5. Monitoring command execution

1. Monitor the rm command

sudo auditctl -w /usr/bin/rm -p x -k command_exec

2. Monitor multiple delete commands

sudo auditctl -w /usr/bin/rm -p x -k file_deletion
sudo auditctl -w /usr/bin/unlink -p x -k file_deletion
sudo auditctl -w /usr/bin/rmdir -p x -k file_deletion

3. Monitor critical system commands

sudo auditctl -w /usr/bin/passwd -p x -k password_change
sudo auditctl -w /usr/bin/sudo -p x -k privilege_escalation

4. Monitor all binary files

# Monitor all executions in the /usr/bin/ directory
sudo auditctl -w /usr/bin/ -p x -k bin_execution

Parameter Explanation:

  • -w: Path to watch

  • -p: Permission type

    • r = Read

    • w = Write

    • x = Execute

    • a = Attribute change

  • -k: Custom keyword (for search filtering)

6. Monitoring file access

1. Monitor the password file

sudo auditctl -w /etc/passwd -p wa -k passwd_change

2. Monitor the SSH configuration file

sudo auditctl -w /etc/ssh/sshd_config -p wa -k ssh_config

3. Monitor the sudoers file

sudo auditctl -w /etc/sudoers -p wa -k sudoers_change

4. Monitor important directories

sudo auditctl -w /etc/ -p wa -k etc_changes

5. Monitor related website directories

sudo auditctl -w /var/www/html/ -p wa -k web_content
sudo auditctl -w /opt/app/ -p wa -k app_files

7. Monitoring system calls

1. Monitor all system calls that delete files

sudo auditctl -a always,exit -F arch=b64 -S unlink -S unlinkat -S rmdir -k file_deletion

2. Monitor file permission changes

sudo auditctl -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -k file_permission

3. Monitor execution of privileged commands

sudo auditctl -a always,exit -F arch=b64 -S execve -k command_exec

4. Monitor all commands of a specific user

sudo auditctl -a always,exit -F arch=b64 -S execve -F auid=1000 -k user_commands

5. Monitor privileged operations by non-privileged users

sudo auditctl -a always,exit -F arch=b64 -S execve -F euid=0 -F auid!=0 -k privilege_abuse
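Two caveats apply to the syscall rules above. "-F arch=b64" matches only calls made through the 64-bit ABI, so a 32-bit binary on the same host issues the same syscalls unseen unless a matching arch=b32 rule exists; and "-F auid!=0" also matches processes whose login uid is unset (auid 4294967295, i.e. -1: boot-time daemons, cron jobs), which run as root without belonging to any user's session. The following generator is an added example, not the article's own commands; where to save its output under /etc/audit/rules.d/ is left to the reader.

```shell
#!/bin/bash
# Added example: emit each syscall rule for both ABIs (b64 and b32) and
# exclude the unset login uid from the privilege-abuse rule.
# Output goes to stdout; redirect it into a rules.d file of your choice.

# syscall_rules KEY SYSCALL... -> one always,exit rule per architecture.
syscall_rules() {
    local key="$1" arch sc flags=""
    shift
    for sc in "$@"; do flags="$flags -S $sc"; done
    for arch in b64 b32; do
        printf '%s\n' "-a always,exit -F arch=$arch$flags -k $key"
    done
}

# privilege_abuse_rules KEY -> execve with effective uid 0 by a logged-in
# non-root user; auid 4294967295 (unset) is excluded so daemons and cron
# jobs do not flood the key.
privilege_abuse_rules() {
    local arch
    for arch in b64 b32; do
        printf '%s\n' "-a always,exit -F arch=$arch -S execve -F euid=0 -F auid!=0 -F auid!=4294967295 -k $1"
    done
}

# Count the rules in a generated set (one rule per line).
rule_count() { printf '%s\n' "$1" | grep -c '^-a '; }

# Stand-alone run: a complete rule set for the deletion and privilege cases.
echo "# file deletion, both ABIs"
syscall_rules file_deletion unlink unlinkat rmdir
echo "# root privilege used from non-root login sessions"
privilege_abuse_rules privilege_abuse
```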

8. Searching and analyzing logs

1. Search by keyword

sudo ausearch -k file_deletion

2. Search by time

sudo ausearch -ts today
sudo ausearch -ts "10/05/2025 08:00:00" -te "10/05/2025 18:00:00"

3. Search by user information

sudo ausearch -ua 1000  # By user ID
sudo ausearch -ui username  # By username

4. Generate reports

# Generate file access report
sudo aureport -f -i
# Generate command execution report
sudo aureport -x -i
# Generate user activity report
sudo aureport -u -i
# Generate summary report
sudo aureport --summary
# Generate today's event report
sudo aureport -t

5. Format output

# Human-readable display
sudo ausearch -k file_deletion -i
# Show only key information
sudo ausearch -k file_deletion --raw | aureport -f -i

9. Permanent rule settings

1. Configuration file locations

  • Main configuration: /etc/audit/auditd.conf

  • Rule file: /etc/audit/rules.d/audit.rules

2. Adding permanent rules

Edit the configuration file /etc/audit/rules.d/audit.rules:

# Monitor command execution
-w /usr/bin/rm -p x -k file_deletion
-w /usr/bin/unlink -p x -k file_deletion
-w /usr/bin/rmdir -p x -k file_deletion
# Monitor important files
-w /etc/passwd -p wa -k passwd_file
-w /etc/shadow -p wa -k shadow_file
-w /etc/sudoers -p wa -k sudoers_file
# System call rules
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rmdir -k file_deletion_syscall

3. Apply rules

# Reload rules
sudo auditctl -R /etc/audit/rules.d/audit.rules
# Or restart the service
sudo systemctl restart auditd

10. Practical monitoring scripts

1. Real-time monitoring script

#!/bin/bash
# realtime_audit_monitor.sh
echo "Starting real-time monitoring of audit logs..."
# IFS= and -r keep backslashes and leading spaces in each raw record intact
sudo tail -f /var/log/audit/audit.log | while IFS= read -r line; do
    if echo "$line" | grep -q -E "rm|unlink|rmdir"; then
        echo "⚠️  Delete operation detected: $(date)"
        # Print only the exe/auid/uid fields, not the rest of the record
        echo "$line" | grep -o -E '(exe|auid|uid)=[^ ]*'
        echo "---"
    fi
done
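Each audit.log record is a list of key=value fields, so a monitor can select on the key set by -k and on auid/euid (the same condition as the privilege_abuse rule in section 7) instead of matching substrings like "rm", which also hits unrelated names. The following is an added example, not the article's script; the three sample records are constructed and shortened (real records carry more fields), and the fields they use are the standard SYSCALL record fields.

```shell
#!/bin/bash
# Added example: parse raw auditd SYSCALL records field by field and flag
# root privilege used from a non-root login session. Sample records below are
# constructed for this example, not real log output.

# Print the value of field $2 in record $1, with quotes stripped.
audit_field() {
    # A leading space lets the first field match like the others, and the
    # required space before the name stops "uid=" matching inside "auid=".
    printf ' %s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# One-line summary of who did what: login uid, effective uid, binary, rule key.
summarize() {
    printf 'auid=%s euid=%s exe=%s key=%s\n' \
        "$(audit_field "$1" auid)" "$(audit_field "$1" euid)" \
        "$(audit_field "$1" exe)"  "$(audit_field "$1" key)"
}

# True when effective uid is 0 but the login uid is a real non-root user.
# auid 4294967295 (-1) means "unset": daemons and cron jobs, which belong to
# no user session and would otherwise match every time.
is_privilege_abuse() {
    local euid auid
    euid=$(audit_field "$1" euid)
    auid=$(audit_field "$1" auid)
    [ "$euid" = 0 ] || return 1
    [ -n "$auid" ] && [ "$auid" != 0 ] && [ "$auid" != 4294967295 ]
}

# Constructed sample records: sudo rm by uid 1000, passwd by a root login, a daemon.
REC_SUDO_RM='type=SYSCALL msg=audit(1728115200.123:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2345 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="file_deletion"'
REC_ROOT_LOGIN='type=SYSCALL msg=audit(1728115260.001:4570): arch=c000003e syscall=59 success=yes exit=0 ppid=2400 pid=2401 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="passwd" exe="/usr/bin/passwd" key="password_change"'
REC_DAEMON='type=SYSCALL msg=audit(1728115300.500:4580): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/dash" key="command_exec"'

# Stand-alone run: summarize each sample and flag only the first one.
for rec in "$REC_SUDO_RM" "$REC_ROOT_LOGIN" "$REC_DAEMON"; do
    if is_privilege_abuse "$rec"; then
        echo "ALERT  $(summarize "$rec")"
    else
        echo "ok     $(summarize "$rec")"
    fi
done
```

To run it against a live system, replace the sample loop with a read over "sudo tail -f /var/log/audit/audit.log" as in the script above.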

2. Daily report script

#!/bin/bash
# daily_audit_report.sh
REPORT_FILE="/var/log/audit/daily_report_$(date +%Y%m%d).txt"
{
    echo "=== Audit Daily Report $(date) ==="
    echo "1. File deletion operations:"
    sudo ausearch -k file_deletion -ts yesterday -i
    echo ""
    echo "2. Privileged command executions:"
    sudo ausearch -k privilege_escalation -ts yesterday -i
    echo ""
    echo "3. Today's summary:"
    sudo aureport --start yesterday --end today -i
} > "$REPORT_FILE"
# Send email (if email is configured)
# mail -s "Audit Daily Report $(date)" [email protected] < $REPORT_FILE

11. Troubleshooting

1. Check service status

sudo systemctl status auditd
sudo auditctl -s

2. View log information

sudo tail -f /var/log/audit/audit.log

3. Test rules

# Create a test directory and watch it (a watch on a directory covers the files inside it)
mkdir -p /tmp/test
sudo auditctl -w /tmp/test/ -p rwa -k test
# Trigger the test with operations inside the watched directory
touch /tmp/test/testfile
cat /tmp/test/testfile
rm /tmp/test/testfile
# View logs
sudo ausearch -k test -i

12. Performance optimization configuration

Edit /etc/audit/auditd.conf

# Performance-enhancing configuration
log_file = /var/log/audit/audit.log
max_log_file = 100
max_log_file_action = ROTATE
num_logs = 5
space_left = 250
space_left_action = email
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND

13. Real-world application cases

1. Monitor web server directories

# Permanent rules added to /etc/audit/rules.d/web.rules
-w /var/www/html/ -p wa -k web_content
-w /etc/nginx/ -p wa -k nginx_config
-w /etc/apache2/ -p wa -k apache_config

2. Monitor database-related operations

# Monitor database files and commands
-w /var/lib/mysql/ -p wa -k mysql_data
-w /usr/bin/mysql -p x -k mysql_command
-w /usr/bin/mysqldump -p x -k mysql_backup

14. Conclusion

auditd is the user-space component of the Linux kernel’s auditing framework, playing an important role in system security auditing, compliance monitoring, and troubleshooting. You can explore more detailed usage on your own; in general, follow these points to get the most out of it.

  1. Test rules first before applying them to the production environment

  2. Regularly clean and archive audit logs

  3. Set disk space alerts

  4. Combine with log analysis tools (like ELK Stack)
