Linux - Linux Audit Framework (auditd)

Introduction

The Linux Audit Framework is a powerful security monitoring system designed to track and record activities occurring on a Linux system. It provides administrators with detailed information about system events, user actions, file access, and security-related operations. The framework helps organizations maintain accountability, detect unauthorized activities, investigate security incidents, and comply with regulatory standards.

The primary component of the Linux Audit Framework is the audit daemon (auditd), which collects audit records generated by the Linux kernel and stores them in log files. Unlike ordinary system logs, audit logs are specifically designed for security monitoring and forensic analysis, making them more detailed and reliable.

The Linux Audit Framework is widely used in enterprise servers, government organizations, financial institutions, healthcare environments, and any system where security and compliance are essential.

Architecture of the Linux Audit Framework

The Linux Audit Framework consists of several components that work together to collect and manage audit information.

Linux Kernel

The kernel monitors system calls and security-sensitive events. Whenever a monitored event occurs, the kernel generates an audit record and passes it to the audit subsystem.

auditd Daemon

The audit daemon receives audit records from the kernel and writes them into audit log files, usually located in:

/var/log/audit/audit.log

It also manages log rotation, storage limits, and audit configuration.

auditctl

The auditctl command is used to create, modify, and remove audit rules dynamically while the system is running.

Example:

auditctl -l

Displays all active audit rules.

augenrules

Instead of creating rules manually every time the system starts, administrators can place rule files inside:

/etc/audit/rules.d/

The augenrules utility combines these files into the active audit rule configuration during system startup.

ausearch

The ausearch command allows administrators to search audit logs based on different criteria.

Example:

ausearch -k passwd_changes

Searches for all records tagged with the key "passwd_changes".

aureport

The aureport utility generates summarized reports from audit logs.

Example:

aureport

Displays a summary of recorded audit events.

Installing auditd

On Red Hat-based systems:

sudo dnf install audit

or

sudo yum install audit

On Debian-based systems:

sudo apt install auditd

Start the service:

sudo systemctl start auditd

Enable it during boot:

sudo systemctl enable auditd

Check its status:

systemctl status auditd

Understanding Audit Rules

Audit rules tell the kernel which events should be monitored.

Rules can monitor:

  • File access

  • Directory access

  • User logins

  • System calls

  • Permission changes

  • Process execution

  • Network configuration

  • Administrative activities

Without rules, auditd records only a limited number of events.

Monitoring File Access

Suppose an administrator wants to monitor changes made to the password file.

Example:

auditctl -w /etc/passwd -p wa -k passwd_changes

Explanation:

  • -w watches the specified file.

  • -p wa monitors write and attribute changes.

  • -k passwd_changes assigns a keyword for easier searching.

Whenever /etc/passwd is modified, the event is recorded.

Monitoring a Directory

Monitor an entire directory:

auditctl -w /home/projects -p rwxa -k project_files

This records:

  • Reading files

  • Writing files

  • Executing files

  • Attribute modifications

Monitoring System Calls

System calls are requests made by applications to the Linux kernel.

Example:

auditctl -a always,exit -S execve

This logs every executed program.

Each execution records:

  • Program name

  • User ID

  • Process ID

  • Timestamp

  • Command-line arguments

Monitoring User Login Activity

Audit rules can monitor login attempts.

Example:

auditctl -w /var/log/lastlog -p wa

The administrator can determine:

  • Who logged in

  • Login time

  • Failed login attempts

  • Successful authentication

Monitoring Permission Changes

Track changes to file permissions.

Example:

auditctl -a always,exit -F arch=b64 -S chmod

Every chmod operation will be logged.

Monitoring User Account Changes

Watch changes to account configuration.

Example:

auditctl -w /etc/shadow -p wa -k shadow_changes

This records every write to the file, which includes password changes.

Viewing Active Audit Rules

Display all rules:

auditctl -l

Example output:

-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes

Searching Audit Logs

The ausearch command simplifies finding relevant records.

Search by keyword:

ausearch -k passwd_changes

Search by user:

ausearch -ua 1001

Search by process ID:

ausearch -p 2543

Search today's events:

ausearch -ts today

Search events within a time range:

ausearch -ts 09:00 -te 18:00

Generating Audit Reports

The aureport command summarizes audit information.

Generate a login report:

aureport -l

Generate an executable report:

aureport -x

Generate a file access report:

aureport -f

Generate a summary report:

aureport --summary

These reports help administrators quickly identify unusual activities.

Audit Log Format

A typical audit log entry looks like this (a real record is written as a single line and carries many more fields than are shown here):

type=SYSCALL msg=audit(1719999999.222:415): arch=c000003e syscall=59 success=yes uid=1000 auid=1000 exe="/usr/bin/bash"

Important fields include:

  • type – Type of audit event.

  • syscall – System call executed.

  • success – Whether the operation succeeded.

  • uid – User ID of the process.

  • auid – Original authenticated user ID.

  • exe – Executable involved.

  • msg – Timestamp and event identifier.
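As an added example (not part of the original page or of the audit project), the following script parses constructed SYSCALL records of the form shown above, decodes the syscall number for the x86_64 arch value and uses the uid/auid distinction from the field list to spot commands run after sudo or su. The record contents, the exec_monitor and perm_changes keys and all function names are invented for the example.

```shell
# Added example (not from the original page or the audit project): parse the
# single-line SYSCALL records auditd writes to /var/log/audit/audit.log, decode
# the syscall number for arch=c000003e (x86_64) and flag records whose uid
# differs from auid, i.e. actions taken after a privilege change (sudo/su).

# Two constructed records; every field value below is invented for the example.
RECORD_USER='type=SYSCALL msg=audit(1719999999.222:415): arch=c000003e syscall=59 success=yes exit=0 pid=2543 auid=1000 uid=1000 euid=1000 comm="bash" exe="/usr/bin/bash" key="exec_monitor"'
RECORD_ROOT='type=SYSCALL msg=audit(1720000010.508:416): arch=c000003e syscall=90 success=yes exit=0 pid=2544 auid=1000 uid=0 euid=0 comm="chmod" exe="/usr/bin/chmod" key="perm_changes"'

# audit_field RECORD NAME: value of NAME=... with quotes removed, empty if absent.
# The kernel hex-encodes values containing spaces, so splitting on spaces is safe.
audit_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1 | tr -d '"'
}

# audit_event_serial RECORD: SERIAL from msg=audit(EPOCH.MS:SERIAL): which ties
# the SYSCALL record to its EXECVE, PATH and CWD companion records.
audit_event_serial() {
    audit_field "$1" msg | sed 's/^audit([0-9]*\.[0-9]*:\([0-9]*\)):$/\1/'
}

# decode_syscall ARCH NUMBER: a few x86_64 names; ausyscall(8) covers all arches.
decode_syscall() {
    [ "$1" = "c000003e" ] || { echo "unknown-arch"; return; }
    case "$2" in
        59) echo execve ;;
        90) echo chmod ;;
        *)  echo "syscall-$2" ;;
    esac
}

# privilege_changed RECORD: true when uid differs from the login uid (auid), as after sudo/su.
privilege_changed() {
    [ "$(audit_field "$1" uid)" != "$(audit_field "$1" auid)" ]
}

# summarize RECORD: one readable line per record, a tiny "ausearch -i".
summarize() {
    flag=""
    privilege_changed "$1" && flag=" [uid!=auid]"
    printf 'event=%s %s success=%s uid=%s auid=%s exe=%s key=%s%s\n' \
        "$(audit_event_serial "$1")" \
        "$(decode_syscall "$(audit_field "$1" arch)" "$(audit_field "$1" syscall)")" \
        "$(audit_field "$1" success)" "$(audit_field "$1" uid)" \
        "$(audit_field "$1" auid)" "$(audit_field "$1" exe)" \
        "$(audit_field "$1" key)" "$flag"
}

summarize "$RECORD_USER"
summarize "$RECORD_ROOT"
```

The second record summarizes with a "[uid!=auid]" marker because it shows root (uid=0) acting on behalf of the user who actually logged in (auid=1000), which is the distinction the auid field exists to preserve.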

Persistent Audit Rules

Temporary rules disappear after reboot.

To make rules permanent, create a file such as:

/etc/audit/rules.d/custom.rules

Example:

-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes

Load the rules:

augenrules --load

Verify:

auditctl -l
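An added example (not the page's or the audit project's code): a lint for a rules.d file, run here over a constructed copy of the rules shown on this page, that reports rules lacking a -k key and syscall rules that do not pin -F arch=. The function names and the sample file contents are invented for the example.

```shell
# Added example (not from the original page or the audit project): lint a rules
# file destined for /etc/audit/rules.d/. It flags watch (-w) and syscall (-a)
# rules without a -k key, which ausearch -k cannot find later, and syscall rules
# that do not pin -F arch=, where 32- and 64-bit syscall numbering differ.

# Constructed rules file content; the lastlog and execve lines are the
# keyless forms shown earlier on this page.
SAMPLE_RULES='# constructed sample for /etc/audit/rules.d/custom.rules
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /var/log/lastlog -p wa
-a always,exit -S execve
-a always,exit -F arch=b64 -S chmod -k perm_changes'

# lint_rules: read rules on stdin, print one finding per problem,
# return 1 if anything was found.
lint_rules() {
    findings=0
    lineno=0
    while IFS= read -r line; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) continue ;;                     # blanks and comments
            -w\ *|-a\ *)
                case " $line " in
                    *' -k '*) ;;
                    *) echo "line $lineno: rule has no -k key: $line"
                       findings=$((findings + 1)) ;;
                esac ;;
        esac
        case "$line" in
            -a\ *)
                case "$line" in
                    *-F\ arch=*) ;;
                    *) echo "line $lineno: syscall rule without -F arch=: $line"
                       findings=$((findings + 1)) ;;
                esac ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# count_findings: number of problems in the sample, handy for scripting
count_findings() {
    printf '%s\n' "$SAMPLE_RULES" | lint_rules | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_RULES" | lint_rules || echo "fix the rules above before running augenrules --load"
```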

Log Rotation

Audit logs can become very large over time.

The audit daemon supports automatic log rotation based on:

  • Maximum log size

  • Number of archived logs

  • Available disk space

Configuration is stored in:

/etc/audit/auditd.conf

Common options include:

max_log_file = 50
num_logs = 10
max_log_file_action = ROTATE

This configuration rotates logs after they reach 50 MB and retains the 10 most recent archived logs.

Advantages of the Linux Audit Framework

  • Provides comprehensive monitoring of security-related events.

  • Records detailed information about user activities.

  • Helps detect unauthorized access and suspicious behavior.

  • Supports forensic investigations after security incidents.

  • Assists in meeting compliance requirements such as PCI-DSS, HIPAA, ISO 27001, and SOX.

  • Enables detailed tracking of system calls, file modifications, and administrative actions.

  • Integrates with security information and event management (SIEM) platforms for centralized monitoring.

  • Offers flexible rule-based monitoring tailored to organizational needs.

Limitations

  • Excessive audit rules can impact system performance.

  • Audit logs require careful storage management due to rapid growth.

  • Complex rule configurations may be difficult for beginners.

  • Regular review and maintenance of rules are necessary to ensure effectiveness.

  • Audit data must be protected from unauthorized access to preserve its integrity.

Best Practices

  • Audit only security-critical files and activities to reduce unnecessary log volume.

  • Store audit logs on secure or remote systems to prevent tampering.

  • Regularly review and update audit rules based on system changes.

  • Rotate and archive logs to manage disk usage efficiently.

  • Use meaningful keys for audit rules to simplify searching and reporting.

  • Restrict access to audit logs to authorized administrators.

  • Periodically verify that the auditd service is running and functioning correctly.

  • Combine audit logs with centralized monitoring tools for improved visibility and incident response.

Conclusion

The Linux Audit Framework (auditd) is an essential security feature that enables detailed monitoring of system activities, user actions, and critical events. By leveraging configurable audit rules, administrators can track sensitive operations, detect unauthorized behavior, and maintain comprehensive records for compliance and forensic investigations. Proper configuration, regular log review, and adherence to best practices make the Linux Audit Framework a valuable component of a robust Linux security strategy.