Posted on Sunday March 13, 2016 / by Eric Potvin

The auditctl program is used to control the behavior, get status, and add or delete rules into the kernel's auditd system.

If you are running a web server with sensitive data, you probably want to monitor which files are file accessed and what kind of activities are running in your server.

Install auditd

sudo apt-get install auditd


Once auditd is installed, you can configure it either:

I recommend to use the configuration file, since it is easier to configure, backup and restore if there's any error.

Example configuration file

# first of all, reset the rules (delete all)

# increase the buffers to survive stress events. make this bigger for busy systems.
-b 1024

# monitor unlink() and rmdir() system calls.
-a exit,always -S unlink -S rmdir

# monitor open() system call by Linux UID 1001.
-a exit,always -S open -F loginuid=1001

# monitor write-access and change in file properties (read/write/execute) of the following files.
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa

# monitor read-access of the following directory.
-w /etc/secret_directory -p r

# lock the audit configuration to prevent any modification of this file.
-e 2

Restart auditd.

sudo service auditd restart

The audit daemon will generate a log file: /var/log/audit/audit.log. To search into the logs, you need to use the ausearch. This will look for any unauthorized access.

For example, if you want to check if the /etc/passwd has been accessed, you can run the following command:

sudo ausearch -f /etc/passwd

Error deleting rule

If you get the Operation not permitted while tring to delete a rule, it is because audit is in immutable mod and no rules wlil be loaded. You can try to stop the service, but if this does not work, you will have to reboot the server. Modify the rules first, then reboot.

Rotate log

You can rotate daily logs for audit. The log are located in /var/log/audit. You can simply create a cronjob with the following command in it:

sudo service auditd rotate


Other useful commands

You can search for events with a specific date and time. If the date is omitted, the current day is assumed. If the time is omitted, the current time is assumed. It is recommended to use 24 hour clock time rather than AM or PM to specify time.

ausearch -ts today -k password-file
ausearch -ts 1/1/14 -k password-file

You can also search for an event matching the given executable name. You can accomplish this using -x option. For example find out who has accessed /etc/passwd using rm command:

ausearch -ts today -k password-file -x rm
ausearch -ts 1/1/14 -k password-file -x rm