System Event Audit: Monitoring and Security Analysis
Ensuring the security and stability of a Linux system requires more than preventing threats: incidents also have to be detected and investigated. System audit does not block attacks, but it lets you record a breach, identify its source and scope, and compile evidence for analysis.
The key audit tool in most distributions is the auditd daemon. It tracks system calls, logs user and process actions, and stores events in structured logs.
How auditd Works
The audit system attaches to the kernel via triggers that fire on entering a system call (entry) or exiting it (exit). Rules determine which calls, files, users, or processes are monitored. All captured events are written to /var/log/audit/audit.log.
With auditd you can track:
- System and service start/stop
- Operations on critical files such as /etc/passwd, /etc/shadow, SSH configs, etc.
- Changes to file permissions, ownership, or attributes
- Creation/deletion of files, directories, and links
- Filesystem mounting
- Network connections and configuration changes
- Actions of specific users or processes
Installation and Components
In CentOS/RHEL, the audit package is installed by default.
In Debian/Ubuntu, install it with:
Key utilities:
| Utility | Purpose |
|---|---|
| auditctl | Manage audit rules and state (dynamic configuration) |
| ausearch | Search logs by various criteria (user, file, syscall, etc.) |
| aureport | Generate summary reports (by file, user, time, etc.) |
| autrace | Trace a process's system calls (similar to strace, but integrated with audit) |
The daemon configuration is in /etc/audit/auditd.conf (buffers, overflow behavior, log rotation, etc.). Default settings usually suit most scenarios.
Configuring Audit Rules
Rules can be set dynamically via auditctl or statically in /etc/audit/audit.rules.
Basic Syntax:
- Event lists:
  - task: process creation (fork/clone); only fields known at that moment, such as uid/gid, make sense here
  - entry/exit: syscall entry/exit (exit is the one used in practice; the entry list is no longer supported by current kernels)
  - user: user-space events
  - exclude: exclusions
- Actions:
  - always: log the event
  - never: ignore
- Examples:
```bash
# Track opens of files under /etc for writing or attribute change,
# limited to real logged-in users (auid >= 1000); open and openat both count
sudo auditctl -a always,exit -S open -S openat -F dir=/etc -F auid>=1000 -F perm=wa
# Same, but without the auid filter: simpler and better suited to files/directories
sudo auditctl -a always,exit -S open -S openat -F dir=/etc -F perm=wa
# Specific file, matched on any syscall that writes it or changes its attributes
sudo auditctl -a always,exit -S all -F path=/etc/passwd -F perm=wa
```
Note
The -p wa filter (written -F perm=wa in the examples above; the two forms are equivalent) means write (w) and attribute change (a) access.
Persistent Rules in /etc/audit/audit.rules
The format matches auditctl commands, but without the command itself:
```bash
# Example entries (one per line)
-a always,exit -S open -S openat -F dir=/etc -F perm=wa
-a always,exit -S open -S openat -F path=/etc/passwd -F perm=wa
```
After editing the file, apply changes:
Log Analysis
Logs are stored in /var/log/audit/. Key tools are aureport and ausearch.
aureport: Summaries and Reports
```bash
# Report on file accesses
sudo aureport -f
# Only the last 10 minutes (human-readable names)
sudo aureport -f -i --start recent
# Summary by file (how many times each was accessed)
sudo aureport -f --summary
# Report for a specific period
sudo aureport --start 08/20/2025 12:00 --end 08/20/2025 13:00 -f
# Convenient time markers: today, yesterday, this-week, recent, now
sudo aureport -f --start today --summary
```
ausearch: Detailed Event Analysis
```bash
# By event ID (from aureport)
sudo ausearch -a 123456
# By user (UID)
sudo ausearch -ui 1001 -i
# By executable
sudo ausearch -x /usr/bin/sudo -i
# By system call
sudo ausearch -sc openat -i
# By terminal/service (e.g., cron)
sudo ausearch -tm cron -i
# With a time limit
sudo ausearch --start 08/20/2025 12:00 --end 08/20/2025 13:00 -f /etc/passwd
```
Note
The -i (or --interpret) flag replaces UIDs/GIDs and syscall codes with human-readable names.
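To show what ausearch is doing when it pulls one event out of audit.log, here is an added Python example (not part of the original page or the audit project) that parses raw records, groups them by the serial in msg=audit(timestamp:serial), and joins each SYSCALL record to the PATH records of the same event, so you can see which login user (auid) and executable touched which file. The log lines are constructed for the example; the key name etc-watch and the field values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not captured from a real host): event
# serial 4711 is a SYSCALL record plus its PATH records, as written for a rule
# like "-a always,exit -S openat -F dir=/etc -F perm=wa" (syscall 257 is openat
# on x86_64); serial 4712 is a USER_LOGIN record with no file context.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1724154000.123:4711): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2041 pid=2077 auid=1001 uid=0 euid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="etc-watch"
type=PATH msg=audit(1724154000.123:4711): item=0 name="/etc/" inode=131073 dev=fd:00 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1724154000.123:4711): item=1 name="/etc/passwd" inode=131105 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=USER_LOGIN msg=audit(1724154001.500:4712): pid=2100 uid=0 auid=1001 ses=4 msg='op=login id=1001 exe="/usr/sbin/sshd" addr=192.0.2.10 res=success'
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")  # timestamp:serial
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value or key="value"


def parse_record(line):
    """Return (serial, timestamp, fields) for one raw audit.log line, or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return m.group(2), float(m.group(1)), fields


def correlate(log_text):
    """Group records by serial (what ausearch -a does) and join each SYSCALL
    record to the non-PARENT PATH records of the same event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed:
            events[parsed[0]].append(parsed)
    joined = []
    for serial, recs in sorted(events.items(), key=lambda kv: kv[1][0][1]):
        syscalls = [f for _, _, f in recs if f.get("type") == "SYSCALL"]
        if not syscalls:
            continue  # USER_LOGIN, CRED_* etc. carry no file context
        sc = syscalls[0]
        paths = [f["name"] for _, _, f in recs
                 if f.get("type") == "PATH" and f.get("nametype") != "PARENT"]
        joined.append({"serial": serial, "time": recs[0][1], "auid": sc.get("auid"),
                       "exe": sc.get("exe"), "syscall": sc.get("syscall"),
                       "key": sc.get("key"), "paths": paths})
    return joined


if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOG):
        print(f'{ev["time"]:.3f} serial={ev["serial"]} auid={ev["auid"]} '
              f'exe={ev["exe"]} syscall={ev["syscall"]} paths={ev["paths"]}')
```

Feed it real records with `correlate(open("/var/log/audit/audit.log").read())`; the auid field is the login UID that survives sudo and su, which is why it, rather than uid, answers "who did this".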