auditctl

auditctl is a command-line utility used to interact with the Linux Audit Framework, specifically for managing audit rules. It allows administrators to dynamically add, delete, and list audit rules without needing to manually edit the audit configuration files (/etc/audit/audit.rules). Here’s an overview of auditctl and its usage:

Overview of auditctl

Purpose

The main purpose of auditctl is to control the behavior of the Linux Audit Framework by:

  • Adding new audit rules to monitor specific system events, files, directories, and processes.

  • Modifying existing audit rules to adjust monitoring criteria.

  • Deleting audit rules to stop monitoring specific events.

Basic Usage

Viewing Current Audit Rules

To view the current audit rules that are active, you can use auditctl with the -l option:

auditctl -l

This command lists all currently active audit rules.

Adding Audit Rules

To add new audit rules, use auditctl with the -a option followed by the rule specifications. For example, to monitor changes to the /etc/passwd file:

auditctl -a always,exit -F path=/etc/passwd -F perm=wa -k passwd_changes

  • -a: Adds a new rule.

  • always,exit: Specifies the conditions under which the rule triggers (always on exit).

  • -F: Defines filter fields (in this case, path and permissions).

  • -k: Assigns a unique key to the audit rule for identification in logs.

Deleting Audit Rules

To delete existing audit rules, use auditctl with the -D option followed by the rule specifications or keys:

auditctl -D

This command deletes all currently loaded audit rules.

Example Use Cases

  1. Monitoring File Access:

    auditctl -a always,exit -F path=/etc/shadow -F perm=r -k shadow_access

    This rule monitors read access to the /etc/shadow file.

  2. Monitoring Process Execution:

    auditctl -a always,exit -F arch=b64 -S execve -k process_execution

    This rule monitors execution of processes on a 64-bit architecture.

  3. Monitoring Socket Operations:

    auditctl -a always,exit -F arch=b64 -S socket -k socket_operations

    This rule monitors socket operations on a 64-bit architecture.

Advanced Usage

  • Rule Fields: Use various filter fields (-F) such as uid, auid, syscall, path, success, key, etc., to specify conditions for audit rules.

  • Persistent Rules: To make rules persistent across system reboots, add them to /etc/audit/audit.rules and reload the audit configuration (sudo systemctl reload auditd).

Security Considerations

  • Rule Management: Regularly review and manage audit rules to ensure they align with security policies and operational needs.

  • Performance Impact: Consider the performance impact of auditing high-volume events and adjust rules accordingly.

Conclusion

auditctl is a powerful command-line tool for managing audit rules within the Linux Audit Framework. By dynamically adding, modifying, or deleting audit rules, administrators can tailor system monitoring to meet security requirements, detect unauthorized activities, and ensure compliance with organizational policies.

Previousaudit2whyNextauditd.conf

Last updated