Auditing with auditd: Advanced Configuration for Security Compliance
Introduction
The Linux Audit Framework (auditd) is a powerful system-level auditing solution that provides comprehensive tracking of system events, security-related activities, and user actions. Unlike traditional logging mechanisms that rely on applications to generate logs, auditd operates at the kernel level, providing tamper-resistant audit trails that are essential for security monitoring, compliance requirements, forensic investigations, and detecting unauthorized access or privilege escalation attempts.
This comprehensive guide provides Linux system administrators with advanced knowledge for configuring, managing, and analyzing auditd for security compliance and forensic purposes. Whether you're implementing controls for PCI-DSS, HIPAA, GDPR, SOX, or building a robust security monitoring infrastructure, this guide covers the essential configurations, rule development, log analysis techniques, and compliance mappings necessary to leverage auditd effectively.
Why auditd is Essential for Security Compliance
Security Benefits:
- Tamper-Resistant Logging: Kernel-level auditing prevents user-space tampering
- Comprehensive Coverage: Tracks system calls, file access, process execution, and network activity
- Real-Time Monitoring: Immediate detection of security-relevant events
- Forensic Evidence: Detailed audit trails for post-incident investigation
- Privilege Escalation Detection: Identifies unauthorized privilege changes
Compliance Requirements:
- PCI-DSS Requirement 10: Detailed audit logging and monitoring
- HIPAA Security Rule: Access logging and audit controls
- GDPR Article 30: Records of processing activities
- SOX Section 404: Internal controls and audit trails
- ISO 27001 Annex A.12.4: Logging and monitoring
- NIST SP 800-53: AU family (Audit and Accountability controls)
auditd vs. Other Logging Solutions
While syslog, rsyslog, and journald provide application-level logging, auditd offers distinct advantages for security monitoring:
- Kernel-Level Auditing: Cannot be bypassed by user-space applications
- System Call Tracking: Monitors all system calls, not just what applications log
- Immutable Rules: Audit rules can be made unchangeable until reboot
- Fine-Grained Control: Precise filtering and targeting of specific events
- Compliance Focus: Designed specifically for security auditing and compliance
Installing and Configuring auditd
Installation
# Install auditd and associated tools
sudo apt-get update
sudo apt-get install -y auditd audispd-plugins # Debian/Ubuntu
sudo yum install -y audit audit-libs audispd-plugins # RHEL/CentOS
# Verify installation
auditctl -v
# Enable and start auditd
sudo systemctl enable auditd
sudo systemctl start auditd
# Check status
sudo systemctl status auditd
Understanding auditd Components
Key Components:
- auditd: The audit daemon that writes audit records
- auditctl: Command-line tool to control audit system
- ausearch: Search audit logs for specific events
- aureport: Generate summary reports from audit logs
- audispd: Audit event dispatcher (for real-time event handling)
Configuration Files:
- /etc/audit/auditd.conf: Daemon configuration
- /etc/audit/rules.d/: Directory for audit rules
- /etc/audit/audit.rules: Compiled audit rules (loaded at boot)
- /var/log/audit/audit.log: Default audit log location
Basic auditd Configuration
# Main configuration file
sudo tee /etc/audit/auditd.conf << 'EOF'
# auditd Configuration
# Log file location
log_file = /var/log/audit/audit.log
# Log file permissions
log_group = root
log_format = RAW
# Flush log data to disk
flush = INCREMENTAL_ASYNC
freq = 50
# Maximum log file size (MB)
max_log_file = 100
# Number of log files to keep
num_logs = 20
# Action when max files reached
max_log_file_action = ROTATE
# Space remaining threshold (MB)
space_left = 500
space_left_action = SYSLOG
# Action when disk full
disk_full_action = SUSPEND
disk_error_action = SUSPEND
# Admin notification settings
admin_space_left = 250
admin_space_left_action = SYSLOG
# TCP listener for remote logging: enable only on the central collector,
# otherwise every host that receives this file opens a listening port
#tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
# Enable krb5 for remote logging (optional)
enable_krb5 = no
# Dispatcher settings (audit 2.x only; audit 3.x has no audispd and
# dispatches to plugins itself, so drop these two keys there)
disp_qos = lossy
dispatcher = /sbin/audispd
# Name format for remote logs
name_format = HOSTNAME
EOF
# Restart auditd to apply configuration
sudo systemctl restart auditd
Audit Rules Development
Understanding Audit Rule Types
1. File System Rules (-w): Watch specific files or directories
2. System Call Rules (-a): Audit specific system calls
3. Control Rules (-D/-e): Control audit system behavior
File System Watch Rules
# Create file system watch rules
sudo tee /etc/audit/rules.d/file-watches.rules << 'EOF'
# File System Watch Rules
## Watch passwd file changes
-w /etc/passwd -p wa -k passwd_changes
## Watch group file changes
-w /etc/group -p wa -k group_changes
## Watch shadow file changes
-w /etc/shadow -p wa -k shadow_changes
## Watch sudoers changes
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_changes
## Watch system binaries
-w /usr/bin/ -p x -k binary_execution
-w /usr/sbin/ -p x -k binary_execution
-w /bin/ -p x -k binary_execution
-w /sbin/ -p x -k binary_execution
## Watch kernel modules
-w /sbin/insmod -p x -k kernel_modules
-w /sbin/rmmod -p x -k kernel_modules
-w /sbin/modprobe -p x -k kernel_modules
## Watch init scripts
-w /etc/init.d/ -p wa -k init_scripts
-w /etc/systemd/ -p wa -k systemd_changes
## Watch cron jobs
-w /etc/cron.allow -p wa -k cron_changes
-w /etc/cron.deny -p wa -k cron_changes
-w /etc/cron.d/ -p wa -k cron_changes
-w /etc/cron.daily/ -p wa -k cron_changes
-w /etc/cron.hourly/ -p wa -k cron_changes
-w /etc/cron.monthly/ -p wa -k cron_changes
-w /etc/cron.weekly/ -p wa -k cron_changes
-w /var/spool/cron/ -p wa -k cron_changes
## Watch SSH configuration
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /root/.ssh -p wa -k root_ssh_keys
## Watch network configuration
-w /etc/network/ -p wa -k network_config
-w /etc/sysconfig/network-scripts/ -p wa -k network_config
-w /etc/hosts -p wa -k network_config
-w /etc/hostname -p wa -k hostname_changes
## Watch system logs
-w /var/log/audit/ -p wa -k audit_log_access
-w /var/log/messages -p wa -k syslog_access
-w /var/log/secure -p wa -k secure_log_access
EOF
Permission Flags Explained
- r: Read access
- w: Write access
- x: Execute access
- a: Attribute change
System Call Audit Rules
# Create system call audit rules
sudo tee /etc/audit/rules.d/syscall-rules.rules << 'EOF'
# System Call Audit Rules
## Architecture coverage: every syscall rule is written twice, once per ABI,
## so 32-bit callers are audited too. Template only (`syscall` and `key_name`
## are placeholders and would not load as-is):
## -a always,exit -F arch=b64 -S syscall -k key_name
## -a always,exit -F arch=b32 -S syscall -k key_name
## File deletion tracking
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -k file_deletion
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -k file_deletion
## File permission changes
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -k perm_mod
## File ownership changes
-a always,exit -F arch=b64 -S chown -S fchown -S lchown -S fchownat -k ownership_changes
-a always,exit -F arch=b32 -S chown -S fchown -S lchown -S fchownat -k ownership_changes
## File access tracking
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k access_denied
-a always,exit -F arch=b32 -S open -S openat -F exit=-EACCES -k access_denied
-a always,exit -F arch=b64 -S open -S openat -F exit=-EPERM -k access_denied
-a always,exit -F arch=b32 -S open -S openat -F exit=-EPERM -k access_denied
## Privilege escalation tracking
-a always,exit -F arch=b64 -S setuid -S setgid -S setreuid -S setregid -k privilege_escalation
-a always,exit -F arch=b32 -S setuid -S setgid -S setreuid -S setregid -k privilege_escalation
## Process execution tracking
-a always,exit -F arch=b64 -S execve -k process_execution
-a always,exit -F arch=b32 -S execve -k process_execution
## Socket creation and network activity
-a always,exit -F arch=b64 -S socket -S connect -S bind -k network_activity
-a always,exit -F arch=b32 -S socket -S connect -S bind -k network_activity
## Mount operations
-a always,exit -F arch=b64 -S mount -S umount2 -k mount_operations
-a always,exit -F arch=b32 -S mount -S umount2 -k mount_operations
## Time changes
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time_changes
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k time_changes
## Kernel module loading
-a always,exit -F arch=b64 -S init_module -S delete_module -k kernel_module_ops
-a always,exit -F arch=b32 -S init_module -S delete_module -k kernel_module_ops
EOF
User and Authentication Tracking
# Create user and authentication tracking rules
sudo tee /etc/audit/rules.d/user-auth.rules << 'EOF'
# User and Authentication Audit Rules
## User login/logout
-w /var/log/lastlog -p wa -k user_login
-w /var/log/wtmp -p wa -k user_login
-w /var/log/btmp -p wa -k failed_login
## Session initiation
-w /var/run/utmp -p wa -k session
## Sudo usage
-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -k sudo_usage
-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/sudo -k sudo_usage
## Su usage
-a always,exit -F arch=b64 -S execve -F exe=/bin/su -k su_usage
-a always,exit -F arch=b32 -S execve -F exe=/bin/su -k su_usage
## PAM configuration changes
-w /etc/pam.d/ -p wa -k pam_config
-w /etc/security/pwquality.conf -p wa -k password_policy
## SSH key changes: -w paths are literal (no glob expansion), so add one
## watch per home directory, e.g. -w /home/<user>/.ssh -p wa -k ssh_key_changes
-w /root/.ssh -p wa -k root_ssh_keys
EOF
Compliance-Specific Audit Rules
PCI-DSS Audit Rules
# PCI-DSS Requirement 10 Compliance
sudo tee /etc/audit/rules.d/pci-dss.rules << 'EOF'
# PCI-DSS Compliance Audit Rules
## Requirement 10.2.1: User access to cardholder data
-w /opt/cardholder-data/ -p ra -k pci_data_access
## Requirement 10.2.2: Administrative actions
-w /etc/sudoers -p wa -k pci_admin_actions
-w /etc/sudoers.d/ -p wa -k pci_admin_actions
## Requirement 10.2.3: Access to audit trails
-w /var/log/audit/ -p rwa -k pci_audit_access
## Requirement 10.2.4: Invalid logical access attempts
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k pci_access_denied
-a always,exit -F arch=b64 -S open -S openat -F exit=-EPERM -k pci_access_denied
## Requirement 10.2.5: Use of identification and authentication
-w /var/log/lastlog -p wa -k pci_authentication
-w /var/run/faillock/ -p wa -k pci_failed_auth
## Requirement 10.2.6: Initialization of audit logs
-w /etc/audit/auditd.conf -p wa -k pci_audit_config
-w /etc/audit/rules.d/ -p wa -k pci_audit_config
## Requirement 10.2.7: Creation and deletion of system objects
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -k pci_object_deletion
## O_CREAT (0100 octal) is argument a1 of open() and a2 of openat(); creat() needs no flag test
-a always,exit -F arch=b64 -S creat -k pci_object_creation
-a always,exit -F arch=b64 -S open -F a1&0100 -k pci_object_creation
-a always,exit -F arch=b64 -S openat -F a2&0100 -k pci_object_creation
## Database access (if applicable)
-w /var/lib/mysql/ -p rwa -k pci_database_access
-w /etc/mysql/ -p wa -k pci_database_config
## Web server access logs
-w /var/log/apache2/ -p wa -k pci_web_logs
-w /var/log/nginx/ -p wa -k pci_web_logs
## Payment application logs
-w /var/log/payment-app/ -p wa -k pci_payment_logs
EOF
HIPAA Audit Rules
# HIPAA Security Rule Compliance
sudo tee /etc/audit/rules.d/hipaa.rules << 'EOF'
# HIPAA Compliance Audit Rules
## PHI (Protected Health Information) Access
-w /opt/healthcare-data/ -p ra -k hipaa_phi_access
## User account management
-w /etc/passwd -p wa -k hipaa_account_mgmt
-w /etc/group -p wa -k hipaa_account_mgmt
-w /etc/shadow -p wa -k hipaa_account_mgmt
## Privileged operations
-a always,exit -F arch=b64 -S setuid -S setgid -k hipaa_privilege_change
## Database containing PHI
-w /var/lib/postgresql/data/ -p rwa -k hipaa_database_access
-w /var/lib/mysql/ -p rwa -k hipaa_database_access
## Application logs containing PHI
-w /var/log/healthcare-app/ -p wa -k hipaa_app_logs
## Configuration changes to systems processing PHI
-w /etc/ -p wa -k hipaa_config_changes
## Backup operations
-w /var/backups/ -p rwa -k hipaa_backup_operations
## Remote access
-w /var/log/auth.log -p wa -k hipaa_remote_access
-w /var/log/secure -p wa -k hipaa_remote_access
## Audit log access
-w /var/log/audit/ -p rwa -k hipaa_audit_access
EOF
GDPR Audit Rules
# GDPR Article 30 Compliance
sudo tee /etc/audit/rules.d/gdpr.rules << 'EOF'
# GDPR Compliance Audit Rules
## Personal data access
-w /opt/personal-data/ -p ra -k gdpr_data_access
## Data processing activities
-w /var/log/application/ -p ra -k gdpr_processing
## User management (data subjects)
-w /etc/passwd -p wa -k gdpr_user_management
-w /etc/shadow -p wa -k gdpr_user_management
## Data deletion (right to erasure)
-a always,exit -F arch=b64 -S unlink -S unlinkat -k gdpr_data_deletion
## -F dir= matches the whole subtree; -F path= would match only that exact path
-a always,exit -F arch=b64 -S unlink -S unlinkat -F dir=/opt/personal-data -k gdpr_erasure
## Data export (data portability): watch the export directory itself
-w /tmp/export/ -p wa -k gdpr_data_export
## Database containing personal data
-w /var/lib/mysql/gdpr_db/ -p rwa -k gdpr_database_access
## Encryption key access
-w /etc/encryption/keys/ -p ra -k gdpr_key_access
## Backup containing personal data
-w /var/backups/personal-data/ -p rwa -k gdpr_backup_access
## Security incident detection
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -k gdpr_access_denied
## Data controller actions
-a always,exit -F arch=b64 -S execve -F euid=1001 -k gdpr_controller_actions
EOF
Advanced Audit Rule Techniques
Filtering by User
# Audit specific users
sudo tee /etc/audit/rules.d/user-specific.rules << 'EOF'
# User-Specific Audit Rules
## Monitor specific user (UID 1001). -S all records every system call the
## filter matches, so expect very high volume; scope such rules to an investigation
-a always,exit -F arch=b64 -S all -F uid=1001 -k user_1001_activity
## Monitor root user activity
-a always,exit -F arch=b64 -S all -F uid=0 -k root_activity
## Monitor privileged group (GID 27 is "sudo" on Debian/Ubuntu; check /etc/group)
-a always,exit -F arch=b64 -S all -F gid=27 -k wheel_group_activity
## Negated filters: every system call from all UIDs except 0 and 1
-a always,exit -F arch=b64 -S all -F uid!=0 -F uid!=1 -k non_system_users
EOF
Filtering by Process
# Process-specific audit rules
sudo tee /etc/audit/rules.d/process-specific.rules << 'EOF'
# Process-Specific Audit Rules
## Monitor MySQL daemon
-a always,exit -F arch=b64 -S all -F exe=/usr/sbin/mysqld -k mysql_activity
## Monitor web server
-a always,exit -F arch=b64 -S all -F exe=/usr/sbin/apache2 -k apache_activity
-a always,exit -F arch=b64 -S all -F exe=/usr/sbin/nginx -k nginx_activity
## Monitor SSH daemon
-a always,exit -F arch=b64 -S all -F exe=/usr/sbin/sshd -k sshd_activity
EOF
Filtering by Directory
# Directory-specific audit rules
sudo tee /etc/audit/rules.d/directory-specific.rules << 'EOF'
# Directory-Specific Audit Rules
## Monitor sensitive data directory
-w /opt/sensitive-data/ -p rwxa -k sensitive_data_access
## Monitor web application directory
-w /var/www/html/ -p wa -k web_app_changes
## Monitor configuration directory
-w /etc/ -p wa -k config_changes
## Exclude noisy subdirectories
# Note: exclusions must come before broader rules (the first matching rule wins);
# -p is only valid on -w watches, syscall rules filter with -F perm= instead
-a never,exit -F dir=/var/www/html/cache/ -F perm=wa
-a always,exit -F dir=/var/www/html/ -F perm=wa -k web_changes
EOF
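Rule files are only validated when augenrules --load hands them to auditctl, and several of the mistakes that surface there (globs in -w paths, -p on a syscall rule, a rule without a key, an arch=b64 rule with no b32 twin) can be caught statically first. The linter below is an added example written for this guide, not part of the audit package; the rules text it checks is constructed, and the conventions it enforces are the ones used in the rule files above.

```python
"""Static checks for an auditd rules.d file, run before augenrules --load.

Added example for this guide; it is not part of the audit package.  The checks
encode the conventions used in the rule files above: watch paths are literal,
-p belongs to -w while syscall rules filter with -F perm=, every rule carries
a -k key, and each arch=b64 syscall rule has an arch=b32 twin.
"""
import shlex

GLOB_CHARS = set("*?[")

# Constructed rules file that trips each check (not taken from a real system).
SAMPLE_RULES = """\
# watches
-w /etc/passwd -p wa -k passwd_changes
-w /home/*/.ssh -p wa -k ssh_key_changes
-w /etc/hosts -p wa
# syscall rules
-a always,exit -F arch=b64 -S execve -k process_execution
-a always,exit -F arch=b32 -S execve -k process_execution
-a always,exit -F arch=b64 -S unlink -S unlinkat -k file_deletion
-a always,exit -F dir=/var/www/html/ -p wa -k web_changes
-a always,exit -F arch=b64 -S all -F uid=0 -k root_activity
-D
-b 8192
"""


def _pairs(argv):
    """Turn an auditctl argument vector into (option, value) pairs."""
    pairs, i = [], 0
    while i < len(argv):
        opt, value = argv[i], None
        if i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            value = argv[i + 1]
            i += 1
        pairs.append((opt, value))
        i += 1
    return pairs


def lint_rules(text):
    """Return sorted (line_number, message) findings for a rules file."""
    findings = []
    by_arch = {"b64": {}, "b32": {}}  # (syscalls, key) -> first line number
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pairs = _pairs(shlex.split(line))
        opts = [opt for opt, _ in pairs]
        if not {"-w", "-a", "-A"} & set(opts):
            continue  # control rule (-D, -b, -e, -f, -r): nothing to check
        key = next((v for o, v in pairs if o == "-k"), None)
        if key is None:
            findings.append((lineno, "no -k key: ausearch -k and aureport -k cannot select these events"))
        if "-w" in opts:
            path = next(v for o, v in pairs if o == "-w")
            if path and GLOB_CHARS & set(path):
                findings.append((lineno, "-w paths are literal: '*' and '?' are not expanded"))
            continue
        # syscall rule: -S may be repeated or comma separated, so normalise to a sorted tuple
        syscalls = tuple(sorted(name for o, v in pairs if o == "-S" and v for name in v.split(",")))
        filters = [v for o, v in pairs if o == "-F" and v]
        arch = next((f.split("=", 1)[1] for f in filters if f.startswith("arch=")), None)
        has_perm = any(f.startswith("perm=") for f in filters)
        if "-p" in opts:
            findings.append((lineno, "-p is a -w option; syscall rules filter with -F perm=..."))
        if not syscalls and not has_perm:
            findings.append((lineno, "no -S syscall and no -F perm= filter: nothing selects events"))
        if "all" in syscalls:
            findings.append((lineno, "-S all records every system call matching the filter: expect very high volume"))
        if arch in by_arch:
            by_arch[arch].setdefault((syscalls, key), lineno)
    # a b64 rule with no b32 twin leaves 32-bit callers unaudited
    for signature, lineno in by_arch["b64"].items():
        if signature not in by_arch["b32"]:
            findings.append((lineno, "no matching arch=b32 rule: 32-bit callers are not audited"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, message in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {message}")
```

Run it over a real file with `lint_rules(open("/etc/audit/rules.d/file-watches.rules").read())` before calling augenrules; the b32 check is deliberately a warning, since rules filtered with -F dir= or -F perm= and no arch are valid on their own.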
Using Auditctl Commands
# List all active rules
sudo auditctl -l
# Delete all rules
sudo auditctl -D
# Load rules from file
sudo auditctl -R /etc/audit/rules.d/custom.rules
# Add rule temporarily (not persistent)
sudo auditctl -w /etc/passwd -p wa -k passwd_watch
# Enable auditing
sudo auditctl -e 1
# Disable auditing
sudo auditctl -e 0
# Make audit configuration immutable (run this last: no rule changes until reboot)
sudo auditctl -e 2
# Get audit status
sudo auditctl -s
# Set backlog limit
sudo auditctl -b 8192
# Set failure mode (0=silent, 1=printk, 2=panic)
sudo auditctl -f 1
Loading and Managing Rules
Rule Loading Order
# Recommended rule file naming for load order:
# 10-base.rules - Basic system rules
# 20-privileged.rules - Privileged command rules
# 30-network.rules - Network-related rules
# 40-compliance.rules - Compliance-specific rules
# 99-finalize.rules - Make configuration immutable
# Create base rules
sudo tee /etc/audit/rules.d/10-base.rules << 'EOF'
# Base Audit Configuration
## Delete all existing rules
-D
## Set buffer size
-b 8192
## Failure mode (1 = print to kernel log)
-f 1
## Rate limit
-r 100
EOF
# Create finalization rules
sudo tee /etc/audit/rules.d/99-finalize.rules << 'EOF'
# Finalize Audit Configuration
## Make configuration immutable
## WARNING: Cannot change rules until reboot!
-e 2
EOF
# Generate compiled rules file
sudo augenrules --load
# Verify rules loaded
sudo auditctl -l | wc -l
Temporary vs. Persistent Rules
# Temporary rule (lost on reboot)
sudo auditctl -w /tmp/test -p wa -k temp_test
# Persistent rule (survives reboot)
echo "-w /tmp/test -p wa -k persistent_test" | \
sudo tee -a /etc/audit/rules.d/custom.rules
sudo augenrules --load
Searching and Analyzing Audit Logs
Using ausearch
# Search for today's events
sudo ausearch -ts today
# Search for events in date/time range
sudo ausearch -ts 01/10/2024 00:00:00 -te 01/10/2024 23:59:59
# Search by key
sudo ausearch -k passwd_changes
# Search for user actions
sudo ausearch -ua username
# Search for specific UID
sudo ausearch -ui 1001
# Search for failed events
sudo ausearch -m USER_AUTH -sv no
# Search for file access
sudo ausearch -f /etc/shadow
# Search for successful sudo usage
sudo ausearch -k sudo_usage -sv yes
# Combine filters
sudo ausearch -k gdpr_data_access -ts today -i
# Output in interpreted format
sudo ausearch -i -k pci_data_access
# Output as raw log
sudo ausearch -k hipaa_phi_access --raw
# Count events
sudo ausearch -k network_activity | grep -c "type=SYSCALL"
Using aureport
# Generate summary report
sudo aureport
# Authentication report
sudo aureport -au
# Login report
sudo aureport -l
# Failed login attempts
sudo aureport -l --failed
# User account modification report
sudo aureport -m
# File access report
sudo aureport -f
# Key-based report
sudo aureport -k
# Executable report
sudo aureport -x
# Time-based report
sudo aureport -ts today -te now
# Summary of a specific key (aureport -k takes no key argument; feed it a raw ausearch selection)
sudo ausearch -k pci_data_access --raw | sudo aureport --summary
# Top failed events
sudo aureport --failed --summary
# aureport has no HTML output mode; save the text summary and convert it if a formatted report is needed
sudo aureport --summary > /tmp/audit_report.txt
Real-Time Log Monitoring
# Follow audit log in real-time
sudo tail -f /var/log/audit/audit.log
# Real-time monitoring with ausearch
sudo ausearch -ts recent -i -k passwd_changes
# Create real-time monitoring script
sudo tee /usr/local/bin/audit-monitor.sh << 'EOF'
#!/bin/bash
# Real-time audit monitoring
echo "Monitoring audit events (Ctrl+C to stop)..."
echo "=========================================="
sudo tail -f /var/log/audit/audit.log | \
while read -r line; do
    # Match on the -k keys set in the rules rather than bare substrings:
    # "su" alone would also match the success= field of every SYSCALL record
    if echo "$line" | grep -qE 'key="(passwd_changes|shadow_changes|sudoers_changes|sudo_usage|su_usage|sshd_config|root_ssh_keys)"'; then
        echo "[$(date)] SECURITY EVENT: $line"
    fi
done
EOF
sudo chmod +x /usr/local/bin/audit-monitor.sh
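Grepping audit.log line by line, as the script above does, sees records rather than events: the SYSCALL, PATH and PROCTITLE records of one action share only their msg=audit(time:serial) identifier, and proctitle arrives hex-encoded. The parser below is an added example, not part of the audit package or of this guide's own scripts. It regroups raw records (the format ausearch --raw emits) into events, decodes hex fields, and reports per-key counts, failed syscalls with their paths, and processes running with euid 0 under a non-root login UID (auid), which is how root activity stays attributable to the person who logged in. The log lines it parses are constructed for the example; the field names are the ones auditd emits.

```python
"""Regroup raw audit.log records into events and summarise them.

Added example for this guide (not part of the audit package or of the page's
own scripts).  Reads the raw key=value format, groups records sharing a
msg=audit(time:serial) identifier, decodes hex-encoded fields and reports
per-key counts, failed syscalls, and euid-0 activity under a non-root auid.
"""
import json
import re

HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
FIELD = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
HEX_ENCODED = {"proctitle", "name", "cwd", "comm", "exe"}  # unquoted value => hex
UNSET_AUID = 4294967295  # auid of processes started outside any login session

# Constructed sample lines (not a real capture), trimmed to the records used here.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd12345678 a2=241 a3=1b6 items=2 ppid=1200 pid=1234 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="passwd_changes"
type=CWD msg=audit(1700000000.123:4242): cwd="/root"
type=PATH msg=audit(1700000000.123:4242): item=0 name="/etc/" inode=2 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.123:4242): item=1 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.123:4242): proctitle=76696D002F6574632F706173737764
type=SYSCALL msg=audit(1700000001.500:4243): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd1234abcd a2=0 a3=0 items=1 ppid=2000 pid=2001 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=5 comm="cat" exe="/usr/bin/cat" key="access_denied"
type=PATH msg=audit(1700000001.500:4243): item=0 name="/etc/shadow" inode=1235 dev=fd:00 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000001.500:4243): proctitle=636174002F6574632F736861646F77
type=USER_AUTH msg=audit(1700000002.000:4244): pid=2100 uid=0 auid=1002 ses=5 msg='op=PAM:authentication grantors=? acct="alice" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
type=SYSCALL msg=audit(1700000003.250:4245): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0a0 a1=55d0c0f0 a2=55d0c130 a3=0 items=2 ppid=2100 pid=2150 auid=1002 uid=1002 gid=1002 euid=0 suid=0 fsuid=0 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=5 comm="sudo" exe="/usr/bin/sudo" key="sudo_usage"
type=EXECVE msg=audit(1700000003.250:4245): argc=2 a0="sudo" a1="-i"
type=PATH msg=audit(1700000003.250:4245): item=0 name="/usr/bin/sudo" inode=3000 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000003.250:4245): proctitle=7375646F002D69
"""


def _decode_hex(raw):
    """auditd hex-encodes a value containing spaces, quotes or control bytes; NUL separates argv."""
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")
    except ValueError:
        return raw  # e.g. name=(null)


def parse_record(line):
    """Parse one raw record into type, time, serial and a field dict (None if not a record)."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw in FIELD.findall(m.group("body")):
        if raw[0] in "\"'":
            fields[key] = raw[1:-1]
        elif key in HEX_ENCODED:
            fields[key] = _decode_hex(raw)
        else:
            fields[key] = raw
    return {"type": m.group("type"), "time": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def group_events(lines):
    """Group records by (time, serial); the serial alone restarts after a reboot."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec:
            events.setdefault((rec["time"], rec["serial"]), []).append(rec)
    return events


def summarize(events):
    """Per-key counts, failed syscalls with target paths, and euid-0 work under a non-root auid."""
    by_key, failed, root_via_login, proctitles = {}, [], [], {}
    for (_, serial), records in events.items():
        syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
        paths = [r["fields"].get("name") for r in records
                 if r["type"] == "PATH" and r["fields"].get("nametype") != "PARENT"]
        title = next((r["fields"].get("proctitle") for r in records if r["type"] == "PROCTITLE"), None)
        if title:
            proctitles[serial] = title
        if syscall is None:
            continue  # USER_AUTH, USER_LOGIN and similar carry no SYSCALL record
        f = syscall["fields"]
        key = f.get("key", "(null)")
        by_key[key] = by_key.get(key, 0) + 1
        if f.get("success") == "no":
            failed.append({"serial": serial, "key": key, "exe": f.get("exe"),
                           "paths": paths, "exit": int(f.get("exit", "0"))})
        auid = int(f.get("auid", UNSET_AUID))
        if f.get("euid") == "0" and auid not in (0, UNSET_AUID):
            root_via_login.append({"serial": serial, "auid": auid, "exe": f.get("exe"), "proctitle": title})
    return {"by_key": by_key, "failed": failed, "root_via_login": root_via_login, "proctitles": proctitles}


def analyze(raw_log):
    return summarize(group_events(raw_log.splitlines()))


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

To run it against a live system, pipe `sudo ausearch -ts today --raw` into the script and call `analyze()` on stdin; the raw (uninterpreted) form is required, since `-i` rewrites UIDs and syscall numbers into names and undoes the hex encoding this parser expects.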
Audit Event Dispatch (audispd)
Configuring Real-Time Alerts
# Configure audit dispatcher
sudo tee /etc/audit/plugins.d/syslog.conf << 'EOF'
# Send audit events to syslog
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
EOF
# Configure custom event handler
sudo tee /etc/audit/plugins.d/custom-handler.conf << 'EOF'
active = yes
direction = out
path = /usr/local/bin/audit-event-handler.sh
type = always
format = string
EOF
# Create custom event handler script
sudo tee /usr/local/bin/audit-event-handler.sh << 'EOF'
#!/bin/bash
# Custom audit event handler
ALERT_EMAIL="[email protected]"
LOG_FILE="/var/log/audit/custom-alerts.log"
while read event; do
# Log all events
echo "[$(date)] $event" >> "$LOG_FILE"
# Alert on critical events
if echo "$event" | grep -qE "passwd|shadow|sudo|failed"; then
echo "$event" | mail -s "Critical Audit Event" "$ALERT_EMAIL"
fi
done
EOF
sudo chmod +x /usr/local/bin/audit-event-handler.sh
# Restart audit dispatcher
sudo systemctl restart auditd
Remote Audit Logging
# Configure audit server to receive remote logs
# (if these keys are already present in auditd.conf, edit them in place rather than appending duplicates)
sudo tee -a /etc/audit/auditd.conf << 'EOF'
# Remote logging
tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
EOF
# Configure client to send logs to remote server
sudo tee /etc/audit/plugins.d/au-remote.conf << 'EOF'
active = yes
direction = out
path = /sbin/audisp-remote
type = always
format = string
EOF
sudo tee /etc/audit/audisp-remote.conf << 'EOF'
remote_server = audit-server.example.com
port = 60
local_port = any
transport = tcp
queue_depth = 2048
overflow_action = syslog
EOF
# Restart services
sudo systemctl restart auditd
Performance Optimization
Tuning for High-Volume Environments
# Optimize audit configuration for performance
sudo tee /etc/audit/auditd.conf << 'EOF'
# Performance-Optimized Configuration
log_file = /var/log/audit/audit.log
log_format = RAW
# Asynchronous writing for better performance
flush = INCREMENTAL_ASYNC
freq = 50
# Larger log files before rotation
max_log_file = 200
num_logs = 20
# Performance-oriented dispatcher (audit 2.x only; drop this key on audit 3.x)
disp_qos = lossy
# Larger kernel buffer
# Set via auditctl: -b 32768
EOF
# Increase kernel audit buffer
sudo auditctl -b 32768
# Check backlog
sudo auditctl -s | grep backlog
# Reduce rule complexity
# Use more specific filters to reduce matching overhead
# Example: Instead of auditing all execve, audit specific binaries
sudo auditctl -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -k sudo_exec
Managing Audit Log Size
# Configure aggressive log rotation with logrotate
# auditd keeps audit.log open and rotates it itself when max_log_file_action = ROTATE;
# if logrotate takes over, set max_log_file_action = IGNORE in auditd.conf so the two
# tools do not both rename the same file
sudo tee /etc/logrotate.d/audit << 'EOF'
/var/log/audit/audit.log {
daily
rotate 90
compress
delaycompress
notifempty
create 0600 root root
maxsize 500M
postrotate
/sbin/service auditd rotate > /dev/null 2>&1 || true
endscript
}
EOF
# Manually rotate audit log
sudo service auditd rotate
# Or keep a compressed monthly summary report (this is a report, not a copy of the raw logs)
sudo aureport -ts month-ago -te yesterday --summary | \
    gzip > /archive/audit/audit-$(date +%Y%m).txt.gz
Troubleshooting
Common Issues and Solutions
# Check audit daemon status
sudo systemctl status auditd
# View audit daemon logs
sudo journalctl -u auditd -n 50
# Check whether rules.d has changed since audit.rules was last compiled
sudo augenrules --check
# Compile and load the rules; auditctl reports the first line that fails to parse
sudo augenrules --load
# Check audit buffer status
sudo auditctl -s
# If backlog limit reached, increase buffer
sudo auditctl -b 16384
# Check for lost events
sudo auditctl -s | grep lost
# Verify rules are loaded
sudo auditctl -l
# Check disk space
df -h /var/log/audit
# Check permissions
ls -la /var/log/audit/
# Fix permissions if needed (CIS: log directory 0750 or more restrictive, log files 0640 or more restrictive)
sudo chown root:root /var/log/audit/
sudo chmod 750 /var/log/audit/
sudo chmod 600 /var/log/audit/audit.log
# Restart auditd
sudo systemctl restart auditd
Debugging Audit Rules
# Enable debug mode (runs auditd in the foreground; stop the service first, e.g. with service auditd stop)
sudo auditd -d
# Test individual rule (modern libc opens files with openat(), so audit both open and openat)
sudo auditctl -a always,exit -F arch=b64 -S open -S openat -k test_rule
# Trigger event
cat /etc/passwd
# Search for test event
sudo ausearch -k test_rule -ts recent
# Remove test rule (the -d arguments must match the rule exactly as it was added)
sudo auditctl -d always,exit -F arch=b64 -S open -S openat -k test_rule
Compliance Audit Scripts
Comprehensive Compliance Check
# Create comprehensive audit compliance check script
sudo mkdir -p /root/scripts
sudo tee /root/scripts/audit_compliance_check.sh << 'EOF'
#!/bin/bash
# Audit System Compliance Check
REPORT_FILE="/var/log/audit/compliance_check_$(date +%Y%m%d).txt"
exec > >(tee -a "$REPORT_FILE")
echo "========================================"
echo "AUDIT SYSTEM COMPLIANCE CHECK"
echo "Date: $(date)"
echo "========================================"
echo ""
# Check auditd status
echo "=== Auditd Service Status ==="
systemctl is-active --quiet auditd && echo "RUNNING" || echo "NOT RUNNING"
echo ""
# Check number of rules loaded
echo "=== Audit Rules Loaded ==="
RULE_COUNT=$(auditctl -l | grep -v "^No rules" | wc -l)
echo "Total rules: $RULE_COUNT"
if [ "$RULE_COUNT" -lt 10 ]; then
echo "WARNING: Very few audit rules configured!"
fi
echo ""
# Check disk space
echo "=== Audit Log Disk Space ==="
df -h /var/log/audit/
echo ""
# Check for lost events
echo "=== Lost Events Check ==="
LOST=$(auditctl -s | awk '/^lost/ {print $2}')
echo "Lost events: ${LOST:-unknown}"
if [ "${LOST:-0}" -gt 0 ]; then
    echo "WARNING: Events have been lost! Consider increasing buffer size."
fi
echo ""
# Check audit log size
echo "=== Audit Log Files ==="
ls -lh /var/log/audit/
echo ""
# Check recent activity (ausearch has no hour-ago keyword, so compute the start time with date)
echo "=== Recent Audit Activity (Last Hour) ==="
START=$(date -d '1 hour ago' '+%m/%d/%Y %H:%M:%S')
# $START is left unquoted on purpose: -ts takes the date and the time as two arguments
echo "$(ausearch -ts $START 2>/dev/null | grep -c 'type=SYSCALL') events logged in last hour"
echo ""
# Key-specific event counts
echo "=== Event Counts by Key (Last 24 Hours) ==="
aureport -ts yesterday -k --summary | head -20
echo ""
# Authentication events
echo "=== Authentication Events (Last 7 Days) ==="
aureport -ts week-ago -au --summary
echo ""
# Failed events
echo "=== Failed Events (Last 7 Days) ==="
aureport -ts week-ago --failed --summary
echo ""
# Configuration immutability
echo "=== Audit Configuration Status ==="
auditctl -s | grep enabled
echo ""
echo "========================================"
echo "COMPLIANCE CHECK COMPLETED"
echo "Report saved to: $REPORT_FILE"
echo "========================================"
EOF
sudo chmod +x /root/scripts/audit_compliance_check.sh
# Schedule monthly compliance checks
# NOTE: "crontab -" replaces root's entire crontab; use crontab -e or append to the existing entries if there are any
# (security@example.com is a placeholder address)
echo "0 9 1 * * /root/scripts/audit_compliance_check.sh | mail -s 'Monthly Audit Compliance Report' security@example.com" | sudo crontab -
Best Practices
Audit Configuration Checklist
# Create configuration checklist
mkdir -p /root/docs
cat > /root/docs/audit_configuration_checklist.md << 'EOF'
# Audit Configuration Checklist
## Installation and Setup
- [ ] auditd installed and enabled
- [ ] auditd starts at boot
- [ ] Sufficient disk space allocated for audit logs
- [ ] Log rotation configured
## Rule Configuration
- [ ] File system watches configured for sensitive files
- [ ] System call auditing enabled for security events
- [ ] User authentication tracked
- [ ] Privilege escalation monitored
- [ ] Compliance-specific rules implemented
- [ ] Rules loaded at boot via /etc/audit/rules.d/
## Performance
- [ ] Audit buffer size appropriate for load
- [ ] Lost events monitored
- [ ] Log file size limits set
- [ ] Audit rules optimized (not overly broad)
## Security
- [ ] Audit logs protected (proper permissions)
- [ ] Audit configuration immutable (-e 2)
- [ ] Unauthorized audit log access monitored
- [ ] Remote logging configured (if required)
## Monitoring and Alerts
- [ ] Real-time alerts configured for critical events
- [ ] Regular log review scheduled
- [ ] Automated compliance reporting
- [ ] Incident response procedures documented
## Compliance
- [ ] PCI-DSS Requirement 10 rules (if applicable)
- [ ] HIPAA audit requirements (if applicable)
- [ ] GDPR Article 30 requirements (if applicable)
- [ ] SOX audit trails (if applicable)
## Testing
- [ ] Rule triggering verified
- [ ] Log search and reporting tested
- [ ] Audit rotation tested
- [ ] Restoration from audit logs tested
EOF
Conclusion
The Linux Audit Framework (auditd) provides powerful, kernel-level auditing capabilities essential for security monitoring, compliance, and forensic investigations. This guide has covered advanced configurations, compliance-specific rule sets, log analysis techniques, and performance optimization strategies.
Key Takeaways
1. Kernel-Level Security: auditd operates at the kernel level, providing tamper-resistant audit trails that cannot be bypassed by user-space applications.
2. Compliance Foundation: Proper auditd configuration is essential for meeting PCI-DSS, HIPAA, GDPR, SOX, and other regulatory requirements.
3. Rule Precision: Carefully designed audit rules balance comprehensive monitoring with system performance.
4. Regular Review: Audit logs must be regularly reviewed, analyzed, and archived to provide value for security and compliance.
5. Immutable Configuration: Making audit configuration immutable prevents tampering and ensures consistent audit coverage.
By implementing the configurations and procedures outlined in this guide, you establish robust audit trails that support security monitoring, compliance requirements, and forensic investigations while maintaining system performance.