Skip to content

Auditd

Auditd is an open source auditing tool that can increase security and generate reports via auditd logs.

Install

 sudo apt install -y auditd audispd-plugins
 sudo su -c "curl 'https://raw.githubusercontent.com/decyphertek-io/ansible/main/roles/auditd/files/audit.rules' >> /etc/audit/rules.d/audit.rules"
 sudo su -c "curl 'https://raw.githubusercontent.com/decyphertek-io/ansible/main/roles/auditd/files/audit.rules' >> /etc/audit/audit.rules"
 sudo systemctl enable auditd
 sudo systemctl restart auditd
 sudo systemctl status auditd

Watch a directory

 sudo auditctl -w /home/[your_user_name]/test_dir/ -k test_watch

Search Auditd logs

 sudo ausearch -k test_watch

Create a report

 sudo ausearch -k test_watch | aureport -f -I 
 sudo aureport

Manage

 sudo systemctl enable auditd
 sudo systemctl start auditd
 sudo systemctl restart auditd

References

 https://www.linux.com/topic/desktop/customized-file-monitoring-auditd/
 https://github.com/Neo23x0/auditd/blob/master/audit.rules
 https://manpages.debian.org/testing/auditd/auditd.8.en.html
 https://linuxhint.com/auditd_linux_tutorial
 https://github.com/Neo23x0/auditd/blob/master/audit.rules
 https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-configuring_the_audit_service
 https://bobcares.com/blog/ec2-error-audit-backlog-limit-exceeded/