2025-01-24
auditctl
Configures and manages the Linux audit system. It allows the user to set audit rules, such as monitoring specific files, directories, or system calls, to track security-relevant events on the system. Here’s a table of some relevant auditctl commands that are commonly used for configuring the audit system in Linux:
Command | Description |
---|---|
`auditctl -l` | Lists all current audit rules. |
`auditctl -A never,exit -F dir=/home/user` | Disables auditing for a specific directory or file path (e.g., `/home/user`). |
`auditctl -D` | Deletes all audit rules currently configured. |
`auditctl -w /etc/passwd -p wa` | Watches the `/etc/passwd` file for write and attribute change events. |
`auditctl -W /var/log/secure -p r` | Removes the watch on the `/var/log/secure` file for read (`r`) access attempts. |
`auditctl -k login_events` | Adds a key (`login_events`) to a rule for easier identification in logs. |
`auditctl -s` | Displays the current status of the audit system (enabled/disabled, etc.). |
`auditctl -F uid=1000` | Adds a filter to audit events for a specific user ID (1000). |
`auditctl -f 2` | Configures the system to log all events related to the system’s execution. |
`auditctl -r` | Allows listing rules in a more human-readable form than `-l`. |
ausearch
Searches through the audit logs generated by the audit system. It helps you find specific audit records based on criteria such as time, event type, user, or command, allowing for effective log analysis and investigation.
Command | Description |
---|---|
`ausearch -m avc` | Searches for “AVC” (Access Vector Cache) denials, useful for SELinux-related events. |
`ausearch -i` | Interprets audit logs into a more human-readable format. |
`ausearch -ts today` | Searches for events that occurred today. |
`ausearch -ts 01/24/2025` | Searches for events that occurred on a specific date (e.g., January 24, 2025). |
`ausearch -x /usr/bin/ssh` | Searches for events related to a specific executable (`ssh` in this case). |
`ausearch -f /etc/passwd` | Searches for events related to the `/etc/passwd` file. |
`ausearch -ui 1000` | Searches for events related to user ID 1000. |
`ausearch -p <pid>` | Searches for events related to a specific process ID (`pid`). |
`ausearch -l` | Lists all available audit logs (can be combined with other options to refine the search). |
`ausearch -k <key>` | Searches for events that match a specific key (`key` is defined in auditctl rules). |
`ausearch --start recent` | Searches for events that have occurred recently, typically in the last few minutes or hours. |
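As an added example (not from this cheat sheet or the audit project), the Python script below parses constructed audit.log records and applies the same filters as `ausearch -k`, `-ui`, `-x`, `-f`, `-p` and `-ts`, showing which record field each option matches on: the key set by an auditctl rule lives in the SYSCALL record, while the file path lives in the `name=` field of the PATH record of the same event. All record values are assumed sample data.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not captured from a real host). Records that
# share the id in msg=audit(TIME:ID) belong to one event, which is how ausearch groups them.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1737720000.123:456): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1234 auid=1000 uid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="passwd_changes"
type=PATH msg=audit(1737720000.123:456): item=0 name="/etc/passwd" inode=1312 mode=0100644 ouid=0 nametype=NORMAL
type=SYSCALL msg=audit(1737720100.456:457): arch=c000003e syscall=59 success=yes exit=0 items=1 ppid=2100 pid=2222 auid=1000 uid=1000 euid=1000 comm="ssh" exe="/usr/bin/ssh" key=(null)
type=PATH msg=audit(1737720100.456:457): item=0 name="/usr/bin/ssh" inode=77 mode=0100755 ouid=0 nametype=NORMAL
type=SYSCALL msg=audit(1737720200.789:458): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=2100 pid=2223 auid=1001 uid=1001 euid=1001 comm="cat" exe="/usr/bin/cat" key="secure_log"
type=PATH msg=audit(1737720200.789:458): item=0 name="/var/log/secure" inode=99 mode=0100600 ouid=0 nametype=NORMAL
"""

EVENT_RE = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")   # (epoch seconds, event id)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')             # key=value or key="value"

def parse_events(log_text):
    """Group raw records by event id: {id: {"time": epoch_seconds, "records": [dict, ...]}}."""
    events = defaultdict(lambda: {"time": 0, "records": []})
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an audit record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        ev = events[int(m.group(2))]
        ev["time"] = int(m.group(1))
        ev["records"].append(fields)
    return dict(events)

def search(events, key=None, uid=None, exe=None, path=None, pid=None, start=None):
    """Return sorted event ids matching every given criterion (AND semantics, like
    ausearch). key/uid/exe/pid match SYSCALL fields (-k, -ui, -x, -p); path matches the
    name= field of a PATH record (-f); start is an epoch lower bound (-ts)."""
    wanted = [("key", key), ("uid", uid), ("exe", exe), ("name", path), ("pid", pid)]
    hits = []
    for eid, ev in sorted(events.items()):
        if start is not None and ev["time"] < start:
            continue
        recs = ev["records"]
        if all(v is None or any(r.get(f) == str(v) for r in recs) for f, v in wanted):
            hits.append(eid)
    return hits

if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print(search(ev, key="passwd_changes"))    # [456]
    print(search(ev, uid=1000))                # [457]
    print(search(ev, path="/var/log/secure"))  # [458]
```

Note that `-ui` matches the `uid=` field, not `auid=`; in the sample, event 456 was performed by root with login uid 1000, so `uid=1000` does not return it.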