auditctl

ChatGPT

2025-01-24

auditctl

Configures and manages the Linux audit system. It lets the user load audit rules, such as watches on specific files or directories and filters on system calls, to track security-relevant events on the system. Here is a table of auditctl commands commonly used when configuring the audit system in Linux:

| Command | Description |
| --- | --- |
| auditctl -l | Lists all currently loaded audit rules. |
| auditctl -A never,exit -F dir=/home/user | Prepends (rather than appends) a rule to the exit list with action never, so syscalls touching /home/user are not audited; rules match in order, so a never rule at the front takes precedence over later always rules for that path. |
| auditctl -D | Deletes all currently loaded audit rules. |
| auditctl -w /etc/passwd -p wa | Watches /etc/passwd for write (w) and attribute-change (a) events. |
| auditctl -W /var/log/secure -p r | Removes the watch on /var/log/secure for read (r) access. |
| auditctl -k login_events | Tags a rule with the key login_events (used together with -w or -a, not on its own) so matching records can be found with ausearch -k login_events. |
| auditctl -s | Displays the current status of the audit system (enabled flag, failure mode, auditd pid, rate and backlog limits, lost and backlog counters). |
| auditctl -F uid=1000 | Field filter that limits a rule (given with -a) to events from user ID 1000; it is not a standalone command. |
| auditctl -f 2 | Sets the kernel's failure mode for audit delivery: 0 = silent, 1 = printk, 2 = panic. With 2 the kernel halts the machine if it cannot deliver an audit record, so use it only where that trade-off is intended. |
| auditctl -r | Sets the audit rate limit in messages per second (-r 0 disables the limit); listing rules is done with -l. |

ausearch

Searches through the audit logs generated by the audit system. It helps you find specific audit records based on criteria such as time, event type, user, or command, which makes log analysis and investigation more effective.

| Command | Description |
| --- | --- |
| ausearch -m avc | Searches for AVC (Access Vector Cache) records, i.e. SELinux denials. |
| ausearch -i | Interprets numeric fields (uids, syscall numbers, architectures) into human-readable names. |
| ausearch -ts today | Searches for events that occurred today (since midnight). |
| ausearch -ts 01/24/2025 | Searches for events that occurred on a specific date (e.g., January 24, 2025); the date format follows the system locale. |
| ausearch -x /usr/bin/ssh | Searches for events whose executable is /usr/bin/ssh. |
| ausearch -f /etc/passwd | Searches for events whose file name is /etc/passwd. |
| ausearch -ui 1000 | Searches for events whose uid is 1000 (this is the effective user, not the login uid; -ul searches on auid). |
| ausearch -p <pid> | Searches for events related to a specific process ID (pid). |
| ausearch -l | Line-buffered output (same as --line-buffered): flushes each line as it is written, useful when piping results to another tool in real time. |
| ausearch -k <key> | Searches for events that match a specific key (the key is defined on the rule with auditctl -k). |
| ausearch --start recent | --start is the long form of -ts; the keyword recent means the last 10 minutes. |
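As an added example (not part of the original notes), the Python script below shows what the auditctl -k key and the ausearch filters in both tables operate on: it parses audit.log records, groups them into events by their audit(time:serial) id the way ausearch does, and filters by key, uid, executable, file name and start time. The sample records, serial numbers and key names are constructed, not captured from a real host.

```python
import re

# Constructed sample of audit.log records (not captured from a real host).
# Records that share one audit(<time>:<serial>) id belong to one event; ausearch
# groups them this way before applying -k, -ui, -x, -f and -ts filters.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1737720000.101:2001): syscall=257 success=yes auid=1000 uid=0 exe="/usr/bin/vi" key="passwd_changes"
type=PATH msg=audit(1737720000.101:2001): item=0 name="/etc/passwd" mode=0100644
type=SYSCALL msg=audit(1737720000.250:2002): syscall=59 success=yes auid=1000 uid=1000 exe="/usr/bin/ssh" key="login_events"
type=EXECVE msg=audit(1737720000.250:2002): argc=2 a0="ssh" a1="bastion"
type=SYSCALL msg=audit(1737720001.000:2003): syscall=257 success=no auid=1001 uid=1001 exe="/usr/bin/cat" key="passwd_changes"
type=PATH msg=audit(1737720001.000:2003): item=0 name="/etc/shadow" mode=0100000
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """One record -> dict of field: value, with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def group_events(text):
    """Group records by serial: {serial: {"time": float, "records": [dict, ...]}}."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # not an audit record (blank line, garbage, daemon chatter)
        ts, serial = float(m.group(1)), int(m.group(2))
        ev = events.setdefault(serial, {"time": ts, "records": []})
        ev["records"].append(parse_record(line))
    return events


def search(events, key=None, uid=None, exe=None, path=None, since=None):
    """Serials of events matching every given filter, oldest first. key/uid/exe/path
    mirror ausearch -k/-ui/-x/-f, since mirrors -ts; any record of the event may match."""
    wanted = {"key": key, "uid": None if uid is None else str(uid),
              "exe": exe, "name": path}
    hits = []
    for serial, ev in sorted(events.items()):
        if since is not None and ev["time"] < since:
            continue
        recs = ev["records"]
        if all(v is None or any(r.get(f) == v for r in recs) for f, v in wanted.items()):
            hits.append(serial)
    return hits
```

Running search(group_events(SAMPLE_LOG), key="passwd_changes") returns the two events tagged by that key, one of them a failed read of /etc/shadow, which is the kind of result a practitioner looks for with ausearch -k.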