
auditd Command in Linux
auditd is the Linux audit daemon, a command-line tool that monitors and records activity on your system. It captures detailed information about events such as file access, user actions and system calls and writes it to a log for later analysis, which helps administrators track security-related events and demonstrate compliance.
The auditd daemon is part of the Linux auditing system, which provides a framework for auditing and logging. Administrators define rules with the auditctl command to specify which events to monitor; these rules can capture a wide range of activity, from login attempts to changes in critical files.
Table of Contents
Here is a comprehensive guide to the options available with the auditd command in Linux −
- Installing auditd in Linux
- Managing auditd in Linux
- Syntax of auditd
- auditd Command Options
- Signals Used by auditd
- Exit Codes Used by auditd
- Files Used by auditd
- Examples of auditd in Linux
Installing auditd in Linux
By default, auditd is not installed on most Linux distributions. However, its installation is straightforward and can be done using the system's default package manager −
For Debian-based systems like Ubuntu, use −
sudo apt install auditd
For Red Hat-based systems like CentOS, Fedora, or RHEL, run −
sudo dnf install audit
On an Arch Linux system, simply execute −
sudo pacman -S audit
On an OpenSUSE system, you can install auditd with the following command −
sudo zypper install audit
Managing auditd Command in Linux
After installing auditd, you need to set it up on your Linux system. This involves starting and enabling the audit daemon.
To start the audit daemon on Linux, run the command given below −
sudo systemctl start auditd

Once the audit daemon is running, enable it to start automatically at boot with the following command −
sudo systemctl enable auditd

To check the status of the audit daemon, you can run −
sudo systemctl status auditd

This will set up the audit daemon on your system.
Syntax of auditd Command
The basic syntax for auditd command on Linux is as follows −
auditd [options]
Where,
- auditd is the command used to start the audit daemon, which is responsible for writing audit records to the disk.
- [options] are additional flags you can use to modify the behavior of the audit daemon.
auditd Command Options
auditd accepts several options, which are described in the table provided below −
Option | Description |
---|---|
-f | Runs the audit daemon in the foreground, which can be useful for debugging. |
-l | Enables logging to syslog, and allows you to integrate audit logs with system logs. |
-n | Prevents the daemon from running in the background, and keeps it in the foreground. |
-s | Sets the state of the audit daemon to either disable, enable, or no change. |
-c | Specifies an alternate configuration directory for the audit daemon. |
Signals Used by auditd in Linux
The auditd daemon in Linux uses several signals to manage its behavior. Here are the key signals and their functions −
Signal | Description |
---|---|
SIGHUP | Causes auditd to re-read its configuration file and implement changes if there are no syntax errors. Logs a DAEMON_CONFIG event upon successful reconfiguration. |
SIGTERM | Instructs the daemon to stop processing audit events, write a shutdown audit event, and then exit. |
SIGUSR1 | Triggers an immediate log rotation. auditd checks the max_log_file_action setting to determine whether to keep or delete old logs. |
SIGUSR2 | Attempts to resume logging and passing events to plugins, useful if logging has been suspended or the internal queue has overflowed. |
SIGCONT | Causes the daemon to dump a report of its internal state to /var/run/auditd.state. |
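As an added example (not code from the original article), the following POSIX shell functions drive a running auditd with the signals from the table above and verify the outcome, for instance by checking for the DAEMON_CONFIG event after a reload. It assumes auditd's default PID file /var/run/auditd.pid (overridable through AUDITD_PIDFILE) and that ausearch from the audit package is installed.

```shell
#!/bin/sh
# Added example, not code from the original article: drive a running auditd
# with the signals listed above and confirm the outcome.
# Assumptions: the PID file is /var/run/auditd.pid (auditd's default; override
# with AUDITD_PIDFILE) and ausearch from the audit package is installed.
set -u

AUDITD_PIDFILE="${AUDITD_PIDFILE:-/var/run/auditd.pid}"
# Command used to deliver signals; set AUDITD_KILL=echo for a dry run.
AUDITD_KILL="${AUDITD_KILL:-kill}"

# Print the daemon's PID from its PID file; fail if it is missing or malformed.
auditd_pid() {
    [ -r "$AUDITD_PIDFILE" ] || { echo "no PID file at $AUDITD_PIDFILE" >&2; return 1; }
    pid=$(head -n 1 "$AUDITD_PIDFILE" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) echo "malformed PID file $AUDITD_PIDFILE" >&2; return 1 ;;
    esac
    echo "$pid"
}

# Deliver one of the signals from the table: HUP (reload config), USR1 (rotate
# logs), USR2 (resume logging), CONT (dump state), TERM (clean shutdown).
auditd_signal() {
    pid=$(auditd_pid) || return 1
    "$AUDITD_KILL" "-$1" "$pid"
}

# Reload auditd.conf and confirm auditd recorded a DAEMON_CONFIG event, which it
# only does when the new configuration had no syntax errors.
auditd_reload_config() {
    auditd_signal HUP || return 1
    sleep 1   # the daemon handles the signal asynchronously
    if ausearch -m DAEMON_CONFIG -ts recent >/dev/null 2>&1; then
        echo "auditd reloaded its configuration"
    else
        echo "no DAEMON_CONFIG event found; check auditd.conf for errors" >&2
        return 1
    fi
}

# Rotate the logs now; what happens to old files follows max_log_file_action.
auditd_rotate_logs() { auditd_signal USR1; }

# Ask auditd for an internal state report and print it.
auditd_state_report() {
    auditd_signal CONT || return 1
    sleep 1
    cat /var/run/auditd.state
}
```

Run the functions as root (for example `auditd_reload_config` after editing /etc/audit/auditd.conf); with AUDITD_KILL=echo they only print the kill command they would issue.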
Exit Codes Used by auditd Command
The auditd daemon in Linux uses several exit codes to indicate different states or errors. Here are the key exit codes and their description −
Exit Code | Description |
---|---|
1 | Indicates issues with initialization tasks such as adjusting priority, daemonizing, opening audit netlink, writing the PID file, starting up plugins, resolving the machine name, or setting the audit PID. |
2 | Signifies that there are invalid or too many command line arguments provided. |
4 | Means that the audit daemon does not have sufficient privileges to operate. |
6 | Points to an error in the configuration file. |
Files Used by auditd in Linux
The auditd daemon in Linux uses several important files for its configuration and operation. Here are the key files −
File | Description |
---|---|
/etc/audit/auditd.conf | Configuration file for the audit daemon, specifying how and where to log events. |
/etc/audit/audit.rules | File containing audit rules to be loaded at startup. |
/etc/audit/rules.d/ | Directory holding individual sets of rules, which are compiled into one file by augenrules. |
/etc/audit/plugins.d/ | Directory containing configuration files for audit plugins. |
/etc/audit/audit-stop | Rules loaded when the audit daemon stops. |
/var/run/auditd.state | File that reports the internal state of the audit daemon. |
Examples of auditd in Linux
Let's discuss some examples of auditd on a Linux system −
- Run the audit Daemon in the Foreground
- Prevent the Daemon from Running in the Background
- Set the State of audit Daemon
- Specify an Alternate Configuration
Run the audit Daemon in the Foreground
You can run the audit daemon in the foreground with the -f option; the command is provided below −
auditd -f

Prevent the Daemon from Running in the Background
To prevent the audit daemon from running in the background, use the following command −
auditd -n

Set the State of the audit Daemon
You can also set the state of the audit daemon to enable, disable, or no change with the -s option. For example, to enable the audit daemon, run the command given below −
auditd -s enable

Specify an Alternate Configuration Directory
If you want to specify an alternate configuration directory for the audit daemon, you can use the following command −
auditd -c /path/to/alternate/config
Replace /path/to/alternate/config with the path to your alternate configuration directory.
Conclusion
auditd is a powerful Linux daemon used for monitoring and recording system activities and capturing detailed information about various events.
In this tutorial, we explained how to install and manage