How I Use auditd to Catch Hidden Changes on My Linux Server
Sometimes attackers don't crash your system. They change just one file, set one cron job, or create one backdoor user, and wait.
That's why I rely on auditd: a powerful, built-in Linux tool that logs exactly what changes, who changed it, and when.
In this blog, I'll show you how I use auditd to detect shady behavior on both Ubuntu and Red Hat-based systems.
What is auditd?
auditd (the audit daemon) is part of the Linux Auditing System. It can monitor:
- File reads/writes
- Permission changes
- User logins
- Process executions
- Configuration changes
It logs to /var/log/audit/audit.log, separate from /var/log/syslog.
Step 1: Install and Enable auditd
Ubuntu:
sudo apt install auditd audispd-plugins
Red Hat:
sudo yum install audit
Enable and start:
sudo systemctl enable auditd --now
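To show what the installed daemon gives you once a few watch rules are in place, here is an added example that is not part of the original post: a set of auditctl watch rules for the kinds of changes listed above, a constructed sample of the audit.log records they produce, and two small shell functions that count hits per rule key and join the SYSCALL record (who, which program) with its PATH record (which file). The rule syntax is real auditctl syntax; the rule file name, the log lines and every uid, path and timestamp in them are made up for the example.

```shell
#!/bin/sh
# Added example, not the post's own code. Rules are real auditctl syntax;
# everything in SAMPLE_LOG is constructed to look like real audit.log records.

# Watch rules for the change types auditd can track (w = write, a = attribute
# change); a defender would place these in a hypothetical
# /etc/audit/rules.d/changes.rules and load them with: sudo augenrules --load
AUDIT_RULES='-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/cron.d/ -p wa -k cron
-w /etc/sudoers -p wa -k sudoers'

# Constructed sample of the records those rules write to /var/log/audit/audit.log.
# A SYSCALL record (who/which program/which key) and its PATH record (which file)
# share the serial after the colon in msg=audit(...:SERIAL).
SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="vim" exe="/usr/bin/vim" key="identity"
type=PATH msg=audit(1700000000.101:301): item=0 name="/etc/passwd" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.205:302): arch=c000003e syscall=257 success=yes exit=4 auid=1000 uid=0 comm="bash" exe="/usr/bin/bash" key="cron"
type=PATH msg=audit(1700000000.205:302): item=0 name="/etc/cron.d/unknown-job" nametype=CREATE
type=SYSCALL msg=audit(1700000000.300:303): arch=c000003e syscall=257 success=no exit=-13 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key="identity"
type=PATH msg=audit(1700000000.300:303): item=0 name="/etc/shadow" nametype=NORMAL'

# Count successful events for one rule key (log on stdin); failed attempts are
# still logged (success=no) but are not counted as a change.
count_hits() {
    grep -c "type=SYSCALL .* success=yes .* key=\"$1\"" || true
}

# One line per successful change: serial, login uid (auid survives sudo),
# program, rule key, file. Joins SYSCALL and PATH records by serial.
summarize() {
    awk '
      /^type=SYSCALL/ && /success=yes/ {
          match($0, /:[0-9]+\)/); id = substr($0, RSTART + 1, RLENGTH - 2)
          match($0, /auid=[0-9]+/); auid[id] = substr($0, RSTART + 5, RLENGTH - 5)
          match($0, /exe="[^"]*"/);  exe[id]  = substr($0, RSTART + 5, RLENGTH - 6)
          match($0, /key="[^"]*"/);  key[id]  = substr($0, RSTART + 5, RLENGTH - 6)
      }
      /^type=PATH/ {
          match($0, /:[0-9]+\)/); id = substr($0, RSTART + 1, RLENGTH - 2)
          if (id in key) {
              match($0, /name="[^"]*"/); path = substr($0, RSTART + 6, RLENGTH - 7)
              print id, "auid=" auid[id], exe[id], key[id], path
          }
      }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize
```

On a live box, replace the sample with `sudo cat /var/log/audit/audit.log | summarize`, or use the daemon's own `ausearch -k identity` once the rules are loaded.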