How I Use auditd to Catch Hidden Changes on My Linux Server
Sometimes attackers don’t crash your system. They change just one file, set one cron job, or create one backdoor user — and wait.
That’s why I rely on auditd: a powerful, built-in Linux tool that logs exactly what changes, who changed it, and when.
In this blog, I’ll show you how I use auditd to detect shady behavior on both Ubuntu and Red Hat-based systems.
🔧 What is auditd?
auditd (the audit daemon) is part of the Linux Auditing System. It can monitor:
- File reads/writes
- Permission changes
- User logins
- Process executions
- Configuration changes
It logs to /var/log/audit/audit.log — separate from /var/log/syslog.
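To make the list above concrete, here is an added example that is not part of the original post: a small set of auditctl watch rules for the kinds of change the post is worried about (account files, cron directories, the SSH daemon config), together with a parser that summarises the resulting audit.log records by rule key. The rule key names, the watched paths and the log excerpt are all this example's own constructed choices; the record layout follows the native audit.log format.

```shell
#!/bin/sh
# Added example (not from the original post). The rule set and the audit.log
# excerpt below are constructed for illustration.

# Watch rules in auditctl syntax. -p wa = log writes and attribute changes;
# -k tags matching records with a key you can search on later. In a real
# deployment these lines go in a file under /etc/audit/rules.d/ and are
# loaded with `augenrules --load`; the paths and key names are this example's.
audit_rules() {
    cat <<'EOF'
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/cron.d/ -p wa -k cron
-w /var/spool/cron/ -p wa -k cron
-w /etc/ssh/sshd_config -p wa -k sshd_config
EOF
}

# Constructed audit.log excerpt: three SYSCALL records that hit a watch rule
# (each carries the key that matched) and one PATH record without a key.
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000001.100:101): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2a0 a2=241 a3=1b6 items=1 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" key="identity"
type=SYSCALL msg=audit(1700000002.200:102): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2a0 a2=241 a3=1b6 items=1 ppid=2000 pid=2002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="cron"
type=SYSCALL msg=audit(1700000003.300:103): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd2a0 a2=241 a3=1b6 items=1 ppid=3000 pid=3001 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" key="identity"
type=PATH msg=audit(1700000003.300:103): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
EOF
}

# Summarise keyed SYSCALL records read from stdin as: key, login uid (auid),
# command name, and whether the syscall succeeded. auid is the uid of the
# user who originally logged in, so it survives sudo/su and still answers
# "who did this" when uid=0.
summarize_keyed() {
    awk '
        /^type=SYSCALL/ && /key="/ {
            key = ""; auid = ""; comm = ""; success = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "key")     { key = kv[2]; gsub(/"/, "", key) }
                if (kv[1] == "auid")    auid = kv[2]
                if (kv[1] == "comm")    { comm = kv[2]; gsub(/"/, "", comm) }
                if (kv[1] == "success") success = kv[2]
            }
            printf "%s auid=%s comm=%s success=%s\n", key, auid, comm, success
        }'
}

# Count events per key, so a burst of "identity" or "cron" hits stands out.
count_by_key() {
    summarize_keyed | awk '{ c[$1]++ } END { for (k in c) print k, c[k] }' | sort
}

# Stand-alone run over the constructed excerpt.
sample_log | summarize_keyed
sample_log | count_by_key
```

On a live system the same questions are answered by `ausearch -k identity` (and `aureport -k` for per-key counts); the awk parser above is only there so the record format and the value of auid can be seen offline. The failed `cat` of /etc/shadow by auid 1001 (success=no, exit=-13) shows why access attempts, not only successful writes, are worth keeping in the rule set.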
✅ Step 1: Install and Enable auditd
Ubuntu:
sudo apt install auditd audispd-plugins
Red Hat:
sudo yum install audit
Enable and start:
sudo systemctl enable auditd --now