Stop Flying Blind on Linux Security Events: Practical auditd for Real-Time Monitoring
If you've ever wondered "who changed that config file at 3 AM?" or needed to prove exactly which process touched a sensitive binary, auditd is the tool that gives you the answers without waiting for the next integrity scan.
Unlike periodic file integrity tools that compare snapshots, the Linux Audit Framework watches events in real time as they happen—file writes, program executions, even specific syscalls. It's the foundation for many compliance frameworks and incident response workflows on Debian and Ubuntu systems.
Why auditd Matters
- Real-time visibility into privilege escalation, config drift, and unauthorized access attempts
- Low-overhead when tuned properly (rules are evaluated in kernel space)
- Integrates cleanly with journald and can forward to SIEMs
- Required for many CIS benchmarks and regulatory controls
Installation and Basic Setup on Debian/Ubuntu
sudo apt update
sudo apt install -y auditd audispd-plugins
sudo systemctl enable --now auditd
Verify it's running:
sudo auditctl -s
You should see the current status, including the number of rules loaded and the failure mode.
Configuring auditd.conf for Production
Edit /etc/audit/auditd.conf with sensible defaults:
log_file = /var/log/audit/audit.log
num_logs = 8
max_log_file = 100
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
disk_full_action = SUSPEND
admin_space_left = 50
admin_space_left_action = SUSPEND
Place the audit log on a separate partition when possible to avoid filling root.
Writing Practical Audit Rules
Use the modular rules.d/ directory and augenrules (the modern approach).
Create /etc/audit/rules.d/10-security-baseline.rules:
# Delete any existing rules
-D
# Increase buffer size for busy systems
-b 8192
# Failure mode for the kernel audit subsystem: 1 = log (printk) on critical failure, 2 = panic the kernel; keep 1 unless policy demands 2
-f 1
# Monitor identity and authentication files
-w /etc/passwd -p wa -k identity_passwd
-w /etc/shadow -p wa -k identity_shadow
-w /etc/group -p wa -k identity_group
-w /etc/gshadow -p wa -k identity_gshadow
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/ssh/sshd_config -p wa -k ssh_config
# Monitor important binaries for execution or modification
-w /usr/bin/passwd -p x -k passwd_exec
-w /usr/bin/sudo -p x -k sudo_exec
-w /bin/su -p x -k su_exec
# Watch for changes to audit configuration itself
-w /etc/audit/ -p wa -k audit_config
# Example syscall rule: track all execve calls by non-root users
-a always,exit -F arch=b64 -S execve -F euid!=0 -k user_exec
Load them:
sudo augenrules --load
sudo augenrules --check # Reports whether rules.d/ has changed relative to the compiled /etc/audit/audit.rules
Check loaded rules:
sudo auditctl -l
Searching Logs with ausearch and aureport
The real power comes from querying:
# All events tagged with a specific key today
sudo ausearch -k identity_passwd -ts today
# Authentication, SELinux AVC, and auditd daemon-start events since yesterday (-i resolves uids and syscall numbers to names); add -sv no to keep only failed ones
sudo ausearch -m avc,user_auth,daemon_start -ts yesterday -i
# Generate a summary report
sudo aureport -k --summary
sudo aureport --auth --summary
For daily review, you can wrap these in a small script run by a systemd timer.
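The raw file behind ausearch is /var/log/audit/audit.log, and one hit on a -w rule is several records (SYSCALL, CWD, PATH, PROCTITLE, plus EXECVE for execve) that share an event id. The Python below is an added example, not code from the original post: it groups records by event id and reduces each event to the fields an analyst asks for, in particular auid (the login uid, which survives sudo and su) versus uid. The two sample events embedded in it, a sudo'd edit of /etc/passwd and a user_exec execve hit, are constructed for this example and not taken from a real host.

```python
"""Turn raw auditd records into per-event answers: which login user,
through which program, touched which path, and when.

Added example (not from the original post). The log lines below are
constructed in the layout auditd writes to /var/log/audit/audit.log.
"""
import re
from datetime import datetime, timezone

# Constructed sample: a `-w /etc/passwd -p wa -k identity_passwd` hit from an
# editor started under sudo (auid=1000 but uid=0), then a `user_exec` hit.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1718420400.101:9001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd3a1c2b60 a2=241 a3=1b6 items=2 ppid=4120 pid=4133 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vim.basic" key="identity_passwd"
type=CWD msg=audit(1718420400.101:9001): cwd="/root"
type=PATH msg=audit(1718420400.101:9001): item=0 name="/etc/" inode=2 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1718420400.101:9001): item=1 name="/etc/passwd" inode=131203 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1718420400.101:9001): proctitle=7669002F6574632F706173737764
type=SYSCALL msg=audit(1718420465.337:9017): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c3e0a2c0 a1=55d1c3e0a380 a2=55d1c3e09f10 a3=8 items=2 ppid=4120 pid=4150 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="user_exec"
type=EXECVE msg=audit(1718420465.337:9017): argc=2 a0="curl" a1="--version"
type=CWD msg=audit(1718420465.337:9017): cwd="/home/alice"
type=PATH msg=audit(1718420465.337:9017): item=0 name="/usr/bin/curl" inode=2311 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1718420465.337:9017): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=1803 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1718420465.337:9017): proctitle=6375726C002D2D76657273696F6E
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
# auditd hex-encodes (and leaves unquoted) string fields that contain spaces
# or control characters; only these fields are candidates for decoding.
STRING_FIELDS = {"proctitle", "name", "cwd", "comm", "exe", "key"}
AUID_UNSET = 4294967295  # auid=-1: no login session (daemon-started process)


def decode_hex_string(value):
    """Decode an unquoted hex audit string; NUL separators become spaces
    (a hex proctitle is argv joined by NUL)."""
    parts = bytes.fromhex(value).split(b"\0")
    return " ".join(p.decode("utf-8", "replace") for p in parts).strip()


def parse_fields(body, rec_type):
    """Parse name=value pairs; SYSCALL a0..a3 are register values and stay raw,
    EXECVE a0..aN are argv strings and may be hex-encoded."""
    fields = {}
    for name, quoted, bare in FIELD_RE.findall(body):
        if quoted:
            fields[name] = quoted
        elif bare in ("(null)", "?"):
            fields[name] = None
        elif (name in STRING_FIELDS or (rec_type == "EXECVE" and re.fullmatch(r"a\d+", name))) and HEX_RE.match(bare):
            fields[name] = decode_hex_string(bare)
        else:
            fields[name] = bare
    return fields


def group_events(text):
    """Group records by (timestamp, serial) event id, preserving file order."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # blank line or non-audit text
        ev = events.setdefault((m["ts"], m["serial"]), {"ts": float(m["ts"]), "records": []})
        ev["records"].append((m["type"], parse_fields(m["body"], m["type"])))
    return list(events.values())


def summarize(event):
    """Flatten one event; None for events without a SYSCALL record (e.g. DAEMON_START)."""
    syscall = next((f for t, f in event["records"] if t == "SYSCALL"), None)
    if syscall is None:
        return None
    paths, argv, proctitle, cwd = [], [], None, None
    for rtype, f in event["records"]:
        if rtype == "PATH" and f.get("nametype") != "PARENT":
            paths.append(f.get("name"))  # the object itself, not its directory
        elif rtype == "EXECVE":
            argv = [f.get(f"a{i}") for i in range(int(f["argc"]))]
        elif rtype == "PROCTITLE":
            proctitle = f.get("proctitle")
        elif rtype == "CWD":
            cwd = f.get("cwd")
    auid = int(syscall["auid"])
    return {
        "time": datetime.fromtimestamp(event["ts"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "key": syscall.get("key"),
        # auid is the login uid: it survives sudo/su, so it names the person
        "auid": None if auid == AUID_UNSET else auid,
        "uid": int(syscall["uid"]), "euid": int(syscall["euid"]),
        "exe": syscall.get("exe"), "comm": syscall.get("comm"), "tty": syscall.get("tty"),
        "success": syscall.get("success") == "yes", "syscall": int(syscall["syscall"]),
        "cwd": cwd, "paths": paths, "argv": argv, "proctitle": proctitle,
    }


def summarize_log(text, key=None):
    """All SYSCALL-bearing events, optionally only those tagged with `key`."""
    out = [summarize(ev) for ev in group_events(text)]
    return [s for s in out if s is not None and (key is None or s["key"] == key)]


if __name__ == "__main__":
    for s in summarize_log(SAMPLE_LOG):
        cmd = " ".join(a for a in s["argv"] if a) if s["argv"] else s["proctitle"]
        print(f"{s['time']}Z key={s['key']} auid={s['auid']} uid={s['uid']} exe={s['exe']} "
              f"paths={','.join(p for p in s['paths'] if p)} cmd={cmd!r} ok={s['success']}")
```

Point summarize_log at the text of /var/log/audit/audit.log (or at `ausearch --raw` output) and the first event prints as auid=1000 uid=0 with path /etc/passwd and command `vi /etc/passwd`: the uid says root made the change, the auid says which login user did it through sudo. Event ids restart after a reboot, so the (timestamp, serial) pair is used as the grouping key rather than the serial alone.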
Performance and Operational Tips
- Start with -b 8192 and tune based on auditctl -s output (look for lost events)
- Use specific keys and avoid overly broad rules
- Forward logs centrally using audispd-plugins or syslog
- Add audit=1 to your kernel command line so early boot events are captured
- Test rules in a lab first—bad rules can generate massive log volume
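The "look for lost events" check above is easy to automate. The Python below is an added example, not code from the original post: it parses the name-value lines that auditctl -s prints and turns them into findings (events lost, backlog near its limit, auditing disabled, silent failure mode). The status text embedded in it is a constructed sample in that layout, and the 75% backlog warning threshold is this example's own assumption rather than an auditd default.

```python
"""Turn `auditctl -s` output into tuning findings.

Added example, not from the original post. SAMPLE_STATUS is constructed
in the layout auditctl prints; the warning threshold is an assumption.
"""

# Constructed sample: a busy host whose backlog is close to -b 8192 and
# that has already dropped events.
SAMPLE_STATUS = """\
enabled 1
failure 1
pid 713
rate_limit 0
backlog_limit 8192
lost 37
backlog 6200
backlog_wait_time 60000
backlog_wait_time_actual 1800
loginuid_immutable 0 unlocked
"""


def parse_status(text):
    """Parse 'name value [extra]' lines into a dict; numeric values become ints,
    a trailing word (e.g. 'unlocked') is kept under name_flag."""
    status = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        name, value = parts[0], parts[1]
        status[name] = int(value) if value.lstrip("-").isdigit() else value
        if len(parts) > 2:
            status[name + "_flag"] = " ".join(parts[2:])
    return status


def check_status(status, backlog_warn_ratio=0.75):
    """Return a list of findings; an empty list means the daemon looks healthy.

    lost > 0 means the kernel could not queue events for auditd: raise -b or
    narrow the rules. A backlog near backlog_limit is the early warning for
    the same condition. enabled is 1 (on) or 2 (on and locked by -e 2).
    failure 0 means overflow is silent, so the loss would go unnoticed."""
    findings = []
    if status.get("enabled") not in (1, 2):
        findings.append("auditing is not enabled (enabled must be 1 or 2)")
    if status.get("lost", 0) > 0:
        findings.append(f"{status['lost']} events lost: raise -b or reduce rule volume")
    limit = status.get("backlog_limit", 0)
    backlog = status.get("backlog", 0)
    if limit and backlog >= backlog_warn_ratio * limit:
        findings.append(f"backlog {backlog} is at {backlog / limit:.0%} of backlog_limit {limit}")
    if status.get("failure") == 0:
        findings.append("failure mode 0 is silent: overflow drops events without a log message")
    return findings


if __name__ == "__main__":
    for finding in check_status(parse_status(SAMPLE_STATUS)) or ["auditd status looks healthy"]:
        print(finding)
```

Run it against live output with `sudo auditctl -s | python3 this_script.py` after swapping SAMPLE_STATUS for sys.stdin.read(); the backlog number is a point-in-time reading, so sample it a few times during peak load before deciding that -b 8192 is enough.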
Sources and Further Reading
- Red Hat Enterprise Linux Security Hardening: Auditing the system
- Neo23x0/auditd GitHub repository (excellent community rule sets)
- Linux man pages: man auditd, man audit.rules, man augenrules
- OneUptime and community guides on Ubuntu/Debian auditd configuration (2026)
This setup gives you actionable, searchable evidence the moment something important happens on your Linux systems. Start with the identity and sudo monitoring rules above—you'll be surprised how quickly they pay off during troubleshooting or audits.
Written with care for the Linux community. All examples tested on current Debian 12 and Ubuntu 24.04/25.10 releases.