Use Cases


Watching file access

Monitoring system calls

Recording commands run by a user

Monitoring network access
    The iptables and ebtables utilities can be configured to trigger Audit events


Summary Report



Summary Report
Range of time in logs: 02/13/2017 17:30:15.545 - 09/19/2017 17:07:16.241
Selected time for report: 02/13/2017 17:30:15 - 09/19/2017 17:07:16.241
Number of changes in configuration: 1870
Number of changes to accounts, groups, or roles: 44
Number of logins: 43
Number of failed logins: 3
Number of authentications: 89
Number of failed authentications: 32
Number of users: 2




audisp — the Audit dispatcher daemon interacts with the Audit daemon and sends events to other applications for further processing. The purpose of this daemon is to provide a plug-in mechanism so that real-time analytical programs can interact with Audit events.

auditctl — the Audit control utility interacts with the kernel Audit component to manage rules and to control a number of settings and parameters of the event generation process.




# Default installed by on Red Hat Enterprise Linux 7

yum install audit

# Rule File


# Configure File



systemctl enable auditd

service auditd start

# Rotates the log files in the /var/log/audit/ directory.

service auditd rotate

Stop auditd

service auditd stop; systemctl disable auditd




local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW

# log

# Specifies the maximum size of a single Audit log file (Mbyte)
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE

# how many records can be sent to the disk before forcing a hard synchronization with the hard drive

freq = 50

More about configure

# specifies whether or not to include local events.
# "no" is when you want to aggregate events only from the network.

local_events = yes

# RAW: stored in a format exactly as the kernel sends it
# ENRICHED: will resolve all uid, gid, syscall, architecture, and socket address information before writing the event to disk.

log_format = RAW

# "ps axl | grep auditd" 會見到 -4


# Dispatcher

The dispatcher is a program that is started by the audit daemon when it starts up.
It will pass a copy of all audit events to that application's stdin.

There is a 128k buffer between the audit daemon and dispatcher.
lossy: incoming events going to the dispatcher are discarded when this queue is full.
(Events are still written to disk if log_format is not nolog.)
lossless: auditd daemon will wait for the queue to have an empty spot before logging to disk.

disp_qos = lossy
dispatcher = /sbin/audispd




auditctl -s

enabled 1
failure 1
pid 582
rate_limit 0
backlog_limit 64
lost 0
backlog 0
loginuid_immutable 0 unlocked

# List  all  rules

auditctl -l

No rules

# deletes all currently loaded Audit rules

auditctl -D


Defining File System Rules

auditctl -w path_to_file -p permissions -k key_name

    r — read access to a file or a directory.
    w — write access to a file or a directory.
    x — execute access to a file or a directory.
    a — change in the file's or directory's attribute.


auditctl -w /etc/passwd -p wa -k passwd_changes

auditctl -w /root/login/ -p rwa -k Login_PW_File

-w path

Insert a watch for the file system object at path.

  * Wildcards are not supported

加入 rule 後, 會有 log

type=CONFIG_CHANGE msg=audit(1505813953.234:146): auid=0 ses=2 op=add_rule key="Login_PW_File" list=4 res=1

當有 access

type=SYSCALL msg=audit(1505814134.528:154): 
     arch=c000003e syscall=2 success=yes exit=3 a0=7ffe4e40234c a1=0 a2=1fffffffffff0000 a3=7ffe4e401520 
     items=1 ppid=1958 pid=2013 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="cat" exe="/usr/bin/cat" key="Login_PW_File"
type=CWD msg=audit(1505814134.528:154):  cwd="/root"
type=PATH msg=audit(1505814134.528:154): item=0 name="/root/login/seafile.txt" inode=1092069 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=PROCTITLE msg=audit(1505814134.528:154): proctitle=636174002F726F6F742F6C6F67696E2F73656166696C652E747874

Record Type

First Record


this record was triggered by a system call to the kernel.

Second Record


This type is used to record the working directory from which the process that invoked the system call specified in the first record was executed.

Third Record


PATH-type record for every path that is passed to the system call as an argument.


Defining Executable File Rules

auditctl  -a action,filter [ -F arch=cpu -S system_call] -F exe=path_to_executable_file -k key_name

-a list,action              # Append rule to the end of list with action


task - Add a rule to the per task list. This rule list is used only at the time  a  task  is created

         when  fork()  or  clone() are called by the parent task.

exclude - Add  a  rule  to  the  event  type exclusion filter list.

              (This list is used to filter events that you do not want to see)


  • always
  • never

-F field=value

additional options that further modify the rule to match events based on a specified architecture, group ID, process ID, and others.

-S system_call

A list of all system calls can be found in the /usr/include/asm/unistd_64.h


auditctl -F exe=/bin/id -S execve -k execution_bin_id



/etc/audit/rules.d/* --> audit.rules

The files in this directory are organized into groups with following meanings:

    10 - Kernel and auditctl configuration
    20 - Rules that could match general rules but you want a different match
    30 - Main rules
    40 - Optional rules
    50 - Server-specific rules
    70 - System local rules
    90 - Finalize (immutable)

Once you have the rules in the rules.d directory, you can load then by running

# test if rules have changed and need updating without overwriting audit.rules

augenrules --check

# load old or newly built rules into the kernel

augenrules --load

Preconfigured Rules Files

ls -1 /usr/share/doc/audit*/rules/