Set Up Linux System Auditing with auditd
This guide outlines the basic steps for configuring auditd on a Linux system and creating a custom rule to track file deletions in a target directory. Since exact procedures can vary by distribution, additional system-specific resources found elsewhere online may be helpful for more detailed setup and troubleshooting. The instructions in this guide were primarily tested on Amazon Linux 2023 running kernel 6.1.161-183.298.amzn2023.x86_64 on x86_64 architecture.
STEP 1: Install auditd
The audit package (which provides auditd, auditctl, augenrules and ausearch) is installed by default on most distributions. If it is missing, install it with the command for your distribution:
Debian/Ubuntu:
sudo apt install auditd
RHEL/CentOS/Amazon Linux:
sudo yum install audit
Newer RHEL/CentOS/Amazon Linux systems:
sudo dnf install audit
STEP 2: Enable and start auditd
auditd will need to be enabled and started with the following two commands:
sudo systemctl enable auditd
sudo systemctl start auditd
Then verify the state of the kernel audit subsystem (as opposed to the daemon, which systemctl status auditd reports on). The enabled field in the output corresponds to the -e setting: 0 = disabled, 1 = enabled, 2 = enabled and locked, meaning the rules cannot be changed until reboot.
sudo auditctl -s
STEP 3: Add in a custom auditing rule
To create non-persistent rules:
With the auditctl tool, you can add custom auditing rules for any system call you want.
In general, there are two types of rules: file system rules (watches on a path) and system call rules. The audit.rules man page covers the differences and use cases: https://linux.die.net/man/7/audit.rules
For simplicity, the example below adds a rule to monitor file deletions in a directory, so you can try it out yourself.
sudo auditctl -a always,exit -F arch=b64 -S unlink,unlinkat -F dir=/home/ec2-user/ExampleDirectory -k file_deletion
This rule is non-persistent: it is gone after a reboot, and it can be modified for your testing. Two caveats: -F arch=b64 only matches 64-bit callers, so if 32-bit binaries can run on the host, add a matching rule with -F arch=b32; and on aarch64 there is no unlink syscall (only unlinkat), so -S unlink will be rejected there and the rule must list unlinkat alone. The dir= filter matches the directory and everything beneath it.
Additionally, the example rule only produces events if syscall auditing is enabled, so check the following before testing.
To see what rules are currently loaded, run the following command:
sudo auditctl -l
If the output contains -a never,task, that rule must be deleted to enable syscall auditing. On some systems the -a never,task rule is added by default by packaged sample rules or old configs. To delete it, run the following command:
sudo auditctl -d never,task
The task filter is evaluated when a process is created, so the change applies to processes started from now on; a test command you launch after deleting the rule will be audited. If the -a never,task rule is defined in a file under /etc/audit/rules.d/, it will come back after a reboot. If you do not want it to persist, see the next section on persistent rules.
To create persistent rules:
To make auditing rules persistent across reboots, add them to /etc/audit/rules.d/audit.rules (or to a separate file in that directory, such as /etc/audit/rules.d/file_deletion.rules; augenrules merges every *.rules file there into /etc/audit/audit.rules) by opening it with your preferred text editor.
These files contain auditctl arguments exactly as entered on the command line, but without the auditctl command in front:
-a always,exit -F arch=b64 -S unlink,unlinkat -F dir=/home/ec2-user/ExampleDirectory -k file_deletion
While editing, comment out the following default rule if it is present in any file under /etc/audit/rules.d/; it is the same rule as -a never,task (auditctl accepts the list and action in either order), and commenting it out enables syscall auditing across reboots.
## -a task,never
After making changes or creating a new persistent rule, load the merged rule set with the following command. If the audit configuration is locked (-e 2), loading will fail and the new rules only take effect after a reboot.
sudo augenrules --load
STEP 4: Verify rules are loaded
To verify what rules are currently loaded, run the following command:
sudo auditctl -l
STEP 5: Test your rule
To test the file-deletion rule created in step 3, create and delete a file within the specified directory, then run the following command:
sudo ausearch -k file_deletion -ts today -i
This shows each deletion recorded today: the SYSCALL record carries the date/time, the user (auid is the original login user, even after sudo), the executable, and the PID; the PATH record with nametype=DELETE carries the name of the file that was removed. The -i flag translates numeric IDs and syscall numbers into names. Be sure to change the key used for the search to whichever key was specified when creating your custom rule.
If you created a different custom rule, perform an action that rule tracks and adjust the ausearch command accordingly. The ausearch man page is a useful reference: https://man7.org/linux/man-pages/man8/ausearch.8.html
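The following script is an added example, not part of the original guide, that wraps steps 2 to 5 above: it generates the deletion rule (going beyond the page by also emitting a b32 variant), checks auditctl -s and auditctl -l output for the enabled flag and the never,task rule, and summarizes ausearch -i output into one line per event so that refused attempts (success=no, no nametype=DELETE record) are distinguished from completed deletions. The directory, key, AUDIT_APPLY switch and all sample output are assumptions constructed for the example; the privileged part only runs as root with AUDIT_APPLY=1.

```shell
#!/bin/sh
# Added example (not from the original guide). DIR, KEY, AUDIT_APPLY and the
# sample outputs below are assumptions; the sample records are constructed.
set -u

# Emit the auditctl arguments for a deletion rule, one line per architecture.
# The b32 rule is an addition: 32-bit callers use a separate syscall table.
deletion_rules() {
  dir=$1; key=$2
  for arch in b64 b32; do
    printf '%s\n' "-a always,exit -F arch=$arch -S unlink,unlinkat -F dir=$dir -k $key"
  done
}

# Exit 0 if 'auditctl -l' output (passed as $1) contains the rule that disables syscall auditing.
has_never_task() {
  printf '%s\n' "$1" | grep -Eq -- '^-a[[:space:]]+(never,task|task,never)([[:space:]]|$)'
}

# Print the value of the enabled field from 'auditctl -s' output (passed as $1).
audit_enabled() {
  printf '%s\n' "$1" | awk '$1 == "enabled" { print $2; exit }'
}

# Reduce 'ausearch -i' output on stdin to: <time> auid= exe= pid= success= deleted= name=
summarize_deletions() {
  awk '
    function reset() { ts = ""; auid = ""; exe = ""; pid = ""; success = ""; name = ""; deleted = "no" }
    function flush() {
      if (pid != "")
        printf "%s auid=%s exe=%s pid=%s success=%s deleted=%s name=%s\n", ts, auid, exe, pid, success, deleted, name
      reset()
    }
    BEGIN { reset() }
    /^----/ { flush(); next }
    $1 == "type=SYSCALL" {
      if (match($0, /audit\([^)]*\)/)) ts = substr($0, RSTART + 6, RLENGTH - 7)   # inside msg=audit(...)
      for (i = 1; i <= NF; i++) {
        n = index($i, "="); if (n == 0) continue
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        if (k == "auid") auid = v
        else if (k == "exe") exe = v
        else if (k == "pid") pid = v
        else if (k == "success") success = v
      }
    }
    $1 == "type=PATH" {
      nm = ""; nt = ""
      for (i = 1; i <= NF; i++) {
        if (substr($i, 1, 5) == "name=") nm = substr($i, 6)
        else if (substr($i, 1, 9) == "nametype=") nt = substr($i, 10)
      }
      # nametype=DELETE is only recorded once the unlink succeeded; a refused
      # attempt leaves only PARENT/NORMAL records, so keep the target from NORMAL.
      if (nt == "DELETE") { name = nm; deleted = "yes" }
      else if (nt != "PARENT" && name == "") name = nm
    }
    END { flush() }
  '
}

# Root only: load the rules, delete a test file, and show what was recorded.
apply_and_test() {
  dir=$1; key=$2
  [ "$(id -u)" -eq 0 ] || { echo "apply_and_test must run as root" >&2; return 1; }
  has_never_task "$(auditctl -l)" && auditctl -d never,task
  deletion_rules "$dir" "$key" | while read -r rule; do auditctl $rule; done
  mkdir -p "$dir" && touch "$dir/audit-test.txt" && rm "$dir/audit-test.txt"
  ausearch -k "$key" -ts recent -i | summarize_deletions
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_STATUS='enabled 1
failure 1
pid 1203
rate_limit 0
backlog_limit 8192'
SAMPLE_RULES_BAD='-a never,task'
SAMPLE_RULES_GOOD='-a always,exit -F arch=b64 -S unlink,unlinkat -F dir=/home/ec2-user/ExampleDirectory -F key=file_deletion'
SAMPLE_AUSEARCH=$(cat <<'EOF'
----
type=PROCTITLE msg=audit(01/15/2025 10:02:11.417:903) : proctitle=rm /home/ec2-user/ExampleDirectory/test.txt
type=PATH msg=audit(01/15/2025 10:02:11.417:903) : item=1 name=/home/ec2-user/ExampleDirectory/test.txt inode=262401 dev=ca:01 mode=file,644 ouid=ec2-user ogid=ec2-user rdev=00:00 nametype=DELETE
type=PATH msg=audit(01/15/2025 10:02:11.417:903) : item=0 name=/home/ec2-user/ExampleDirectory/ inode=262400 dev=ca:01 mode=dir,755 ouid=ec2-user ogid=ec2-user rdev=00:00 nametype=PARENT
type=CWD msg=audit(01/15/2025 10:02:11.417:903) : cwd=/home/ec2-user
type=SYSCALL msg=audit(01/15/2025 10:02:11.417:903) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0xffffff9c a1=0x55a1c2b3d2c0 a2=0x0 a3=0x0 items=2 ppid=1310 pid=1342 auid=ec2-user uid=ec2-user gid=ec2-user euid=ec2-user tty=pts0 ses=3 comm=rm exe=/usr/bin/rm key=file_deletion
----
type=PROCTITLE msg=audit(01/15/2025 10:05:40.002:911) : proctitle=rm /home/ec2-user/ExampleDirectory/protected.txt
type=PATH msg=audit(01/15/2025 10:05:40.002:911) : item=1 name=/home/ec2-user/ExampleDirectory/protected.txt inode=262402 dev=ca:01 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=NORMAL
type=PATH msg=audit(01/15/2025 10:05:40.002:911) : item=0 name=/home/ec2-user/ExampleDirectory/ inode=262400 dev=ca:01 mode=dir,755 ouid=ec2-user ogid=ec2-user rdev=00:00 nametype=PARENT
type=CWD msg=audit(01/15/2025 10:05:40.002:911) : cwd=/home/ec2-user
type=SYSCALL msg=audit(01/15/2025 10:05:40.002:911) : arch=x86_64 syscall=unlinkat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55a1c2b3d2c0 a2=0x0 a3=0x0 items=2 ppid=1310 pid=1377 auid=ec2-user uid=ec2-user gid=ec2-user euid=ec2-user tty=pts0 ses=3 comm=rm exe=/usr/bin/rm key=file_deletion
EOF
)

if [ "${AUDIT_APPLY:-0}" = "1" ]; then
  apply_and_test "${DIR:-/home/ec2-user/ExampleDirectory}" "${KEY:-file_deletion}"
else
  printf '%s\n' "$SAMPLE_AUSEARCH" | summarize_deletions
fi
```

Run it without arguments to see the summarizer applied to the constructed sample; run it as root with AUDIT_APPLY=1 to load the rules and exercise them on the host. The summarizer keys on auid rather than uid because auid survives sudo and su and identifies the user who actually logged in.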
Additional Notes
Depending on the permissions assigned to the Linux user, ausearch may be runnable without sudo. If the user does need sudo, permissions need to be updated to allow running specific passwordless sudo-ed commands. Passwordless is required because IguanaX does not allow entering a password for commands that trigger a password prompt. The preferred approach is to grant passwordless sudo only for the exact ausearch command(s) that is required, rather than giving the user broad passwordless administrative access.
A common way to do this is to create a dedicated sudoers drop-in file under /etc/sudoers.d/ instead of editing /etc/sudoers directly. This keeps custom permission changes separate and makes future maintenance easier. For example, you can create a file for ausearch permissions by running:
sudo visudo -f /etc/sudoers.d/ausearch
Then add a rule like this:
ec2-user ALL=(ALL) NOPASSWD: /usr/sbin/ausearch -k file_deletion -ts today -m SYSCALL -i
This example rule allows ec2-user to run that specific ausearch command with sudo and without being prompted for a password. Modify it for the ausearch command you intend to run; sudoers matches the arguments literally, so the command must be invoked with exactly those arguments in that order. Check the file with sudo visudo -cf /etc/sudoers.d/ausearch and confirm the grant with sudo -l -U ec2-user. Note that listing a command without any arguments allows it to be run with any arguments, and that a * wildcard in the argument list also matches spaces, so additional arguments can be smuggled in.
To emphasize further, it is recommended to grant access only to the specific command or commands that are needed, rather than allowing passwordless sudo for all commands for a user.
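As an added example (not from the original guide), the following script lints a sudoers drop-in for the over-broad NOPASSWD grants discussed above and, when run as root, installs the file only after visudo accepts it. The file name, user and sample contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original guide). The drop-in path, user name and
# sample contents are assumptions; they are constructed, not taken from a host.
set -u

# Print one finding per over-broad NOPASSWD line of the sudoers text in $1.
# Returns 0 when nothing was flagged, 1 otherwise.
lint_sudoers_dropin() {
  findings=$(printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*$/ { next }
    /NOPASSWD:/ {
      spec = $0; sub(/.*NOPASSWD:[[:space:]]*/, "", spec)
      if (spec == "ALL")          { print NR ": passwordless ALL commands: " $0; next }
      if (spec ~ /[*?]/)          { print NR ": wildcard in command spec; sudoers wildcards also match spaces, so extra arguments get through: " $0; next }
      if (spec !~ /^\//)          { print NR ": command is not an absolute path: " $0; next }
      if (spec ~ /^\/[^ ]+$/)     { print NR ": command listed without arguments, so any arguments are allowed: " $0; next }
    }')
  [ -z "$findings" ] || { printf '%s\n' "$findings"; return 1; }
}

# Root only: write the text in $2 to a temp file, let visudo check it, then
# install it as $1 with the mode sudo expects for drop-ins.
install_sudoers_dropin() {
  target=$1; text=$2
  [ "$(id -u)" -eq 0 ] || { echo "install_sudoers_dropin must run as root" >&2; return 1; }
  lint_sudoers_dropin "$text" || return 1
  tmp=$(mktemp) || return 1
  printf '%s\n' "$text" > "$tmp"
  visudo -cf "$tmp" && install -m 0440 -o root -g root "$tmp" "$target"
  status=$?
  rm -f "$tmp"
  return $status
}

# Constructed samples. GOOD is the page's rule; BAD collects the mistakes to avoid.
GOOD_DROPIN='# ausearch for the file_deletion key only
ec2-user ALL=(ALL) NOPASSWD: /usr/sbin/ausearch -k file_deletion -ts today -m SYSCALL -i'
BAD_DROPIN='ec2-user ALL=(ALL) NOPASSWD: ALL
ec2-user ALL=(ALL) NOPASSWD: /usr/sbin/ausearch *
ec2-user ALL=(ALL) NOPASSWD: /usr/sbin/ausearch'

if lint_sudoers_dropin "$GOOD_DROPIN"; then echo "GOOD_DROPIN: no findings"; fi
lint_sudoers_dropin "$BAD_DROPIN" || echo "BAD_DROPIN: findings above"
```

The lint runs before visudo because visudo only checks syntax; a line granting NOPASSWD: ALL is perfectly valid sudoers syntax and would be installed without complaint.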