How to Monitor Linux File Access Using Auditd

Successfully monitoring Linux file access is a very important milestone for users or Linux administrators confined in a shared or public network setting. Linux file access monitoring helps us answer questions like Who has had access to this file within the last week? Can I get a username list of all users accessing file x? Can I know when file y is being accessed?

The set logging policies on your Linux operating system distribution should give us timely statistics regarding the system user and the period in which queried file(s) were accessed.

Auditd or Audit Daemon emulates a Linux Auditing System solely focused on the userspace component. Under the Linux operating system spectrum, anything that is labeled a daemon implies that it is a background running service/application. Therefore, Auditd comfortably runs as a background service while collecting and writing audit-associated log files.

Auditd Features

By installing and using Auditd on your Linux operating system distribution, you will be able to meet/implement the following audit-related functionalities:

  • Log of incoming and outgoing, from and to, system information.
  • Log of authenticated user events e.g. ssh.
  • Log of audit configuration files changes.
  • Log of timestamp and even information e.g. event type and outcome.
  • Log of sensitive files or database changes e.g. /etc/passwd file’s passwords.
  • Log of audit log files access attempt.
  • Log of triggered events and users responsible for it.

Install Auditd (Linux Auditing System)

Before we look at the installation steps needed to have auditd up and running on your Linux operating system distribution, make sure you meet the following requirements/prerequisites:

Reference the following auditd installation commands in regards to the Linux OS distribution you are using:

$ sudo apt install audit            [On Debian, Ubuntu and Mint]
$ sudo yum install audit            [On RHEL/CentOS/Fedora and Rocky Linux/AlmaLinux]
$ sudo emerge -a sys-process/audit  [On Gentoo Linux]
$ sudo pacman -S audit              [On Arch Linux]
$ sudo zypper install audit         [On OpenSUSE]    

Auditd (Linux Auditing System) Usage

We are now ready to configure and manage auditd for tracking security-related information on our Linux systems.

The file path /etc/audit/auditd.conf points to the main audit configuration file. Accessing the auditd.conf file requires sudoer/root user privileges.

$ sudo nano /etc/audit/auditd.conf
Auditd Configuration
Auditd Configuration

To start, enable and verify the status of auditd, we’ll use the service command in place of the systemctl command for user ID (UID) accuracy.

$ sudo service auditd start
$ sudo systemctl enable auditd
$ sudo systemctl status auditd
Check auditd Status
Check auditd Status

Defining Audit Rules in Linux

We’ll need to use the auditctl tool to add system call-related auditing rules. For instance, we can define a watch rule which monitors file access types like read, write, execute, or even check for attribute changes.

The watch rules syntax is as follows:

# auditctl -w path_to_target_file -p permissions -k key_name
Example 1: Audit on User Creation Actions

Watch (-w) the /etc/passwd file for changes associated with a write (w) and attribute (a) as set permissions (-p). Key name (-k) helps us uniquely identify the created watch rule.

$ sudo auditctl -w /etc/passwd -p wa -k user-modify

Stored logs related to auditd can be found in the file /var/log/audit/audit.log.

Let us create a Linux user to see if auditd will log the changes.

$ sudo useradd new_user

Time to check the auditd log file:

$ sudo cat /var/log/audit/audit.log | grep user-modify
Check Auditd Log File
Check Auditd Log File

The above output has some rich information like the type of command executed if the command was executed successfully, user id (uid), group id (gid), and process id (pid) used in the creation of new_user.

Example 2: Audit User actions on Directory X

The below command monitors read, write, execute, and attribute (rwxa) permissions on desktop files.

$ sudo auditctl -w /home/dnyce/Desktop -p rwxa -k desktop-modified-files

Perform some read, write, execute, and attribute (rwxa) actions on your desktop environment.

Access Desktop Files
Access Desktop Files

and check if the auditd updated its log file.

Check Auditd for File Access
Check Auditd for File Access

Persistent Audit Rules in Linux

These are watch rules (without auditctl) that persist even after the system reboot. For instance, to make the audit on user creation actions persistent, we’ll open the following file.

$ sudo nano /etc/audit/rules.d/audit.rules

and save the watch rule:

-w /etc/passwd -p wa -k user-modify
Add Persistent Audit Rules
Add Persistent Audit Rules

Finally, reload the audit daemon.

$ sudo service auditd reload

Confirm the audit rule addition by listing it:

$ sudo auditctl -l 
Check Persistent Audit Rules
Check Persistent Audit Rules

Searching Audit Logs in Linux

We can search audit logs by pointing to their key names:

$ ausearch -i -k desktop-modified-files
Search Audit Logs
Search Audit Logs

Creating Audit Reports in Linux

The generated reports can point to executable (-x) events.

$ sudo aureport -x
Create Audit Report
Create Audit Report

We now understand how easy it is to monitor Linux File Access actions both temporarily and persistently via the Auditd utility.

Got something to say? Join the discussion.

Have a question or suggestion? Please leave a comment to start the discussion. Please keep in mind that all comments are moderated and your email address will NOT be published.