auditctl
Configure the Linux audit system
TLDR
Display the [s]tatus of the audit system
[l]ist all currently loaded audit rules
[D]elete all audit rules
[e]nable/disable the audit system
Watch a file for changes
Recursively watch a directory for changes
Display [h]elp
SYNOPSIS
auditctl [-a|-A|-b|-c|-d|-D|-f|-g|-i|-k|-l|-L|-n|-p|-q|-r|-R|-s|-S|-t|-v|-V|-w|-W] [args]
PARAMETERS
-a list,action
Append rule to the end of the specified list (e.g., tasks, exit, user).
-A list,action
Prepend rule to the beginning of the specified list.
-b backlog
Set maximum audit message backlog (default 64).
-c
Don't reload rules from /etc/audit/audit.rules on daemon restart.
-d list,action
Delete rule matching specified list and action.
-D
Delete all rules and watches.
-f [0|1|2]
Set failure mode: 0=silent, 1=printk, 2=panic.
-g group
Get group PID from given group name.
-i
Interpret escape sequences in rule fields.
-k key|"key"
Set filter key for rule.
-l [-R]
List current active rules (-R resolves paths).
-L
List all rules in loaded format.
-n
Interpret numeric fields as numbers, not strings.
-p list
List PIDs in specified list.
-q msgid
Set syslog ID for audit messages.
-r rate
Set max rate of audit messages per second.
-R file
Read rules from specified file.
-s flag [=value]
Get or set a kernel audit parameter (e.g., pid, rate_limit).
-S syscall
Remove syscall rule from default list.
-t type
Delete named watches of given type.
-v
Print verbose messages during processing.
-V
Print version and exit.
-w path action
Add watch on path with permission action (e.g., rwx).
-W path action
Watch path with exclude flag.
DESCRIPTION
auditctl is a command-line tool for configuring and managing the Linux kernel's audit subsystem. It lets security administrators load audit rules into the kernel and monitor system calls, file accesses, network events, and user actions for compliance, intrusion detection, and forensic analysis.
The tool uses netlink sockets to communicate directly with the kernel's audit module (CONFIG_AUDIT). Common tasks include adding watches on files (-w), appending rules (-a), setting parameters such as the failure mode (-f), and listing the rules currently loaded (-l). Rules can filter on process ID, user ID, syscall, or exit status, which allows fairly complex policies to be expressed.
auditctl is typically used alongside the audit daemon (auditd), which collects the records and writes them to /var/log/audit/audit.log, but auditctl itself works on the kernel side and does not depend on the daemon. The real-time event logging it enables is relied on for standards such as PCI-DSS, HIPAA, and FISMA. Misconfiguration can hurt performance through high log volume or the overhead of matching many rules on every syscall.
CAVEATS
Requires root privileges. High rule counts can degrade performance. Rules loaded with auditctl are held in the kernel only; they persist across reboots only if auditd reloads them at startup. The kernel must be built with audit support (CONFIG_AUDIT=y).
COMMON USAGE
auditctl -l
List active rules.
auditctl -w /etc/passwd -p wa -k passwd_changes
Watch /etc/passwd for writes and attribute changes, tagging matching events with the key passwd_changes.
auditctl -a always,exit -F arch=b64 -S open -k file_open
Log every open syscall made by 64-bit (x86_64) processes, tagging matching events with the key file_open.
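The keys set with -k in the two rules above are what an analyst later filters on in /var/log/audit/audit.log. The following is an added example, not code from the audit project or from this page: it parses the key=value record format auditd writes, joins the SYSCALL, CWD and PATH records of one event through their shared audit(timestamp:serial) identifier, and reports which rule key fired, whether the login uid (auid) differs from the effective uid, and which paths were touched. The sample records are constructed for the example; field values are invented but follow the real layout. The helper names (parse_record, group_events, summarize, describe_exit) are this example's own.

```python
"""Parse auditd records and group them into events by the key set with auditctl -k.

Added example, not part of the audit project. Reads the key=value record format
auditd writes to /var/log/audit/audit.log, joins the SYSCALL/CWD/PATH records that
belong to one event via their shared audit(timestamp:serial) id, and summarises
which rule key fired, who triggered it (auid vs. uid) and which paths were touched.
"""
import errno
import re
from collections import defaultdict

# Constructed sample (values invented, layout as written by auditd):
# serial 101 comes from "-w /etc/passwd -p wa -k passwd_changes",
# serial 102 from "-a always,exit -F arch=b64 -S open -k file_open".
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1a2b3c40 a2=241 a3=1b6 items=1 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="passwd_changes"
type=CWD msg=audit(1700000000.123:101): cwd="/root"
type=PATH msg=audit(1700000000.123:101): item=0 name="/etc/passwd" inode=131 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.456:102): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc0a1b2c30 a1=0 a2=0 a3=0 items=1 ppid=900 pid=4321 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="cat" exe="/usr/bin/cat" key="file_open"
type=CWD msg=audit(1700000000.456:102): cwd="/home/alice"
type=PATH msg=audit(1700000000.456:102): item=0 name="/etc/shadow" inode=132 dev=fd:00 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
"""

# Every record starts "type=<TYPE> msg=audit(<ts>:<serial>): " followed by name=value fields.
HEADER = re.compile(r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# Field values are either double-quoted strings or bare tokens.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# auid of a process that never went through a login (daemons): 2^32 - 1.
AUID_UNSET = 4294967295


def parse_record(line):
    """Return {'type', 'ts', 'serial', 'fields'} for one record, or None if it is not audit format."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    fields = {name: value.strip('"') for name, value in FIELD.findall(m.group("body"))}
    return {"type": m.group("type"), "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def group_events(lines):
    """Join records that share an audit serial into one event; events are returned ordered by serial."""
    events = defaultdict(lambda: {"serial": None, "ts": None, "syscall": None, "cwd": None, "paths": []})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["serial"]]
        ev["serial"], ev["ts"] = rec["serial"], rec["ts"]
        if rec["type"] == "SYSCALL":
            ev["syscall"] = rec["fields"]
        elif rec["type"] == "CWD":
            ev["cwd"] = rec["fields"].get("cwd")
        elif rec["type"] == "PATH":
            ev["paths"].append(rec["fields"].get("name"))
    return [events[s] for s in sorted(events)]


def describe_exit(exit_value):
    """Map the SYSCALL exit field to an errno name for failures, or 'ok' for success."""
    code = int(exit_value)
    return "ok" if code >= 0 else errno.errorcode.get(-code, f"errno {-code}")


def summarize(events, key=None):
    """Flatten events into dicts an analyst can filter; optionally keep only one rule key."""
    rows = []
    for ev in events:
        sc = ev["syscall"]
        if sc is None:  # events without a SYSCALL record (e.g. CONFIG_CHANGE) are out of scope here
            continue
        if key is not None and sc.get("key") != key:
            continue
        auid, uid = int(sc["auid"]), int(sc["uid"])
        rows.append({
            "serial": ev["serial"],
            "key": sc.get("key"),
            "syscall": int(sc["syscall"]),
            "exit": describe_exit(sc["exit"]),
            "auid": auid,
            "uid": uid,
            # auid is the login uid; a mismatch with uid means the user changed identity (su/sudo)
            "escalated": auid != AUID_UNSET and auid != uid,
            "exe": sc.get("exe"),
            "cwd": ev["cwd"],
            "paths": ev["paths"],
        })
    return rows


if __name__ == "__main__":
    for row in summarize(group_events(SAMPLE_LOG.splitlines())):
        print(row)
```

Run against a real file with `summarize(group_events(open("/var/log/audit/audit.log")), key="passwd_changes")`. Grouping by serial rather than by line matters because the path a watch fired on is in the PATH record, not in the SYSCALL record that carries the key, and the auid/uid comparison is what distinguishes root editing /etc/passwd from a logged-in user who became root first.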
HISTORY
Developed in 2004-2005 as part of the Linux Audit project by IBM, Red Hat, and NSA for SELinux integration. Initial release in kernel 2.6.13. Enhanced in later kernels with better netlink support and syscall filtering. Widely used since audit 1.0 (2006).