Auditd Tool for Security Auditing on Linux Server
Last Updated: 01 Dec, 2022
Auditd is short for Linux Audit Daemon, a tool in Linux used for collecting and writing the system's audit log files. The term "daemon" is used for processes that run in the background as a service, which means this tool operates continuously behind the scenes.
Below are some important features of the Auditd system:
- It is a self-reliant tool that does not depend on external programs.
- It is highly configurable, allowing us to watch a wide range of system operations.
- Potential threats can also be detected with the help of this tool.
- It can work in sync with other intrusion detection systems to find out about intruders.
- Forensic audits also rely on this tool.
Note: We are using the OS as the root user, so we are not writing sudo everywhere.
Installing Auditd on the system:
This tool can be installed using apt-get or wajig, both of which are used for downloading packages on Linux. For the purpose of demonstration, let us search and see what the result of searching for auditd is:
wajig search auditd
It says "user space tools for security auditing". This is the same thing that we discussed in the intro section.
Use the below command to install auditd on your system:
apt-get install auditd
Confirm whether it is installed successfully or not:
auditctl -l
If a message like this is obtained, then auditd is installed successfully. Currently it says "No Rules"; let us understand that in the next section.
Understanding How Auditd works:
Understanding audit files and access to directories:
The most basic thing that can be done with the help of Auditd is to be informed when someone alters a file or a directory. But how can we do that? Use the below command:
auditctl -w /etc/passwd -p rwxa
Understanding the flags used:
- -w flag: inserts a watch for the filesystem object at the given path.
- -p flag: defines the type of permission access to watch for on that filesystem object.
- rwxa: the access types bound to the -p flag, i.e. read, write, execute and attribute change.
Auditing directories:
Let us create a sample directory named tempdir for the purpose of auditing it. Use the below command to audit this directory:
auditctl -w /tempdir/
With the above command, the auditd tool will keep a watch over access to this directory. Let us run the auditctl -l command once again:
auditctl -l
You can see that previously the message said "No Rules", but now some new rules have been added.
Viewing the Logs which are created:
After creating some rules, we can view the logs with the help of the auditd tool. Auditd provides a special tool for this called ausearch. To view the logs, type the below command:
ausearch -f /etc/passwd
To see the audit logs of tempdir, use the below command; the audit log files are stored at /var/log/audit/audit.log.
tail -5 /var/log/audit/audit.log
You can see the audit logs of the tempdir that we created.
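As an added example (not part of the original article), here is a small Python parser for the audit.log format shown above: it ties each SYSCALL record to its PATH records by event serial and reports who touched the paths covered by the -w rules, distinguishing the login user (auid) from the effective uid so that a root action by an ordinary user after su or sudo is still attributed to that user. The log lines are constructed, not captured from a real host.

```python
import re
from collections import defaultdict
# Constructed audit.log records (not captured from a real host): event 456 = login user 1000,
# running as root, reads /etc/passwd; 457 = same user as uid 1000 is denied a write; 458 = file created in /tempdir/.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1669900000.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0a1a2b0 a2=0 a3=0 items=1 ppid=1200 pid=1345 auid=1000 uid=0 gid=0 euid=0 egid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1669900000.123:456): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1669900000.200:457): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d0c0a1a2b0 a2=241 a3=1b6 items=1 ppid=2200 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 egid=1000 tty=pts1 ses=4 comm="vim" exe="/usr/bin/vim" key=(null)
type=PATH msg=audit(1669900000.200:457): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1669900000.300:458): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd1a2b3c4d a2=241 a3=1b6 items=2 ppid=1200 pid=1350 auid=1000 uid=0 gid=0 euid=0 egid=0 tty=pts0 ses=3 comm="touch" exe="/usr/bin/touch" key=(null)
type=PATH msg=audit(1669900000.300:458): item=0 name="/tempdir/" inode=2000 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1669900000.300:458): item=1 name="/tempdir/notes.txt" inode=2001 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
"""

# Each record carries type=... and an audit(timestamp:serial) stamp; records of one event share the serial.
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by serial: {serial: {"SYSCALL": fields or None, "PATH": [fields, ...]}}."""
    events = defaultdict(lambda: {"SYSCALL": None, "PATH": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # tolerate lines we do not understand instead of aborting
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if rtype == "SYSCALL":
            events[int(serial)]["SYSCALL"] = fields
        elif rtype == "PATH":
            events[int(serial)]["PATH"].append(fields)
    return dict(events)

def summarize_watched(text, watched=("/etc/passwd", "/tempdir/")):
    """One summary per event that touched a path covered by the page's -w rules."""
    out = []
    for serial, ev in sorted(parse_events(text).items()):
        sc, names = ev["SYSCALL"], [p["name"] for p in ev["PATH"] if "name" in p]
        if sc is None or not any(n.startswith(w) for n in names for w in watched):
            continue
        auid = sc.get("auid", "")
        out.append({
            "serial": serial,
            "login_user": "unset" if auid == "4294967295" else auid,  # auid survives su/sudo; -1 = no login session
            "uid": sc.get("uid"),
            "comm": sc.get("comm"),
            "success": sc.get("success") == "yes",
            "paths": names,
        })
    return out
```

Event 457 (success=no, exit=-13) is the denied write that a watch on /etc/passwd exists to catch; feeding the real /var/log/audit/audit.log into summarize_watched gives the same per-event view that tail -5 shows only as raw records.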
Viewing the audit reports which are created:
Auditd also provides a tool for keeping track of all our audit logs and changes, called aureport. This tool gives us a complete summary of the reports from the audit log. Use the below command to get audit reports:
aureport
We can use this command with the -au flag to see authentication attempts, including which users were unable to log in successfully.
aureport -au
"No" in the output indicates a failed login attempt.
To see complete details about all the modifications, we can use the aureport command with the -m flag.
aureport -m
The Auditd configuration file:
To see the Auditd config file, type the below command:
vi /etc/audit/rules.d/audit.rules
Until now we have created a couple of rules; if we want to make them permanent, we can add those rules to this config file. Add your created rules and save the file:
After permanently adding the rules to the file and saving it, restart the auditd daemon for those changes to take effect.
service auditd restart
This is how you can audit files and directories on your system. There are many more options in Auditd, but discussing all of them here is not possible; if you want to learn more, you can read about auditd in its manual page.