Introduction

Monitoring critical system activities is essential for maintaining security, troubleshooting incidents, and ensuring compliance. Linux provides a powerful auditing framework called auditd that records system calls, file changes, command executions, and authentication activities.

In this guide, we will walk through the steps to install auditd, configure auditing rules, and monitor important system activities such as file modifications, SSH commands, and MySQL client usage.

1. Install Auditd

Install the audit daemon package.

sudo apt update
sudo apt install auditd audispd-plugins -y

Start and enable the service:

sudo systemctl enable auditd
sudo systemctl start auditd

Verify service status:

sudo systemctl status auditd

2. Verify Auditd Installation

Check whether audit rules are currently loaded.

sudo auditctl -l

If auditd is working properly, the command will display the currently active audit rules.

3. Configure Audit Rules

Audit rules define what activities should be logged. These rules are usually stored in:

/etc/audit/rules.d/

Create a custom rules file.

sudo vi /etc/audit/rules.d/custom.rules

4. Monitor File Creation and Modification

To track file activities inside important directories such as /home, /etc, /tmp, /root, and /var/www, add the following rules.

-a always,exit -F arch=b64 -S open,openat,creat,truncate,ftruncate -F dir=/home -F perm=w -k file_mod_home
-a always,exit -F arch=b64 -S open,openat,creat,truncate,ftruncate -F dir=/etc -F perm=w -k file_mod_etc
-a always,exit -F arch=b64 -S open,openat,creat,truncate,ftruncate -F dir=/tmp -F perm=w -k file_mod_tmp
-a always,exit -F arch=b64 -S open,openat,creat,truncate,ftruncate -F dir=/root -F perm=w -k file_mod_root
-a always,exit -F arch=b64 -S open,openat,creat,truncate,ftruncate -F dir=/var/www -F perm=w -k file_mod_www

These rules capture:

  • File creation
  • File modification
  • File truncation
  • File writes

5. Monitor Permission and Ownership Changes

To track permission and ownership changes:

-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -k perm_changes
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -k owner_changes

6. Monitor SSH Command Execution

To capture commands executed through SSH sessions, log every execve call (note that this rule is not limited to SSH: it records every program execution on the host, so expect a high log volume and narrow searches by auid or session id):

-a always,exit -F arch=b64 -S execve -k ssh_commands

This helps identify:

  • Commands executed by users
  • Script executions
  • Scheduled tasks triggered through shells

7. Monitor MySQL Client Usage

To record launches of the MySQL command-line client:

-a always,exit -F arch=b64 -S execve -F path=/usr/bin/mysql -k mysql_client_usage

This rule records each time someone launches the MySQL command-line client to connect to the database.

Example log output:

type=EXECVE msg=audit(…): argc=4 a0=mysql a1=-u a2=root a3=-p

8. Monitor MySQL Configuration Changes

To watch the MySQL configuration directory:

-w /etc/mysql/ -p wa -k mysql_config_changes

This logs:

  • Configuration modifications
  • File attribute changes

9. Load Audit Rules

After adding rules, load them using:

sudo augenrules --load

Restart auditd:

sudo systemctl restart auditd

Verify rules:

sudo auditctl -l

10. Testing the Audit Rules

Create a test file:

touch /home/audit_test.txt

Modify it:

echo "test data" >> /home/audit_test.txt

Check logs:

ausearch -k file_mod_home -i

Example log:

type=PATH msg=audit(…): name=/home/audit_test.txt nametype=CREATE

11. Searching Audit Logs

Audit events are written to:

/var/log/audit/audit.log

Search by key:

ausearch -k ssh_commands -i

Search by time range:

ausearch -k ssh_commands -ts 03/05/26 10:00:00 -te 03/05/26 10:30:00 -i
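As an added example that is not part of the original guide, the following Python parser groups raw audit.log records by event serial, pulls the -k key, rebuilds the EXECVE command line and the PATH entries, and filters by key the way ausearch -k does; the sample records are constructed and the field layout assumed is the standard auditd one.

```python
import re
from collections import defaultdict
# Constructed sample of raw /var/log/audit/audit.log records (not real log data).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1709631600.123:4201): arch=c000003e syscall=59 success=yes exit=0 ppid=1400 pid=1452 auid=1000 uid=1000 tty=pts0 ses=3 comm="mysql" exe="/usr/bin/mysql" key="mysql_client_usage"
type=EXECVE msg=audit(1709631600.123:4201): argc=4 a0="mysql" a1="-u" a2="root" a3="-p"
type=SYSCALL msg=audit(1709631605.456:4202): arch=c000003e syscall=257 success=yes exit=3 ppid=1400 pid=1460 auid=1000 uid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="file_mod_home"
type=PATH msg=audit(1709631605.456:4202): item=1 name="/home/audit_test.txt" nametype=CREATE
"""
# Every record of one event shares the same audit(<epoch>:<serial>) id.
_HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def _decode(value):
    """auditd prints simple strings in quotes and anything else as bare hex; undo both."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def group_events(log_text):
    """Parse raw records and group them by serial (SYSCALL + its EXECVE/PATH records)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = _HEADER.match(line)
        if m:
            rtype, ts, serial, body = m.groups()
            events[int(serial)].append({"type": rtype, "ts": float(ts),
                                        "fields": dict(_FIELD.findall(body))})
    return events

def events_for_key(log_text, key):
    """Summarise events tagged with the given -k key, much like ausearch -k does."""
    out = []
    for serial, records in sorted(group_events(log_text).items()):
        sc = next((r["fields"] for r in records if r["type"] == "SYSCALL"), None)
        if sc is None or sc.get("key", "").strip('"') != key:
            continue
        ev = {"serial": serial, "auid": sc.get("auid"), "uid": sc.get("uid"),
              "exe": sc.get("exe", "").strip('"'), "command": None, "paths": []}
        for r in records:
            flds = r["fields"]
            if r["type"] == "EXECVE":  # rebuild argv from a0..a{argc-1}
                ev["command"] = " ".join(_decode(flds[f"a{i}"]) for i in range(int(flds["argc"])))
            elif r["type"] == "PATH":  # which file the syscall touched, and how
                ev["paths"].append((_decode(flds.get("name", '""')), flds.get("nametype")))
        out.append(ev)
    return out
```

Feed it the contents of /var/log/audit/audit.log and a key from your rules file to get one summary per event, with the EXECVE arguments joined back into the command that was run.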

12. Audit Log Retention

Audit log rotation is controlled by:

/etc/audit/auditd.conf

Example configuration:

max_log_file = 100
num_logs = 7
max_log_file_action = ROTATE

This means:

  • Each log file = 100 MB
  • Maximum rotated logs = 7
  • Total storage ≈ 700 MB

Older logs are automatically rotated when the limit is reached.

Conclusion

Auditd provides a powerful way to monitor system activity and improve server security. By implementing targeted audit rules, administrators can track file changes, command executions, authentication events, and database access. Proper configuration and log monitoring can significantly improve incident investigation and compliance visibility.
