Stage 3 · Build
Observability, Tracing & Security
Linux Audit Framework
Audit rules, ausearch, and compliance reporting — tracking every security-relevant event.
Audit Framework Overview
The Linux audit framework tracks security-relevant events: file access, syscall usage, authentication, and privilege escalation. It is essential for compliance (PCI-DSS, HIPAA, SOC2) and incident response.
# Check if auditd is running
sudo systemctl status auditd
# ● auditd.service - Security Audit Logging Service
# Active: active (running)
# View audit log
sudo ausearch -ts recent
# type=PROCTITLE msg=audit(1705312200.123:456): proctitle="/usr/sbin/sshd -D"
# type=USER_AUTH msg=audit(1705312200.124:457): pid=1234 uid=0 auid=1000
# type=USER_ACCT msg=audit(1705312200.125:458): pid=1234 uid=0 auid=1000auditd is the audit daemon that collects and logs audit events. Events are stored in /var/log/audit/audit.log in binary format.
Writing Audit Rules
# View current rules
sudo auditctl -l
# -w /etc/passwd -p wa -k passwd_changes
# -w /etc/shadow -p wa -k shadow_changes
# -a always,exit -F arch=b64 -S execve -k exec_log
# Watch a file for changes
sudo auditctl -w /etc/passwd -p wa -k passwd_changes
# -w = watch path
# p = permissions (r=read, w=write, x=execute, a=attribute)
# k = key (label for searching)
# Watch a directory
sudo auditctl -w /etc/ssh/ -p war -k ssh_config
# Log all sudo usage
sudo auditctl -a always,exit -F arch=b64 -S execve -F euid=0 -k sudo_usage
# Log all network connections
sudo auditctl -a always,exit -F arch=b64 -S connect -k network_connectAudit rules define what events to capture. Use -w for file watches and -a for syscall auditing. Keys help you search for related events.
Searching Audit Logs
# Search by key
sudo ausearch -k passwd_changes
# Search by time range
sudo ausearch -ts today -te now
# Search by user
sudo ausearch -ua 1000
# Search by PID
sudo ausearch -pi 1234
# Search by syscall
sudo ausearch -sc execve
# Raw output for custom parsing
sudo ausearch -k passwd_changes --raw
# Interpret results
sudo ausearch -k passwd_changes -i
# type=PATH msg=audit(1705312200.123:456): item=0 name="/etc/passwd" ...ausearch filters audit logs by key, time, user, PID, or syscall. Use -i for interpreted output and --raw for machine-readable format.
Generating Reports
# Authentication report
sudo aureport -a
# Date Time Event Success Exe auid
# 2024-01-15 10:30:00 USER_AUTH yes /usr/sbin/sshd 1000
# File access report
sudo aureport -f
# File Summary Report
# ========================================
# total file
# 234 /etc/passwd
# Login report
sudo aureport -l
# Login Report
# ========================================
# Date Time Account Host Terminal Success
# 2024-01-15 10:30:00 root 10.0.0.1 pts/0 yes
# Syscall report
sudo aureport -s --summary
# Syscall Summary Report
# ========================================
# total syscall
# 1234 execve
# 567 read
# 89 writeaureport generates summary reports from audit logs. Use it for compliance reporting and daily security summaries.
auditd Configuration
# Main config file
cat /etc/audit/auditd.conf
# log_file = /var/log/audit/audit.log
# max_log_file = 50 # MB
# num_logs = 5 # Keep 5 rotated logs
# max_log_file_action = ROTATE
# Rules file
cat /etc/audit/audit.rules
# -w /etc/passwd -p wa -k identity
# -w /etc/group -p wa -k identity
# -w /etc/shadow -p wa -k identity
# -a always,exit -F arch=b64 -S execve -k exec
# Reload rules
sudo augenrules --load
# or
sudo service auditd restartaudit.rules is read at boot. augenrules merges system and local rules. Restart auditd to apply manual changes.
Compliance Use Cases
- PCI-DSS 10.2 — Log all access to cardholder data
- HIPAA 164.312 — Log access to ePHI
- SOC2 CC6.1 — Log logical access to systems
- CIS Benchmark — Monitor file permission changes
- SOC2 CC7.2 — Monitor for anomalies
Define audit keys for each compliance requirement (pci_access, hipaa_access, etc.). This makes it easy to generate targeted reports for auditors.
Monitor /var/log/audit/ disk usage. Configure log rotation and retention in auditd.conf. Use aureport --summary to check log volume regularly.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.