What it is
The auditctl command is used to control the Linux Audit Daemon (auditd), allowing you to define rules for what system events should be logged and how. You reach for it when you need to track specific security-relevant actions on your system, like file access, system calls, or user logins.
Installation
Linux:
The audit daemon and auditctl are typically part of the audit package, which is often pre-installed on many distributions. If not, you can install it using your package manager:
- Debian/Ubuntu:
sudo apt update
sudo apt install auditd audispd-plugins
- RHEL/CentOS/Fedora:
sudo yum install audit    # or: sudo dnf install audit
Mac/Windows:
auditctl is a Linux-specific tool. There is no direct equivalent or installation method for macOS or Windows. For security auditing on these platforms, you would use their native tools (e.g., macOS’s unified logging, Windows Event Viewer and security policies).
Core Concepts
- Rules: The heart of the audit system. Rules define what events to watch for. There are several types of rules:
- File System Rules (watch rules): Monitor access to specific files or directories.
- System Call Rules: Monitor the execution of specific system calls.
- Exit Rules: System call rules evaluated on the exit filter list, so they can match on the success or failure of the call (e.g., -F success=0).
- User-Defined Rules: Custom rules for specific scenarios, such as filtering messages sent from user space or tuning the audit system itself.
- Audit Daemon (auditd): The background service that collects events based on the rules defined by auditctl and writes them to disk.
- Audit Log (/var/log/audit/audit.log): Where auditd writes the collected events.
- Audit Event: A record of a specific system activity that matches an audit rule. Events can be composed of multiple records that share one event ID (e.g., a system call rule on execve generates a SYSCALL record together with EXECVE, CWD, PATH and PROCTITLE records).
- Fields: Each audit event record contains various fields providing context (e.g., type, pid, uid, gid, syscall, exe, comm, key, arch).
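The multi-record events and the fields listed above are easiest to understand by splitting a log apart. The following helpers are an added example, not part of the original cheat sheet: the audit records are constructed for illustration, and the two functions group records by event serial and count SYSCALL records per key, user and outcome.

```shell
# Added example, not from the original page: offline triage of audit.log lines.
# A few constructed records (two events, identified by the serial after the
# colon in msg=audit(TIME:SERIAL)) stand in for a real log; the field names are
# the ones listed above (type, pid, uid, syscall, exe, comm, key, success).
sample_log() {
  cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 comm="sudo" exe="/usr/bin/sudo" key="sudo_execution"
type=EXECVE msg=audit(1700000000.101:501): argc=3 a0="sudo" a1="systemctl" a2="status"
type=CWD msg=audit(1700000000.101:501): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:501): item=0 name="/usr/bin/sudo" inode=1234 mode=0104755
type=SYSCALL msg=audit(1700000000.250:502): arch=c000003e syscall=257 success=no exit=-13 ppid=2001 pid=2010 auid=1000 uid=1000 gid=1000 comm="vim" exe="/usr/bin/vim" key="passwd_changes"
type=PATH msg=audit(1700000000.250:502): item=0 name="/etc/passwd" inode=4321 mode=0100644
EOF
}

# event_records FILE SERIAL -> every record belonging to one event
event_records() {
  grep -E "msg=audit\([0-9.]+:$2\):" "$1"
}

# summarize_by_key FILE -> one line per (key, uid, comm, success) with a count.
# Only the SYSCALL record carries the key; companion records are joined by serial.
summarize_by_key() {
  awk '
    $1 == "type=SYSCALL" {
      key = uid = comm = ok = ""
      for (i = 2; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "key") key = kv[2]
        else if (kv[1] == "uid") uid = kv[2]      # exact name: not auid/euid
        else if (kv[1] == "comm") comm = kv[2]
        else if (kv[1] == "success") ok = kv[2]
      }
      gsub(/"/, "", key); gsub(/"/, "", comm)
      n[key " uid=" uid " comm=" comm " success=" ok]++
    }
    END { for (k in n) print n[k], k }' "$1" | sort
}
```

On a live host, ausearch -k KEY and aureport -k give the same views over /var/log/audit/audit.log; the awk form is for log copies pulled off a system.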
Commands / Usage
Managing Rules
- Add a watch rule for a file:
sudo auditctl -w /etc/passwd -p rwa -k passwd_changes
Watch /etc/passwd for read, write, and attribute changes, and label these events with the key passwd_changes.
- Add a watch rule for a directory (recursive):
sudo auditctl -w /var/www/html/ -p r -k web_read
Watch the /var/www/html/ directory and all its contents for read access, labeling events with web_read.
- Add a system call rule (all occurrences):
sudo auditctl -a always,exit -F arch=b64 -S openat -k file_open
Log every openat system call made by 64-bit (b64) programs, recorded at syscall exit whether the call succeeded or failed, labeling events with file_open. 32-bit callers are only covered by a second rule with -F arch=b32.
- Add a system call rule (specific user ID):
sudo auditctl -a always,exit -F arch=b64 -S execve -F uid=1000 -k user_exec
Log all execve system calls made with user ID 1000 on 64-bit systems, labeling events with user_exec.
- Add a system call rule (specific executable):
sudo auditctl -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -k sudo_execution
Log all execve system calls of the /usr/bin/sudo executable on 64-bit systems, labeling events with sudo_execution.
- Add a rule for a specific syscall number (e.g., chmod is syscall 90 on x86_64):
sudo auditctl -a always,exit -F arch=b64 -S 90 -k chmod_syscall
Log all chmod system calls (syscall number 90) for 64-bit architectures, labeling events with chmod_syscall. Syscall numbers differ between architectures, so the name (-S chmod) is safer than the number.
- Add a rule for a specific message type (e.g., USER_AUTH):
sudo auditctl -a always,user -F msgtype=USER_AUTH
Match user-space records of type USER_AUTH (user authentication). The msgtype field is only accepted on the user and exclude filter lists, not on the exit list; with -a always,exclude the same field drops a record type from the log instead. SYSCALL records carry the type number 1300 in the kernel's numbering, but auditctl has no separate audit= field: filtering by record type always goes through msgtype.
- Remove a specific rule: auditctl has no rule numbers; a rule is deleted by repeating its definition, with -W for a watch and -d for a syscall rule (auditctl -l prints loaded rules in the same syntax, so the line can be copied from its output):
sudo auditctl -W /etc/passwd -p rwa -k passwd_changes
sudo auditctl -d always,exit -F arch=b64 -S openat -k file_open
Delete the passwd_changes watch and the file_open syscall rule added above.
- Remove all rules:
sudo auditctl -D
Delete all currently loaded rules, watch and syscall rules alike. This fails once the configuration has been locked with -e 2.
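Rules loaded with auditctl as above are lost at reboot; the persistent form is a rules file under /etc/audit/rules.d/ that augenrules assembles and loads. The helpers below are an added example, not part of the original cheat sheet or the audit project: they emit rule lines in that file format from the same arguments used in the commands above, and the file name in the usage note is an assumption.

```shell
# Added example (not from the original page): build a persistent audit rules
# file from the cheat sheet's rules. Rules loaded with auditctl vanish at
# reboot; augenrules --load reads /etc/audit/rules.d/*.rules at boot instead.

# watch_rule PATH PERMS KEY -> one -w line
watch_rule() {
  printf '%s %s -p %s -k %s\n' '-w' "$1" "$2" "$3"
}

# syscall_rule SYSCALLS KEY [FIELD=VALUE...] -> one line per arch.
# A b64 rule never matches a 32-bit caller, so both ABIs are emitted.
syscall_rule() {
  syscalls="$1"; key="$2"; shift 2
  for arch in b64 b32; do
    printf '%s always,exit -F arch=%s -S %s' '-a' "$arch" "$syscalls"
    for filt in "$@"; do printf ' -F %s' "$filt"; done
    printf ' -k %s\n' "$key"
  done
}

# build_rules -> a complete rules file: reset, tune, rules, then lock.
build_rules() {
  printf '%s\n' '-D' '-b 8192'   # clear old rules, raise backlog before loading
  watch_rule /etc/passwd rwa passwd_changes
  watch_rule /var/www/html/ r web_read
  syscall_rule execve sudo_execution exe=/usr/bin/sudo
  syscall_rule openat,unlink file_changes uid=1000
  printf '%s\n' '-e 2'           # lock: no further rule changes until reboot
}

# lint_rules FILE -> 1 if any -w/-a rule lacks a key or any -a rule lacks an arch.
# Runs without root, so it fits a CI check on the rules file.
lint_rules() {
  if grep -E '^-(w|a) ' "$1" | grep -qv -- ' -k '; then
    echo "rule without -k key" >&2; return 1
  fi
  if grep -E '^-a ' "$1" | grep -qv -- '-F arch='; then
    echo "syscall rule without -F arch" >&2; return 1
  fi
  return 0
}
```

As root, build_rules > /etc/audit/rules.d/50-local.rules && augenrules --load installs the file; once the -e 2 line has been loaded, further augenrules --load attempts fail until reboot, so test the file without that line first.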
Viewing Rules and Status
- List all currently loaded rules:
sudo auditctl -l
Display the active audit rules, one per line, in the same syntax used to load them.
- List rules carrying a given key:
sudo auditctl -l -k passwd_changes
Display only the rules labelled with the key passwd_changes.
- Get the current status of the audit system:
sudo auditctl -s
Show whether auditing is enabled (0 = disabled, 1 = enabled, 2 = locked), the pid of auditd (0 when no daemon is running), the rate and backlog limits, and the lost-event and current backlog counters.
Controlling the Daemon
- Enable auditing:
sudo auditctl -e 1
Enable the kernel audit subsystem so rules are evaluated and events delivered to auditd.
- Disable auditing:
sudo auditctl -e 0
Temporarily disable auditing; loaded rules stay in place but no events are generated.
- Lock the configuration:
sudo auditctl -e 2
Make the audit configuration immutable: no rules can be added or removed and the flag cannot be cleared until reboot. This is normally the last line of a rules file.
- Set the backlog limit:
sudo auditctl -b 8192
Set the kernel's audit event backlog queue size to 8192 events.
Rule Options and Fields
- Permissions for watch rules (-p): r = read, w = write, x = execute, a = attribute change (e.g., chmod, chown).
- Action and list for syscall rules (-a appends the rule, -A inserts it at the top), written as action,list:
always: generate an audit record when the rule matches.
never: match but generate no record; put suppressions before the always rules they are meant to override.
exit: evaluate at system call exit, so successful and failed calls are both seen.
task: evaluate when a process is created (fork/clone).
user: evaluate messages submitted from user space.
exclude: drop records of the given msgtype.
- Architecture (-F arch=): b32 (32-bit ABI), b64 (64-bit ABI), or a machine name such as x86_64 or i386. Syscall numbers differ between ABIs, so every syscall rule should name an arch.
- System Call Name (-S): execve, openat, chmod, unlink, connect, or several at once as a comma-separated list (-S execve,openat). Many others exist; consult man 2 syscalls for your architecture.
- File System Object (-w): Path to a file or directory.
- Key (-k): A user-defined string to label events, making them easier to search in logs (ausearch -k KEY).
- User ID (-F uid=): 0 = root user, 1000 = a specific user ID. uid is the real user ID of the calling process; auid (the login UID) survives su and sudo and is usually the better field for attributing actions to a person.
- Group ID (-F gid=): 0 = root group, 100 = a specific group ID.
- Executable Path (-F exe=): Path to the executable file.
- Message Type (-F msgtype=): USER_AUTH, CRED_DISP, SYSCALL, and many others (consult ausearch -m help). Only valid on the user and exclude filter lists.
- Record type numbers: every record type also has a numeric code in the kernel's audit headers (SYSCALL is 1300). auditctl has no separate audit= field for it, so filtering by type uses -F msgtype= above, and ausearch -m accepts the names.