
Linux Auditd Logs on Debian

Linux Auditd Logs

Auditd

Overview

  • Auditd collects security/audit events: who did what and how, including syscalls and file watches

  • Journald collects operational logs: service activity, messages and errors

Logs are written to /var/log/audit/audit.log and can either be collected by Promtail/Loki or forwarded to a central Auditd server, where tools like ausearch and aureport can be used for analysis.


Installation

# Install packages
sudo apt install auditd audispd-plugins -y

# Start now and enable at boot
sudo systemctl start auditd &&
sudo systemctl enable auditd
  • auditd: Main auditing daemon

  • audispd: Event dispatcher

  • audispd-plugins: Plugins like syslog forwarding


Status

# List status
sudo systemctl status auditd

# Shell output:
● auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; preset: enabled)
     Active: active (running) since Mon 2025-12-01 18:15:26 CET; 6s ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 51767 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
    Process: 51771 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
   Main PID: 51768 (auditd)
      Tasks: 2 (limit: 4608)
     Memory: 740.0K
        CPU: 15ms
     CGroup: /system.slice/auditd.service
             └─51768 /sbin/auditd

Dec 01 18:15:26 debian-05 augenrules[51781]: enabled 1
Dec 01 18:15:26 debian-05 augenrules[51781]: failure 1
Dec 01 18:15:26 debian-05 augenrules[51781]: pid 51768
Dec 01 18:15:26 debian-05 augenrules[51781]: rate_limit 0
Dec 01 18:15:26 debian-05 augenrules[51781]: backlog_limit 8192
Dec 01 18:15:26 debian-05 augenrules[51781]: lost 0
Dec 01 18:15:26 debian-05 augenrules[51781]: backlog 4
Dec 01 18:15:26 debian-05 augenrules[51781]: backlog_wait_time 60000
Dec 01 18:15:26 debian-05 augenrules[51781]: backlog_wait_time_actual 0
Dec 01 18:15:26 debian-05 systemd[1]: Started auditd.service - Security Auditing Service.
  • failure 1: failure mode “1” logs a failure message and keeps running



Configuration

Overview

  • /etc/audit/auditd.conf: Main daemon settings (log location, size, etc.)

  • /etc/audit/audit.rules: Old-style rules file (still works, but augenrules --load regenerates it from rules.d, so edit rules.d instead)

  • /etc/audit/rules.d/*.rules: Directory for new-style rules (recommended)


Main Configuration: auditd.conf

#
# This file controls the configuration of the audit daemon
#

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = adm
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
name_format = NONE
##name = mydomain
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
transport = TCP
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
q_depth = 2000
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
end_of_event_timeout = 2
  • max_log_file = 8 Max size of logfile in MB

  • num_logs = 5 Number of logfiles for rotation

  • max_log_file_action = ROTATE Action if the size of a logfile is over the limit: IGNORE, SYSLOG, SUSPEND, ROTATE, KEEP_LOGS

  • name_format = NONE Hostname in logfiles: NONE, HOSTNAME, FQD, NUMERIC, USER


Rules

Create Rule

sudo vi /etc/audit/rules.d/locker-audit.rules

# Remove any existing rules
-D

# Backlog events the kernel can queue
-b 1024

# Failure mode - print a failure message
-f 1

# Credential, user, group and login files and the tools that modify them
-w /etc/passwd -p wa -k etcpasswd
-w /etc/shadow -p wa -k etcpasswd
-w /etc/group -p wa -k etcgroup
-w /etc/gshadow -p wa -k etcgroup
-w /usr/bin/passwd -p x -k passwd_modification
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification
-w /etc/ssh/sshd_config -k sshd

# sudo
-w /etc/sudoers -p wa -k priv_esc
-w /etc/sudoers.d -p wa -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /bin/su -p x -k priv_esc

# pam configuration
-w /etc/pam.d/ -p wa -k pam

# Failed access attempts on critical directories (success=0 matches only failed opens)
-a exit,always -F arch=b64 -S open -S openat -S open_by_handle_at -F dir=/etc -F success=0 -k unauthed_file_access
-a exit,always -F arch=b64 -S open -S openat -S open_by_handle_at -F dir=/var -F success=0 -k unauthed_file_access

# network configurations
-w /etc/hosts -p wa -k hosts
-w /etc/network/ -p wa -k network

# Lock the configuration (immutable until reboot); keep this as the last rule
-e 2
  • -b 1024 Number of audit backlog events the kernel can queue before dropping them

  • -w /etc/passwd: Any process that touches the file in the specified ways will be logged

  • -p wa: “w” a process writes to the file; “a” the file's attributes (permissions, owner, timestamps) change. If -p is omitted, as for /etc/ssh/sshd_config above, the watch defaults to rwxa and every read is logged as well — which is why auditctl -l shows -p rwxa for that rule.

  • -k etcpasswd Adds a key (tag) to the rule so matching events can be filtered with ausearch -k

  • -e 2: “0” disables the audit system, “1” enables it, “2” locks the configuration until reboot. Once locked, rule reloads and auditctl -D are refused, so keep this as the last line of the rules file.


Apply Rules

# Apply rule
sudo augenrules --load

# Alternative: Restart the service
sudo systemctl restart auditd
# Verify the loaded rules
sudo auditctl -l

# Shell output:
-w /etc/passwd -p wa -k etcpasswd
-w /etc/shadow -p rwxa -k etcpasswd
-w /etc/group -p wa -k etcgroup
...



Auditd Commands

Auditd Status

# List status
sudo auditctl -s

# Shell output:
enabled 1
failure 1
pid 273088
rate_limit 0
backlog_limit 1024
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
loginuid_immutable 0 unlocked

List Rules

# List current rules
sudo auditctl -l

# Shell output:
-w /etc/passwd -p wa -k etcpasswd
-w /etc/shadow -p wa -k etcpasswd
-w /etc/group -p wa -k etcgroup
-w /etc/gshadow -p wa -k etcgroup
-w /usr/bin/passwd -p x -k passwd_modification
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification
-w /etc/ssh/sshd_config -p rwxa -k sshd
-w /etc/sudoers -p wa -k priv_esc
-w /etc/sudoers.d -p wa -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /bin/su -p x -k priv_esc
-w /etc/pam.d -p wa -k pam
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F dir=/etc -F success=0 -F key=unauthed_file_access
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F dir=/var -F success=0 -F key=unauthed_file_access
-w /etc/hosts -p wa -k hosts
-w /etc/network -p wa -k network

Delete Rule

# Delete all loaded rules: temporary until the next augenrules --load or reboot; refused while the configuration is locked with -e 2
sudo auditctl -D



Reports

All Events

# Summary report: All events
sudo aureport

# Shell output:
Summary Report
======================
Range of time in logs: 12/03/25 09:56:50.646 - 12/03/25 09:59:41.056
Selected time for report: 12/03/25 09:56:50 - 12/03/25 09:59:41.056
Number of changes in configuration: 33
Number of changes to accounts, groups, or roles: 0
Number of logins: 1
Number of failed logins: 0
Number of authentications: 1
Number of failed authentications: 0
Number of users: 3
Number of terminals: 6
Number of host names: 2
Number of executables: 6
Number of commands: 7
Number of files: 14
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of integrity events: 0
Number of virt events: 0
Number of keys: 12
Number of process IDs: 19
Number of events: 110

Login and User Reports

# Summary report: Login events
sudo aureport -l

# Shell output:
Login Report
============================================
# date time auid host term exe success event
============================================
1. 12/03/25 09:58:39 1000 10.17.0.1 /dev/pts/0 /usr/sbin/sshd yes 103
# Summary report: User authentication events
sudo aureport -au

# Shell output:
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 12/03/25 09:58:38 locker 10.17.0.1 ssh /usr/sbin/sshd yes 90
  • yes: The authentication succeeded

  • no: The authentication failed

Print the full details of event number 90:

# List Event details
sudo ausearch --event 90 -i

# Shell output:
node=lockerK1 type=USER_AUTH msg=audit(12/03/25 09:58:38.659:90) : pid=274258 uid=root auid=unset ses=unset subj=unconfined msg='op=PAM:authentication grantors=pam_permit acct=locker exe=/usr/sbin/sshd hostname=10.17.0.1 addr=10.17.0.1 terminal=ssh res=success'
# Summary report: User activity
sudo aureport -u

# Shell output:
...
190. 12/03/25 10:08:05 1000 /dev/pts/0 ? /usr/bin/sudo 198
191. 12/03/25 10:08:05 1000 /dev/pts/0 ? /usr/bin/sudo 199


# List Event details
sudo ausearch --event 199 -i

# Shell output:
node=lockerK1 type=USER_START msg=audit(12/03/25 10:08:05.377:199) : pid=281481 uid=locker auid=locker ses=156 subj=unconfined msg='op=PAM:session_open grantors=pam_limits,pam_permit,pam_unix acct=root exe=/usr/bin/sudo hostname=? addr=? terminal=/dev/pts/0 res=success'

File Access

# Summary report: File access / modification events
sudo aureport -f

# Shell output:
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 12/03/25 09:57:03 /etc/ 44 yes /usr/sbin/auditctl -1 57
2. 12/03/25 09:57:03 /etc/ 44 yes /usr/sbin/auditctl -1 58
3. 12/03/25 09:57:03 /etc/ 44 yes /usr/sbin/auditctl -1 59
4. 12/03/25 09:57:03 /usr/bin/ 44 yes /usr/sbin/auditctl -1 60
5. 12/03/25 09:57:03 /usr/sbin/ 44 yes /usr/sbin/auditctl -1 61
6. 12/03/25 09:57:03 /usr/sbin/ 44 yes /usr/sbin/auditctl -1 62
7. 12/03/25 09:57:03 /usr/sbin/ 44 yes /usr/sbin/auditctl -1 63
8. 12/03/25 09:57:03 /usr/sbin/ 44 yes /usr/sbin/auditctl -1 64
9. 12/03/25 09:57:03 /usr/sbin/ 44 yes /usr/sbin/auditctl -1 65
10. 12/03/25 09:57:03 /usr/sbin/ 44 yes /usr/sbin/auditctl -1 66
11. 12/03/25 09:57:03 /etc/ssh/ 44 yes /usr/sbin/auditctl -1 67
12. 12/03/25 09:57:03 /etc/ 44 yes /usr/sbin/auditctl -1 68
13. 12/03/25 09:57:03 /etc/sudoers.d 44 yes /usr/sbin/auditctl -1 69
14. 12/03/25 09:57:03 /usr/bin/ 44 yes /usr/sbin/auditctl -1 70
15. 12/03/25 09:57:03 /bin/ 44 yes /usr/sbin/auditctl -1 71
16. 12/03/25 09:57:03 /etc/pam.d 44 yes /usr/sbin/auditctl -1 72
17. 12/03/25 09:57:03 /etc 44 yes /usr/sbin/auditctl -1 73
18. 12/03/25 09:57:03 /var 44 yes /usr/sbin/auditctl -1 74
19. 12/03/25 09:57:03 /etc/ 44 yes /usr/sbin/auditctl -1 75
20. 12/03/25 09:57:03 /etc/network 44 yes /usr/sbin/auditctl -1 76
21. 12/03/25 09:57:03 /sbin/ 44 yes /usr/sbin/auditctl -1 77
22. 12/03/25 09:57:03 /sbin/ 44 yes /usr/sbin/auditctl -1 78
23. 12/03/25 09:57:03 /sbin/ 44 yes /usr/sbin/auditctl -1 79
24. 12/03/25 09:57:03 /sbin/ 44 yes /usr/sbin/auditctl -1 80
25. 12/03/25 09:57:03 /bin/ 44 yes /usr/sbin/auditctl -1 81
26. 12/03/25 09:58:38 /bin/systemctl 59 yes /usr/bin/systemctl 1000 99
27. 12/03/25 09:59:01 /usr/bin/sudo 59 yes /usr/bin/sudo 1000 104
28. 12/03/25 09:59:20 /usr/bin/sudo 59 yes /usr/bin/sudo 1000 111
29. 12/03/25 09:59:41 /usr/bin/sudo 59 yes /usr/bin/sudo 1000 118
30. 12/03/25 10:00:08 /usr/bin/sudo 59 yes /usr/bin/sudo 1000 151
31. 12/03/25 10:00:24 /usr/bin/sudo 59 yes /usr/bin/sudo 1000 160
32. 12/03/25 10:00:33 /usr/bin/sudo 59 yes /usr/bin/sudo 1000 167

Key based Reports

# Summary report: All used rule keys
sudo aureport -k -i

# Shell output:
Key Report
===============================================
# date time key success exe auid event
===============================================
1. 12/03/25 09:57:03 etcpasswd yes /usr/sbin/auditctl unset 56
2. 12/03/25 09:57:03 etcpasswd yes /usr/sbin/auditctl unset 57
3. 12/03/25 09:57:03 etcgroup yes /usr/sbin/auditctl unset 58
4. 12/03/25 09:57:03 etcgroup yes /usr/sbin/auditctl unset 59
5. 12/03/25 09:57:03 passwd_modification yes /usr/sbin/auditctl unset 60
6. 12/03/25 09:57:03 group_modification yes /usr/sbin/auditctl unset 61
7. 12/03/25 09:57:03 group_modification yes /usr/sbin/auditctl unset 62
8. 12/03/25 09:57:03 group_modification yes /usr/sbin/auditctl unset 63
9. 12/03/25 09:57:03 user_modification yes /usr/sbin/auditctl unset 64
10. 12/03/25 09:57:03 user_modification yes /usr/sbin/auditctl unset 65
11. 12/03/25 09:57:03 user_modification yes /usr/sbin/auditctl unset 66
12. 12/03/25 09:57:03 sshd yes /usr/sbin/auditctl unset 67
13. 12/03/25 09:57:03 priv_esc yes /usr/sbin/auditctl unset 68
14. 12/03/25 09:57:03 priv_esc yes /usr/sbin/auditctl unset 69
15. 12/03/25 09:57:03 priv_esc yes /usr/sbin/auditctl unset 70
16. 12/03/25 09:57:03 priv_esc yes /usr/sbin/auditctl unset 71
17. 12/03/25 09:57:03 pam yes /usr/sbin/auditctl unset 72
18. 12/03/25 09:57:03 unauthed_file_access yes /usr/sbin/auditctl unset 73
19. 12/03/25 09:57:03 unauthed_file_access yes /usr/sbin/auditctl unset 74
20. 12/03/25 09:57:03 hosts yes /usr/sbin/auditctl unset 75
21. 12/03/25 09:57:03 network yes /usr/sbin/auditctl unset 76
22. 12/03/25 09:57:03 power yes /usr/sbin/auditctl unset 77
...
  • -i Interpret UIDs, GIDs and syscall numbers into readable names, for example SYSCALL 107 becomes SYSCALL reboot

More Reports

# Summary report: Network events
sudo aureport -n

# Summary report: Executable report
sudo aureport -x -i



Filter & Search Events

Search and filter the audit log:

# Search events
sudo ausearch

# Search events / Filter logs by rule key (-k); the key must match one defined in the rules file, e.g. etcpasswd, priv_esc, user_modification
sudo ausearch -k passwd_changes
sudo ausearch -k sudoers_changes
sudo ausearch -k user_modification

# Filter with user ID
sudo ausearch -ua 1000

# Search by username
sudo ausearch -ua username