auditctl
Control and manage Linux audit system rules.
TLDR
Show status: auditctl -s
SYNOPSIS
auditctl [OPTIONS]
DESCRIPTION
auditctl controls the behavior and manages rules of the Linux Auditing System. It can enable or disable auditing, add or remove audit rules, and display the current audit status and configuration.
Rules can monitor specific files and directories for access, track system calls by process attributes, and filter events by user, group, or architecture. The tool communicates directly with the kernel audit subsystem to apply rules immediately, though these runtime rules are lost on reboot unless persisted to the audit rules file.
PARAMETERS
-s
Display the audit system status
-l
List all currently loaded audit rules
-D
Delete all audit rules
-e 0|1
Disable (0) or enable (1) auditing
-a list,action
Add a rule to the end of a list (e.g., always,exit)
-w path
Watch a file or directory for changes
-F field=value
Add a field comparison (path, perm, arch, etc.)
-p permissions
Permissions filter (r=read, w=write, x=execute, a=attribute change)
CONFIGURATION
/etc/audit/audit.rules
Persistent audit rules loaded at boot by auditd. Rules added with auditctl are lost on reboot unless saved here.
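The following script is an added example (not part of the audit package or this page) showing how the -D, -w, -p, -a, -F and -e options above combine into a small rule set, and how the same rule lines can be both applied at runtime and written to the persistent rules file, since /etc/audit/audit.rules uses auditctl's argument syntax without the "auditctl" prefix. The syscall rule uses -S, a real auditctl option not listed in PARAMETERS; the watched paths, keys and the AUDIT_APPLY variable are the example's own choices. By default the script only previews the commands; it invokes auditctl only when AUDIT_APPLY=1 and it is run as root.

```shell
#!/bin/sh
# Added example, not the audit project's own code: build auditctl rule
# lines that can be applied immediately or persisted to audit.rules.

# watch_rule PATH PERMS KEY -> "-w PATH -p PERMS -k KEY"
# PERMS is any combination of r, w, x, a (see -p above).
watch_rule() {
  printf '%s\n' "-w $1 -p $2 -k $3"
}

# syscall_rule ACTION LIST ARCH SYSCALL KEY [FIELD=VALUE ...]
# -> "-a ACTION,LIST -F arch=ARCH -S SYSCALL [-F FIELD=VALUE ...] -k KEY"
# Extra arguments become -F comparisons (e.g. 'auid>=1000').
syscall_rule() {
  rule="-a $1,$2 -F arch=$3 -S $4"
  key=$5
  shift 5
  for field in "$@"; do
    rule="$rule -F $field"
  done
  printf '%s -k %s\n' "$rule" "$key"
}

# render_ruleset prints a complete rule set: clear existing rules first,
# add watches on identity and audit configuration files, log program
# execution by real (non-system) users, then enable auditing.
# Paths and keys are constructed for this example.
render_ruleset() {
  printf '%s\n' '-D'
  watch_rule /etc/passwd wa identity
  watch_rule /etc/sudoers wa sudoers_change
  watch_rule /etc/audit/ rwxa audit_config
  syscall_rule always exit b64 execve exec_log 'auid>=1000' 'auid!=unset'
  printf '%s\n' '-e 1'
}

# rule_count returns the number of rule lines render_ruleset emits.
rule_count() {
  render_ruleset | grep -c .
}

# apply_or_preview reads rule lines on stdin. With AUDIT_APPLY=1 and root
# privileges each line is passed to auditctl (word splitting intended);
# otherwise the command that would run is printed.
apply_or_preview() {
  while IFS= read -r line; do
    if [ "${AUDIT_APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
      # shellcheck disable=SC2086
      auditctl $line
    else
      printf 'auditctl %s\n' "$line"
    fi
  done
}

# persist_ruleset FILE writes the rule set in audit.rules format so it
# survives reboot (use /etc/audit/audit.rules on a real system).
persist_ruleset() {
  render_ruleset > "$1"
}

# Preview the runtime commands when run directly.
render_ruleset | apply_or_preview
```

Run with AUDIT_APPLY=1 as root to load the rules, then check them with auditctl -l; to persist them, call persist_ruleset against the rules file named in CONFIGURATION so auditd reloads them at boot.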
CAVEATS
Requires root privileges. Rules added with auditctl are not persistent across reboots; use /etc/audit/audit.rules for persistence. Excessive auditing can impact system performance.
HISTORY
auditctl is part of the audit package, providing the Linux Audit Framework for security monitoring and compliance.
