auditctl
Configure the Linux audit system
TLDR
Display the [s]tatus of the audit system
[l]ist all currently loaded audit rules
[D]elete all audit rules
[e]nable/disable the audit system
Watch a file for changes
Recursively watch a directory for changes
Display [h]elp
SYNOPSIS
auditctl [options] [rules]
Common Invocation Examples:
auditctl -l
auditctl -D
auditctl -w /etc/passwd -p wa -k passwd_changes
auditctl -a always,exit -F arch=b64 -S open,openat -F path=/var/log/messages -F success=0 -k failed_log_access
auditctl -e 1
PARAMETERS
-l
List all currently loaded audit rules.
-D
Delete all current audit rules.
-A list,action filter_fields
Insert a rule at the beginning of the given list, so it is evaluated before every rule already loaded. The list names the kernel filter the rule is attached to: 'exit' (checked when a system call returns; file watches are also placed here), 'task' (checked when a process is created), 'user' (messages sent from user space), 'exclude' (drops whole record types) or 'filesystem' (newer kernels, filtered with -F fstype). The 'entry' list is no longer supported; use 'exit'. The action is 'always' (generate a record) or 'never' (generate none). The filter fields are the -S and -F conditions of the rule, usually followed by a -k key.
-a list,action filter_fields
Append a rule to the end of the given list. Same syntax as -A; this is the form used in rules files. auditctl also accepts the order action,list, which is why the common 'always,exit' spelling works. To remove a rule, repeat its exact text with -d in place of -a.
-w path
Insert a watch on the file system object at path. A watch on a directory covers everything beneath it recursively. The kernel does not allow a watch on the top-level directory. -W path removes the watch.
-p permissions
Used with -w to restrict which accesses are recorded: r=read, w=write, x=execute, a=attribute change, combined as in rwxa. Include r only where it is really needed; r on a file that every process reads, such as /etc/passwd, produces a flood of records.
-k key_name
Assign a 'key' to a rule. This key appears in audit logs, making it easier to identify related events or groups of events.
-S syscall_name | syscall_number
Specify a system call to audit, by name (e.g. open, execve) or by number. The option may be repeated, several names may be given comma-separated, and 'all' matches every system call. Names resolve to different numbers on each ABI, so give -F arch=b64 or -F arch=b32 before -S; without it auditctl warns about a 32/64-bit syscall mismatch on multilib hosts.
-F field=value
Add a field filter to a rule. The comparison operator may be =, !=, <, >, <=, >=, & or &=. Examples: 'uid=0', 'arch=b64', 'auid>=1000', 'success=0', 'exit=-EACCES'. Exit values are compared against the system call's return value, which is a negative errno on failure, so write the errno with a leading minus sign. 'key=name' is the same as -k name.
-e state
Enable or disable auditing. 0=disable, 1=enable, 2=enable and lock the configuration: after -e 2 no rule or setting can be changed until reboot, so put it at the very end of the rule set.
-s
Report the current status of the audit system: enabled, failure mode, pid of the audit daemon, rate_limit, backlog_limit, the number of lost events, and the current backlog depth. A non-zero lost count means the kernel has already dropped records.
-b backlog_limit
Set the maximum number of audit events the kernel will hold while waiting for auditd to read them. When the queue is full, further events are dropped and counted in the lost figure shown by -s; busy systems raise this (8192 is a common value in rules files).
-m text
Send a message from user space into the audit log; it is recorded as a USER record. Requires CAP_AUDIT_WRITE.
-r rate_limit
Set the maximum number of messages per second the kernel will send to the audit daemon; 0 means no limit. Messages above the limit are dropped and counted as lost.
-R rules_file
Read rules from rules_file, one rule per line in the same syntax as the command line, and load them in order. Lines starting with # are comments. This is how auditd loads /etc/audit/audit.rules at startup.
-i
Ignore errors when reading rules from a file; auditctl then always exits 0. -c instead continues past a failing rule but still reports the failure in its exit status.
-v
Print the version of auditctl.
DESCRIPTION
auditctl is the command-line utility for configuring the Linux audit subsystem in the kernel. It loads, lists and deletes audit rules and sets kernel-side parameters such as the backlog and rate limits. The rules decide which events (file accesses, system calls, configuration changes) the kernel records; the resulting records are passed to the auditd daemon, which writes them to the audit log.
The audit trail produced by these rules is what compliance regimes such as PCI-DSS, HIPAA and SOX ask for and what an incident responder searches (ausearch -k key) when reconstructing activity. Rules are only as good as their scope: a rule that is too broad buries the interesting events and can overflow the kernel backlog, while a rule with the wrong arch or path records nothing. The log is a record, not an immutable one; protect /var/log/audit/ and lock the configuration with -e 2 if tampering is a concern.
Rules added with auditctl live only in kernel memory and are gone after a reboot; persistent rules belong in files under /etc/audit/rules.d/.
CAVEATS
Audit rules loaded via auditctl are volatile and are lost on reboot; persistent rules go in files under /etc/audit/rules.d/, which augenrules merges into /etc/audit/audit.rules for auditd to load at startup. Rule order matters: within a list the kernel evaluates rules sequentially and the first match decides, so a never rule placed after a matching always rule never fires. Every rule adds work to every system call it covers; broad rules such as -S all without a narrow -F filter can slow the system and fill the backlog, after which events are dropped. Rule changes are themselves audited as CONFIG_CHANGE records. Running auditctl requires root, specifically the CAP_AUDIT_CONTROL capability, and once -e 2 is set no change is possible until reboot.
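The performance caveat is only visible if someone looks at `auditctl -s`. The following added example, which is not part of the auditctl project, reads that status output and reports the conditions that matter when rules overload the kernel: auditing disabled, events dropped because the -b backlog filled, a backlog close to its limit, and a -r rate limit in force. The status text embedded in the script is constructed for the demonstration; the key names are the ones auditctl -s prints.

```sh
#!/bin/sh
# Added example, not from the auditctl project. Parses `auditctl -s`
# output and returns 1 when the audit subsystem needs attention.

# Usage: auditctl -s | audit_health. Prints findings, returns 1 if any.
audit_health() {
    awk '
    { v[$1] = $2 }
    END {
        bad = 0
        if (v["enabled"] + 0 == 0) {
            print "auditing is disabled: run auditctl -e 1"; bad = 1
        }
        if (v["lost"] + 0 > 0) {
            printf "kernel dropped %d events: raise -b above %d and check -r\n", v["lost"], v["backlog_limit"]; bad = 1
        }
        # Warn before the queue actually fills: 80% of -b in use.
        if (v["backlog_limit"] + 0 > 0 && v["backlog"] * 100 / v["backlog_limit"] >= 80) {
            printf "backlog %d of %d in use, nearly full\n", v["backlog"], v["backlog_limit"]; bad = 1
        }
        # Informational only: a rate limit is a deliberate setting, but
        # bursts above it are dropped and counted in lost.
        if (v["rate_limit"] + 0 > 0) {
            printf "rate limit %d msg/s is set: bursts above it are dropped and counted as lost\n", v["rate_limit"]
        }
        exit bad
    }'
}

# Constructed sample: a host left at the kernel default backlog of 64 that
# has already dropped events under load. (Not real auditctl output.)
sample_status='enabled 1
failure 1
pid 812
rate_limit 0
backlog_limit 64
lost 37
backlog 60
backlog_wait_time 60000'

printf '%s\n' "$sample_status" | audit_health
echo "sample exit status: $?"

# On a real host the same check runs against the live status (root only).
if [ "$(id -u)" -eq 0 ] && command -v auditctl >/dev/null 2>&1; then
    auditctl -s | audit_health
fi
```

A non-zero lost count never resets on its own, so record the value when a rule set is deployed and alert on growth rather than on the absolute number.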
RULE PERSISTENCE
Rules added with auditctl modify the kernel's active rule set, which is held in volatile memory. To have them reloaded after a reboot, save them to a file under /etc/audit/rules.d/ with a .rules suffix (e.g. /etc/audit/rules.d/50-local.rules), one rule per line in the same syntax as the command line. augenrules concatenates those files in name order into /etc/audit/audit.rules, and the auditd service loads that file at startup; augenrules --load does the same immediately. Because the files are merged in name order, base settings such as -D and -b belong in a low-numbered file and -e 2 in the highest-numbered one.
RULE ORDER AND PROCESSING
Audit rules are evaluated by the kernel in the order they hold in their list. Once an event matches a rule, evaluation of that list stops for the event, and the matching rule's action and key are what get applied. Placement therefore matters: never rules that exclude noisy activity must precede the always rules they are meant to override, and when two always rules match the same event only the first one's -k key appears in the record. -a appends and -A prepends, so rules files start with -D to load from a known, empty state.
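The ordering rules above are easy to violate in a rules file that grows over time. The following added example, which is not part of the auditctl project, is a small lint to run on a rules file before `auditctl -R` or augenrules loads it. It flags a never rule appended after an always rule on the same list (first match wins, so the never rule can never fire), a syscall rule without -F arch, an always rule or watch without a key, and any line placed after -e 2 (the configuration is locked, so those lines are rejected). The two rules files it writes are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the auditctl project: lint an audit rules file
# for ordering and scoping mistakes before loading it into the kernel.

# Usage: lint_rules FILE. Prints one finding per line, returns 1 if any.
lint_rules() {
    awk '
    function flag(msg) { printf "line %d: %s: %s\n", NR, msg, $0; n++ }
    # Skip comments and blank lines.
    /^[[:space:]]*(#|$)/ { next }
    # Anything after -e 2 cannot be loaded: the config is locked.
    locked { flag("placed after -e 2, rejected because the config is locked") }
    $1 == "-e" && $2 == "2" { locked = 1; next }
    $1 == "-a" || $1 == "-A" {
        # auditctl accepts both list,action and action,list.
        split($2, f, ",")
        if (f[1] == "always" || f[1] == "never") { action = f[1]; list = f[2] }
        else { action = f[2]; list = f[1] }
        # -a appends, so a later never rule sits behind any earlier always
        # rule on the same list; -A prepends and is left alone here.
        if ($1 == "-a" && action == "always") seen_always[list] = NR
        if ($1 == "-a" && action == "never" && (list in seen_always))
            flag("never rule shadowed by the always rule on line " seen_always[list])
        if ($0 ~ / -S / && $0 !~ / -F arch=/)
            flag("syscall rule without -F arch, ambiguous on a multilib host")
        if (action == "always" && $0 !~ / -k / && $0 !~ / -F key=/)
            flag("always rule without a key, hard to find with ausearch -k")
    }
    $1 == "-w" && $0 !~ / -k / && $0 !~ / -F key=/ {
        flag("watch without a key, hard to find with ausearch -k")
    }
    END { exit (n > 0) }
    ' "$1"
}

# Constructed sample files for the demonstration.
tmpdir=${TMPDIR:-/tmp}/auditctl-lint.$$
mkdir -p "$tmpdir"
cat > "$tmpdir/bad.rules" <<'EOF'
-a always,exit -F arch=b64 -S execve -k exec
-a never,exit -F arch=b64 -S execve -F auid=1000
-a always,exit -S open -k noarch
-e 2
-w /etc/hosts -p wa -k hosts
EOF
cat > "$tmpdir/good.rules" <<'EOF'
-a never,exit -F arch=b64 -S execve -F auid=1000
-a always,exit -F arch=b64 -S execve -k exec
-w /etc/hosts -p wa -k hosts
-e 2
EOF

lint_rules "$tmpdir/bad.rules"
echo "bad.rules exit status: $?"
lint_rules "$tmpdir/good.rules"
echo "good.rules exit status: $?"
```

The check is deliberately conservative: it reasons about one file at a time, while augenrules merges every file in /etc/audit/rules.d/ in name order, so run it on the merged /etc/audit/audit.rules (or the output of augenrules --check) to see the order the kernel will actually get.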
HISTORY
The Linux Audit Framework, of which auditctl is a part, was developed to provide a comprehensive and robust auditing system for Linux. It was primarily integrated into the Linux kernel around the 2.6 series, significantly enhancing system security and accountability capabilities. auditctl provides the essential command-line interface for administrators to manage and interact with this kernel-level auditing functionality dynamically.