auditctl

auditctl [OPTIONS]

auditctl controls the behavior and manages rules of the Linux Auditing System. It can enable or disable auditing, add or remove audit rules, and display the current audit status and configuration.Rules can monitor specific files and directories for access, track system calls by process attributes, and filter events by user, group, or architecture. The tool communicates directly with the kernel audit subsystem to apply rules immediately, though these runtime rules are lost on reboot unless persisted to the audit rules file.

-s

Display the audit system status

List all currently loaded audit rules

Delete all audit rules

Set max number of outstanding audit buffers (kernel default: 64)

Disable (0), enable (1), or lock (2) audit configuration. Locked config cannot be changed without reboot.

Set failure mode: 0=silent, 1=printk, 2=panic

Set message rate limit in messages/sec (0=none)

Append a rule to the end of a list (e.g., always,exit)

Delete a matching rule from the specified list

Place a watch on a file or directory for changes

Remove a watch from a file or directory

Add a field comparison (path, perm, arch, uid, pid, etc.)

Specify a syscall name or number to audit (use with -a)

Set a filter key on an audit rule for easier log searching

Permissions filter (r=read, w=write, x=execute, a=attribute change)

Read and execute auditctl commands from a file

/etc/audit/audit.rules

Persistent audit rules loaded at boot by auditd. Rules added with auditctl are lost on reboot unless saved here.

Requires root privileges. Rules added with auditctl are not persistent across reboots; use /etc/audit/audit.rules for persistence. Excessive auditing can impact system performance.

auditctl is part of the audit package, providing the Linux Audit Framework for security monitoring and compliance.

ausearch(8), aureport(8), auditd(8)