auditctl

Show status

$ sudo auditctl -s

$ sudo auditctl -l

$ sudo auditctl -D

$ sudo auditctl -e 1

$ sudo auditctl -a always,exit -F arch=b64 -F path=/path/to/file -F perm=wa

$ sudo auditctl -a always,exit -F arch=b64 -F dir=/path/to/dir/ -F perm=wa

auditctl [OPTIONS]

auditctl controls the behavior and manages rules of the Linux Auditing System. It can enable or disable auditing, add or remove audit rules, and display the current audit status and configuration.
Rules can monitor specific files and directories for access, track system calls by process attributes, and filter events by user, group, or architecture. The tool communicates directly with the kernel audit subsystem to apply rules immediately, though these runtime rules are lost on reboot unless persisted to the audit rules file.

-s

Display the audit system status

List all currently loaded audit rules

Delete all audit rules

Disable (0) or enable (1) auditing

Add a rule to the end of a list (e.g., always,exit)

Watch a file or directory for changes

Add a field comparison (path, perm, arch, etc.)

Permissions filter (r=read, w=write, x=execute, a=attribute change)

/etc/audit/audit.rules

Persistent audit rules loaded at boot by auditd. Rules added with auditctl are lost on reboot unless saved here.

Requires root privileges. Rules added with auditctl are not persistent across reboots; use /etc/audit/audit.rules for persistence. Excessive auditing can impact system performance.

auditctl is part of the audit package, providing the Linux Audit Framework for security monitoring and compliance.

ausearch(8), aureport(8), auditd(8)