7.5. Defining Audit Rules


The Audit system operates on a set of rules that define what is to be captured in the log files. There are three types of Audit rules that can be specified:
  • Control rules — allow the Audit system's behavior and some of its configuration to be modified.
  • File system rules — also known as file watches, allow the auditing of access to a particular file or a directory.
  • System call rules — allow logging of system calls that any specified program makes.
Audit rules can be specified on the command line with the auditctl utility (note that these rules are not persistent across reboots), or written in the /etc/audit/audit.rules file. The following two sections summarize both approaches to defining Audit rules.

7.5.1. Defining Audit Rules with the auditctl Utility

Note

All commands which interact with the Audit service and the Audit log files require root privileges. Ensure you execute these commands as the root user.
The auditctl command allows you to control the basic functionality of the Audit system and to define rules that decide which Audit events are logged.

Defining Control Rules

The following are some of the control rules that allow you to modify the behavior of the Audit system:
-b
sets the maximum number of outstanding Audit buffers in the kernel (the backlog limit), for example:
~]# auditctl -b 8192
-f
sets the action that is performed when a critical error is detected, for example:
~]# auditctl -f 2
The above configuration triggers a kernel panic in case of a critical error.
-e
enables and disables the Audit system or locks its configuration, for example:
~]# auditctl -e 2
The above command locks the Audit configuration.
-r
sets the rate of generated messages per second, for example:
~]# auditctl -r 0
The above configuration sets no rate limit on generated messages.
-s
reports the status of the Audit system, for example:
~]# auditctl -s
AUDIT_STATUS: enabled=1 flag=2 pid=0 rate_limit=0 backlog_limit=8192 lost=259 backlog=0
-l
lists all currently loaded Audit rules, for example:
~]# auditctl -l
LIST_RULES: exit,always watch=/etc/localtime perm=wa key=time-change
LIST_RULES: exit,always watch=/etc/group perm=wa key=identity
LIST_RULES: exit,always watch=/etc/passwd perm=wa key=identity
LIST_RULES: exit,always watch=/etc/gshadow perm=wa key=identity
⋮
-D
deletes all currently loaded Audit rules, for example:
~]# auditctl -D
No rules

Defining File System Rules

To define a file system rule, use the following syntax:
auditctl -w path_to_file -p permissions -k key_name
where:
  • path_to_file is the file or directory that is audited.
  • permissions specifies which kinds of access are logged:
    • r — read access to a file or a directory.
    • w — write access to a file or a directory.
    • x — execute access to a file or a directory.
    • a — change of an attribute of a file or a directory.
  • key_name is an optional string that helps you identify which rule or a set of rules generated a particular log entry.

Example 7.1. File System Rules

To define a rule that logs all write access to, and every attribute change of, the /etc/passwd file, execute the following command:
~]# auditctl -w /etc/passwd -p wa -k passwd_changes
Note that the string following the -k option is arbitrary.
To define a rule that logs all write access to, and every attribute change of, all the files in the /etc/selinux/ directory, execute the following command:
~]# auditctl -w /etc/selinux/ -p wa -k selinux_changes
To define a rule that logs the execution of the /sbin/insmod command, which inserts a module into the Linux kernel, execute the following command:
~]# auditctl -w /sbin/insmod -p x -k module_insertion

Defining System Call Rules

To define a system call rule, use the following syntax:
auditctl -a action,filter -S system_call -F field=value -k key_name
where:
  • action and filter specify when a certain event is logged. action can be either always or never. filter specifies which kernel rule-matching filter is applied to the event. The rule-matching filter can be one of the following: task, exit, user, and exclude. For more information about these filters, see the beginning of Section 7.1, “Audit System Architecture”.
  • system_call specifies the system call by its name. A list of all system calls can be found in the /usr/include/asm/unistd_64.h file. Several system calls can be grouped into one rule, each specified after the -S option.
  • field=value specifies additional options that further restrict the rule so that it matches events based on a specified architecture, group ID, process ID, and others. For a full listing of all available field types and their values, see the auditctl(8) man page.
  • key_name is an optional string that helps you identify which rule or a set of rules generated a particular log entry.

Example 7.2. System Call Rules

To define a rule that creates a log entry every time a program uses the adjtimex or settimeofday system call on a system with the 64-bit architecture, execute the following command:
~]# auditctl -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
To define a rule that creates a log entry every time a file is deleted or renamed by a system user whose ID is 500 or larger (the -F auid!=4294967295 option is used to exclude users whose login UID is not set), execute the following command:
~]# auditctl -a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
It is also possible to define a file system rule using the system call rule syntax. The following command creates a rule for system calls that is analogous to the -w /etc/shadow -p wa file system rule:
~]# auditctl -a always,exit -F path=/etc/shadow -F perm=wa
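Rules entered with auditctl are lost at reboot, so a practitioner normally keeps them in /etc/audit/audit.rules. As an added example that is not from the Red Hat guide, the following POSIX shell script assembles the file system rules and system call rules shown in this section into that persistent file format, validates the -p permission strings, and shows the watch-to-system-call conversion the section describes for /etc/shadow. The helper names (valid_perms, watch_rule, watch_as_syscall_rule, render_rules), the -f 1 setting, the -D/-e 2 ordering and the shadow_changes key are choices made here, not taken from the page.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide. Builds the persistent
# audit.rules form of the rules shown in this section; the helper names
# are hypothetical. Run as root: render_rules > /etc/audit/audit.rules
# and load the file with "auditctl -R /etc/audit/audit.rules"
# (the -R option of auditctl reads rules from a file).

# A -p permission string must be non-empty and contain only r, w, x, a.
valid_perms() {
    case "$1" in
        "" | *[!rwxa]*) return 1 ;;
        *) return 0 ;;
    esac
}

# File-system watch rule (-w path -p perms -k key), same flags as auditctl.
watch_rule() {   # usage: watch_rule path perms key
    valid_perms "$2" || { echo "invalid permissions: $2" >&2; return 1; }
    printf '%s\n' "-w $1 -p $2 -k $3"
}

# The same watch expressed as a system call rule, as the guide shows for
# /etc/shadow: the path and perm fields replace -w and -p.
watch_as_syscall_rule() {   # usage: watch_as_syscall_rule path perms key
    valid_perms "$2" || { echo "invalid permissions: $2" >&2; return 1; }
    printf '%s\n' "-a always,exit -F path=$1 -F perm=$2 -k $3"
}

# Complete rule set. -D first so a reload starts from an empty rule list;
# -e 2 last, because after it the configuration is locked until reboot.
render_rules() {
    printf '%s\n' '-D'        # delete all currently loaded rules
    printf '%s\n' '-b 8192'   # kernel Audit buffers (backlog limit)
    printf '%s\n' '-f 1'      # on critical error, report via printk (2 = panic)
    watch_rule /etc/passwd wa passwd_changes
    watch_rule /etc/selinux/ wa selinux_changes
    watch_rule /sbin/insmod x module_insertion
    printf '%s\n' '-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change'
    printf '%s\n' '-a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete'
    watch_as_syscall_rule /etc/shadow wa shadow_changes
    printf '%s\n' '-e 2'      # lock the Audit configuration
}
```

Because -e 2 locks the configuration, any later change to the file only takes effect after a reboot, which is why it is emitted as the final line.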
© 2025 Red Hat