
How to Read Audit Logs in Linux

System administrators often need to find out who changed a file, or which user performed a particular read or write operation. Linux audit logs serve this purpose. Since Linux kernel 2.6.x there has been an auditd daemon that writes audit records to disk. At startup the daemon reads its audit rules from the file /etc/audit.rules. You can open this file and change the configuration to suit your requirements, but the default settings are adequate for most system administrators.


There are three commonly used utilities for reading audit logs in Linux.

  1. aureport – produces summary reports from the audit system logs
  2. ausearch – queries the audit logs using various search criteria to retrieve information about specific events
  3. auditctl – controls the kernel audit system: it lets you query its status, add or delete rules, and set a watch on a file

Here is the command to install the audit package.

# yum install audit

or
# up2date install audit

Enable auditd to autostart on boot.

# ntsysv

or
# chkconfig auditd on

Start auditd service.

# /etc/init.d/auditd start

Suppose you want to track changes made to the /etc/passwd file. Here is the command to set a watch on this file.

# auditctl -w /etc/passwd -p war -k password-file

In the above command,

  • -w /etc/passwd – create a watch object for the file with the given path
  • -p war – set the permission filter for the file system watch: r for read, w for write, x for execute, a for append (here the watch records writes, appends and reads)
  • -k password-file – set a filter key on the /etc/passwd watch. The key acts as an identifier for records about /etc/passwd in the audit logs, so you can search for them easily.

Here is the command to add a watch on /etc/shadow with the filter key shadow-file, capturing records for reads, writes, executes and appends.

# auditctl -w /etc/shadow -k shadow-file -p rwxa

To search the audit log for who changed or accessed the /etc/passwd file, use the ausearch command.

# ausearch -f /etc/passwd

or
# ausearch -f /etc/passwd | less

or
# ausearch -f /etc/passwd -i | less

In the above commands,

  • -f /etc/passwd – search only for events involving this file
  • -i – interpret numeric values (such as UIDs and syscall numbers) as text

Let us look at some commonly used examples.

Here is the command to search for records from a specific date, such as 3/12/22. You can also use keywords such as today to get today's records.

# ausearch -ts today -k password-file
# ausearch -ts 3/12/07 -k password-file

Here is the command to search for records by the command (e.g. rm) used to access the /etc/passwd file.

# ausearch -ts today -k password-file -x rm
# ausearch -ts 3/12/07 -k password-file -x rm

You can also search for events by the UID of the user who accessed the file.

# ausearch -ts today -k password-file -x rm -ui 506
# ausearch -k password-file -ui 506
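Underneath, ausearch reads raw records from /var/log/audit/audit.log, groups the SYSCALL, CWD and PATH records that share one event serial number, and filters the result. The following is an added example, not code from the original article or from the audit package, that does the same thing in Python over a few constructed sample records so you can see what the -f, -k, -x, -ui and -ts filters actually match on. The field names (auid, uid, comm, exe, key, name) are the real audit record fields; the small syscall-number table is my assumption for x86_64 hosts, the sample log lines are constructed, and the `since` parameter takes an epoch timestamp rather than a date keyword.

```python
"""Parse raw Linux audit log records and query them the way ausearch does."""
import re
from collections import OrderedDict
from datetime import datetime, timezone

# Constructed sample of /var/log/audit/audit.log (not from a real host).
# One event = several records with the same serial number: SYSCALL, CWD, PATH.
# Event 4567: alice (auid 506) opens /etc/passwd in vi as herself.
# Event 4568: alice opens /etc/passwd via sudo cat (uid becomes 0, auid stays 506).
# Event 4570: bob (auid 507) tries to rm /etc/shadow and is refused (success=no).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1678600000.123:4567): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1 a2=0 a3=0 items=1 ppid=1200 pid=1345 auid=506 uid=506 gid=506 euid=506 suid=506 fsuid=506 egid=506 sgid=506 fsgid=506 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="password-file"
type=CWD msg=audit(1678600000.123:4567): cwd="/home/alice"
type=PATH msg=audit(1678600000.123:4567): item=0 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1678600150.456:4568): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2 a2=0 a3=0 items=1 ppid=1400 pid=1401 auid=506 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="password-file"
type=CWD msg=audit(1678600150.456:4568): cwd="/home/alice"
type=PATH msg=audit(1678600150.456:4568): item=0 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1678600300.789:4570): arch=c000003e syscall=87 success=no exit=-13 a0=7ffd3 a1=0 a2=0 a3=0 items=2 ppid=2000 pid=2001 auid=507 uid=507 gid=507 euid=507 suid=507 fsuid=507 egid=507 sgid=507 fsgid=507 tty=pts1 ses=4 comm="rm" exe="/usr/bin/rm" key="shadow-file"
type=CWD msg=audit(1678600300.789:4570): cwd="/home/bob"
type=PATH msg=audit(1678600300.789:4570): item=0 name="/etc/" inode=2 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1678600300.789:4570): item=1 name="/etc/shadow" inode=1235 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# Record header: type=TYPE msg=audit(SECONDS.MILLIS:SERIAL): key=value ...
RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$')
# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed x86_64 syscall numbers, enough for the sample (ausearch -i has the full table).
SYSCALL_NAMES = {0: "read", 1: "write", 2: "open", 82: "rename",
                 87: "unlink", 90: "chmod", 257: "openat"}


def parse_fields(body):
    """Turn 'a=1 b="x y"' into {'a': '1', 'b': 'x y'}."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def parse_audit_log(text):
    """Group raw records by serial number into one event dict per syscall."""
    events = OrderedDict()
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        ev = events.setdefault(m["serial"],
                               {"serial": int(m["serial"]), "ts": float(m["ts"]), "paths": []})
        fields = parse_fields(m["body"])
        if m["type"] == "SYSCALL":
            ev.update(fields)          # who (auid/uid), what (comm/exe), which rule (key)
        elif m["type"] == "PATH":
            ev["paths"].append(fields.get("name", ""))
        elif m["type"] == "CWD":
            ev["cwd"] = fields.get("cwd", "")
    return list(events.values())


def search(events, path=None, key=None, uid=None, auid=None, comm=None, since=None):
    """Filter like ausearch: -f path, -k key, -ui uid, -x comm, -ts since (epoch seconds).
    auid (the login UID) is an extra filter: it survives sudo, uid does not."""
    hits = []
    for ev in events:
        if path is not None and path not in ev["paths"]:
            continue
        if key is not None and ev.get("key") != key:
            continue
        if uid is not None and ev.get("uid") != str(uid):
            continue
        if auid is not None and ev.get("auid") != str(auid):
            continue
        if comm is not None and ev.get("comm") != comm:
            continue
        if since is not None and ev["ts"] < since:
            continue
        hits.append(ev)
    return hits


def interpret(ev):
    """Render one event as a readable line, in the spirit of `ausearch -i`."""
    when = datetime.fromtimestamp(ev["ts"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    name = SYSCALL_NAMES.get(int(ev.get("syscall", -1)), ev.get("syscall", "?"))
    return (f"{when} auid={ev.get('auid')} uid={ev.get('uid')} comm={ev.get('comm')} "
            f"exe={ev.get('exe')} syscall={name} success={ev.get('success')} "
            f"paths={','.join(ev['paths'])} key={ev.get('key')}")


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    # Equivalent of: ausearch -k password-file
    for ev in search(evs, key="password-file"):
        print(interpret(ev))
```

Two things the sample makes visible that the plain ausearch commands above do not: first, event 4568 has uid=0 but auid=506, so a search by -ui 506 misses the sudo access while the login UID still names the person responsible; second, the watch on /etc/shadow records the refused rm (success=no) as well as successful operations, which is exactly the kind of record worth alerting on.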

In this article, we have learnt how to read audit logs in Linux. The Linux audit framework provides utilities such as ausearch, auditctl and aureport for this purpose.
