How to Set Up Security Monitoring on Linux with auditd
A complete walkthrough configuring the Linux audit daemon to watch specific files, commands, and syscalls — and actually query the resulting logs for something useful.
auditd is the userspace component of the Linux kernel’s audit subsystem — logging security-relevant events (file access, syscalls, command execution) at a level of detail well beyond ordinary system logs, and a natural complement to SELinux enforcement.
Step 1: install and start auditd
sudo dnf install audit # RHEL/Fedora
sudo apt install auditd # Debian/Ubuntu
sudo systemctl enable --now auditd
Step 2: watch a specific sensitive file for changes
sudo auditctl -w /etc/passwd -p wa -k passwd_changes
-p wa watches for write and attribute-change events; -k tags matching log entries with a searchable key, making them easy to filter out from everything else auditd logs.
Step 3: watch a specific syscall system-wide
sudo auditctl -a always,exit -F arch=b64 -S execve -k exec_tracking
This logs every execve (program execution) system call — useful for building a record of what actually ran on the system, not just what was configured to run.
Step 4: make rules persistent across reboots
# /etc/audit/rules.d/audit.rules
-w /etc/passwd -p wa -k passwd_changes
-a always,exit -F arch=b64 -S execve -k exec_tracking
sudo augenrules --load
Rules set with auditctl directly are cleared on reboot — persisting them means adding them to the rules.d configuration and reloading.
Step 5: query logs by the key you assigned
sudo ausearch -k passwd_changes
sudo ausearch -k exec_tracking -ts today
Tagging rules with -k at creation time is what makes this kind of targeted, readable querying possible later — untagged rules still log, but require much more manual log-parsing to filter.
Step 6: generate a summary report
sudo aureport --summary
sudo aureport -x --summary
aureport produces human-readable summaries (failed logins, executable usage, file access patterns) rather than requiring you to read raw audit records directly.
Step 7: watch for a specific user’s activity
sudo auditctl -a always,exit -F arch=b64 -F uid=1001 -S execve -k user_1001_exec
Step 8: check current active rules
sudo auditctl -l
Why tagging rules with -k is worth doing from the very first rule you write
An untagged audit log grows into an enormous, undifferentiated stream very quickly on any active system — the -k key is what turns that stream back into something queryable by intent (“show me passwd_changes,” not “show me everything and let me grep for it”). Establishing this habit from the first rule, rather than retrofitting it later, is what actually makes auditd’s output usable during a real incident investigation instead of just theoretically comprehensive.