Skip to content
daniel@cosenza:~/blog
LinuxHow-To July 9, 2026 2 min read

How to Set Up Security Monitoring on Linux with auditd

A complete walkthrough configuring the Linux audit daemon to watch specific files, commands, and syscalls — and actually query the resulting logs for something useful.

auditd is the userspace component of the Linux kernel’s audit subsystem — logging security-relevant events (file access, syscalls, command execution) at a level of detail well beyond ordinary system logs, and a natural complement to SELinux enforcement.

Step 1: install and start auditd

sudo dnf install audit    # RHEL/Fedora
sudo apt install auditd   # Debian/Ubuntu
sudo systemctl enable --now auditd

Step 2: watch a specific sensitive file for changes

sudo auditctl -w /etc/passwd -p wa -k passwd_changes

-p wa watches for write and attribute-change events; -k tags matching log entries with a searchable key, making them easy to filter out from everything else auditd logs.

Step 3: watch a specific syscall system-wide

sudo auditctl -a always,exit -F arch=b64 -S execve -k exec_tracking

This logs every execve (program execution) system call — useful for building a record of what actually ran on the system, not just what was configured to run.

Step 4: make rules persistent across reboots

# /etc/audit/rules.d/audit.rules
-w /etc/passwd -p wa -k passwd_changes
-a always,exit -F arch=b64 -S execve -k exec_tracking
sudo augenrules --load

Rules set with auditctl directly are cleared on reboot — persisting them means adding them to the rules.d configuration and reloading.

Step 5: query logs by the key you assigned

sudo ausearch -k passwd_changes
sudo ausearch -k exec_tracking -ts today

Tagging rules with -k at creation time is what makes this kind of targeted, readable querying possible later — untagged rules still log, but require much more manual log-parsing to filter.

Step 6: generate a summary report

sudo aureport --summary
sudo aureport -x --summary

aureport produces human-readable summaries (failed logins, executable usage, file access patterns) rather than requiring you to read raw audit records directly.

Step 7: watch for a specific user’s activity

sudo auditctl -a always,exit -F arch=b64 -F uid=1001 -S execve -k user_1001_exec

Step 8: check current active rules

sudo auditctl -l

Why tagging rules with -k is worth doing from the very first rule you write

An untagged audit log grows into an enormous, undifferentiated stream very quickly on any active system — the -k key is what turns that stream back into something queryable by intent (“show me passwd_changes,” not “show me everything and let me grep for it”). Establishing this habit from the first rule, rather than retrofitting it later, is what actually makes auditd’s output usable during a real incident investigation instead of just theoretically comprehensive.