audit.rules - Linux


Overview

audit.rules is a configuration file used by the Linux Audit Framework to specify rules for generating audit records. It allows system administrators to define conditions based on which specific system events should be audited and logged.

Syntax

/etc/audit/audit.rules

Options/Flags

| Option | Description | Default |
|---|---|---|
| -a [ACTION] | Specify the action to take when a rule matches (e.g., deny, allow, never) | never |
| -F [FIELDS] | Specify the fields to be recorded in the audit record (e.g., action, uid, pid) | all |
| -S [SUCCESS] | Specify the action to take when a rule matches and the operation was successful (e.g., deny, allow, never) | never |
| -k [KEY][=VALUE] | Specify a key-value pair to match against rule conditions (e.g., exe="/bin/bash") | none |

Examples

Example 1: Log all file deletions

# A syscall rule on the unlink/rename family; a watch of -w / -p wa would log every write on the filesystem, not deletions
-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete

Example 2: Allow root to execute all commands without logging

# -a takes action,list and -F takes a field comparison; a never rule must come before the always rules it is meant to exempt
-a never,exit -F arch=b64 -S execve -F uid=0

Example 3: Deny access to /etc/passwd for non-root users

# The audit subsystem records access, it cannot deny it: this logs reads and attribute changes by non-root users (auid >= 1000)
-a always,exit -F path=/etc/passwd -F perm=ra -F auid>=1000 -F auid!=unset -k passwd_access

Common Issues

  • Missing rules: Ensure that audit.rules contains at least one rule to enable audit logging.
  • Invalid syntax: Rules must follow the specified syntax. Check for missing or incorrect parameters.
  • Insufficient permissions: Ensure that the user running the auditd service has sufficient permissions to read /etc/audit/audit.rules.
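The "Invalid syntax" item above, and the first-match ordering that a never rule such as Example 2 relies on, as an added example that is not code from the page or the audit project: a small linter that parses audit.rules lines built from -a, -F, -S, -w, -p and -k and reports the malformed ones. The rules file it checks is constructed for the example; the linter covers only those options, so a real check is still `auditctl -R` on the file.

```python
import re
import shlex

# Constructed sample audit.rules content (not from any real host): valid lines
# mixed with the kinds of mistakes the Common Issues section describes.
SAMPLE_RULES = """\
-a never,exit -F arch=b64 -S execve -F uid=0 -k root_exec
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
-w /etc/passwd -p rwa -k passwd_access
-a deny -F auid=1000 -k path=/etc/passwd
-a always,exit -S open -F arch=b64 -k arch_late
-a never,exit -F arch=b64 -S unlink -F uid=0 -k late_never
"""
ACTIONS, LISTS = {"always", "never"}, {"task", "exit", "user", "exclude", "filesystem"}
FIELD_RE = re.compile(r"^\w+(!=|<=|>=|&=|=|<|>|&)\S+$")
NEEDS_ARG = {"-a", "-F", "-S", "-w", "-p", "-k", "-b", "-f", "-r", "-e"}

def lint_rule(line):
    """Return the problems found in one audit.rules line (empty list if it looks valid)."""
    toks, problems, arch_seen, i = shlex.split(line, comments=True), [], False, 0
    while i < len(toks):
        opt, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else ""
        if opt == "-a":
            parts = set(arg.split(","))
            if len(parts) != 2 or not (parts & ACTIONS and parts & LISTS):
                problems.append(f"-a {arg}: expected action,list (always|never and task|exit|user|exclude|filesystem)")
        elif opt == "-F":
            arch_seen = arch_seen or arg.startswith("arch=")  # auditctl needs arch before -S
            if not FIELD_RE.match(arg):
                problems.append(f"-F {arg}: expected field<op>value, e.g. auid>=1000")
        elif opt == "-S" and not arch_seen:
            problems.append("-S before -F arch=: set the arch before naming syscalls")
        elif opt == "-k" and "=" in arg:
            problems.append(f"-k {arg}: keys are plain labels; a field comparison belongs in -F")
        i += 2 if opt in NEEDS_ARG else 1
    return problems

def lint_file(text):
    """Lint each line; also flag a never rule that follows an always rule on the same list (first match wins)."""
    report, always_seen = {}, set()
    for n, line in enumerate(text.splitlines(), 1):
        probs, m = lint_rule(line), re.match(r"-a\s+(\w+),(\w+)", line.strip())
        if m:
            action, lst = m.groups() if m.group(1) in ACTIONS else m.groups()[::-1]
            if action == "always":
                always_seen.add(lst)
            elif lst in always_seen:
                probs.append(f"never rule on list '{lst}' after an always rule; move it earlier")
        report[n] = probs
    return {n: p for n, p in report.items() if p}
```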

Integration

audit.rules interacts with the Linux Audit Framework components:

  • auditd: The audit daemon responsible for collecting and logging audit data.
  • auditctl: A command-line utility for controlling the audit subsystem.
  • ausearch: A tool for searching and analyzing audit records.

Related Commands

  • auditd: Control the Linux Audit Framework.
  • ausearch: Search and analyze audit records.
  • auditctl: Modify audit settings.