auditctl Command
Advanced Firewall & Security, man(8): Control the Linux audit system
📅 Updated: Mar 16, 2026
SYNTAX
auditctl [OPTIONS]
What Does auditctl Do?
The auditctl command is the primary administration tool for the Linux Audit System (auditd). It configures audit rules that track system calls, file access, user actions, and security-relevant events. The audit system is essential for security compliance, forensic investigation, and intrusion detection.
The Linux Audit System operates at the kernel level, recording events before they reach user space. This makes it tamper-resistant — even if an attacker compromises a process, the audit trail is preserved. auditctl manages three types of rules: file/directory watches (track access to sensitive files), system call rules (monitor specific syscalls), and control rules (configure audit system behavior).
Security frameworks like PCI-DSS, HIPAA, SOX, and CIS Benchmarks require system auditing. auditctl with auditd provides the infrastructure to meet these compliance requirements. Related tools include ausearch (search audit logs), aureport (generate reports), and auditd (the audit daemon).
Options & Flags
| Option | Description | Example |
|---|---|---|
| -w PATH | Watch a file or directory for access | sudo auditctl -w /etc/passwd -p wa -k passwd_changes |
| -p PERMISSIONS | Set permissions to watch: r(ead), w(rite), x(ecute), a(ttribute) | sudo auditctl -w /etc/shadow -p rwa -k shadow_access |
| -k KEY | Set a filter key for searching audit logs | sudo auditctl -w /etc/sudoers -p wa -k sudoers_edit |
| -a FILTER,ACTION | Add a syscall audit rule | sudo auditctl -a always,exit -F arch=b64 -S execve -k commands |
| -l | List all current audit rules | sudo auditctl -l |
| -D | Delete all audit rules | sudo auditctl -D |
| -d FILTER,ACTION | Delete a specific rule (the fields must match the rule as it was added) | sudo auditctl -d always,exit -F arch=b64 -S execve -k commands |
| -s | Show audit system status | sudo auditctl -s |
| -e 0\|1\|2 | Enable/disable audit: 0 = disabled, 1 = enabled, 2 = enabled and locked (immutable until reboot) | sudo auditctl -e 1 |
Practical Examples
#1 Watch password file changes
Track writes and attribute changes to /etc/passwd. Search with: ausearch -k passwd_changes
$ sudo auditctl -w /etc/passwd -p wa -k passwd_changes
#2 Monitor SSH config
Track any modifications to SSH server configuration. Critical for security auditing.
$ sudo auditctl -w /etc/ssh/sshd_config -p wa -k sshd_config
#3 Audit all command executions
Log every command executed on the system. Generates significant volume — use on sensitive servers only.
$ sudo auditctl -a always,exit -F arch=b64 -S execve -k all_commands
#4 Monitor user creation/deletion
Track when users are created or deleted. Essential for compliance.
$ sudo auditctl -a always,exit -F arch=b64 -S execve -F path=/usr/sbin/useradd -k user_management && sudo auditctl -a always,exit -F arch=b64 -S execve -F path=/usr/sbin/userdel -k user_management
#5 Watch sensitive directories
Monitor changes to cron jobs and sudo rules — common targets for privilege escalation.
$ sudo auditctl -w /etc/cron.d/ -p wa -k cron_changes && sudo auditctl -w /etc/sudoers.d/ -p wa -k sudo_changes
#6 Search audit logs
Search audit logs by key name for today's events. Shows who made the change, when, and from where.
$ sudo ausearch -k passwd_changes --start today
#7 Make rules persistent
Export current rules to a file in rules.d. auditctl -l prints rules in the rules-file syntax, and auditd loads the files in this directory at startup.
$ sudo auditctl -l > /etc/audit/rules.d/custom.rules
#8 List current rules
Display all active audit rules.
$ sudo auditctl -l
Tips & Best Practices
Performance impact: Auditing every execve call generates massive log volume. Be selective — watch specific files and critical syscalls. Monitor /var/log/audit/ disk usage.
Use keys for organization: Always set -k (key) on rules. This makes searching with ausearch -k KEY fast and organized. Group related rules with the same key.
Persistent rules: auditctl rules are lost on reboot. Save them to /etc/audit/rules.d/*.rules for persistence. augenrules merges every file in that directory into /etc/audit/audit.rules; run augenrules --load to apply the merged set without restarting auditd.
Use aureport for summaries: aureport provides summary reports: aureport --auth (authentication), aureport --login (logins), aureport --file (file access). Great for daily security reviews.
Frequently Asked Questions
How do I track who changed a file in Linux?
Set a watch: sudo auditctl -w /path/to/file -p wa -k mykey. Then check: sudo ausearch -k mykey — shows the user, process, and timestamp of every modification.
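An added example, not from the page or the audit project, showing what the ausearch -k lookup in this answer (and in example #6 above) recovers from raw records: a POSIX sh function with an awk body that reads /var/log/audit/audit.log-format records from stdin, keeps the SYSCALL record of every event tagged with the requested key, and prints its serial, timestamp, login uid (auid), effective uid, command and executable. The sample records and the function names are the example's own constructions.

```shell
#!/bin/sh
# Added example: answer "who changed the file?" from raw audit records.
# Reads audit.log-format records on stdin and reports the SYSCALL record
# of every event tagged with the key given as $1 (the -k value of the rule).

audit_who_changed() {
  key="$1"
  awk -v key="$key" '
    # Only the SYSCALL record carries auid/uid/comm/exe; the CWD and PATH
    # records of the same event share its serial and are skipped here.
    $1 == "type=SYSCALL" && index($0, "key=\"" key "\"") {
      serial = ""; epoch = ""; auid = ""; uid = ""; comm = ""; exe = ""
      # The timestamp field looks like msg=audit(EPOCH.MS:SERIAL):
      if (match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) {
        stamp = substr($0, RSTART + 10, RLENGTH - 11)
        split(stamp, parts, ":"); epoch = parts[1]; serial = parts[2]
      }
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "auid") auid = kv[2]
        else if (kv[1] == "uid") uid = kv[2]
        else if (kv[1] == "comm") comm = kv[2]
        else if (kv[1] == "exe") exe = kv[2]
      }
      gsub(/"/, "", comm); gsub(/"/, "", exe)
      # auid 4294967295 (-1) means no login session was recorded, e.g. a daemon
      if (auid == "4294967295") auid = "unset"
      printf "serial=%s epoch=%s auid=%s uid=%s comm=%s exe=%s\n",
             serial, epoch, auid, uid, comm, exe
    }'
}

# Constructed sample records (not real logs): a write to /etc/passwd by login
# uid 1000 running vim as root, an edit of sshd_config by a process without a
# login uid, plus the CWD/PATH records that belong to the first event.
sample_audit_log() {
  cat <<'EOF'
type=SYSCALL msg=audit(1710576000.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1234 a2=241 a3=1b6 items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="passwd_changes"
type=CWD msg=audit(1710576000.123:456): cwd="/root"
type=PATH msg=audit(1710576000.123:456): item=1 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1710580000.500:789): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=1 pid=2001 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="sed" exe="/usr/bin/sed" key="sshd_config"
EOF
}

# Usage: sample_audit_log | audit_who_changed passwd_changes
```

The auid is the value to act on: it is the uid of the original login and survives su and sudo, so an auid of 1000 with uid=0 says which person escalated to root before editing the file. The PATH record with the file name is left to ausearch, which joins all records of a serial; this function reads only the SYSCALL record.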
How do I make audit rules persistent?
Write the rules to /etc/audit/rules.d/custom.rules using the same syntax as the auditctl command line but without the leading auditctl, so each line starts with -w or -a. Run augenrules --load to apply them.
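As an added example, not from the page or the audit project, here is the persistent form of the rules used in the Practical Examples above, generated in the rules.d syntax this answer describes (and covering example #7 and the persistence tip) by a POSIX sh function, plus a small awk validator that enforces the ordering a reload depends on. The function names are the example's own, and the buffer size and failure-mode values are example settings, not values from the page.

```shell
#!/bin/sh
# Added example: build and sanity-check /etc/audit/rules.d/custom.rules.
# Same syntax as the auditctl command line, minus the leading "auditctl".
# Order matters: augenrules --load applies the file top to bottom.

gen_audit_rules() {
  cat <<'EOF'
## custom.rules (example settings, adjust to the host)
## 1. Start from an empty rule set so a reload never duplicates rules
-D
## 2. Kernel backlog buffer and failure mode (1 = log a kernel message,
##    2 = panic); example values
-b 8192
-f 1
## 3. File and directory watches: -p r(ead) w(rite) x(ecute) a(ttribute)
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p rwa -k shadow_access
-w /etc/sudoers -p wa -k sudoers_edit
-w /etc/sudoers.d/ -p wa -k sudo_changes
-w /etc/cron.d/ -p wa -k cron_changes
-w /etc/ssh/sshd_config -p wa -k sshd_config
## 4. Syscall rules (add matching -F arch=b32 rules if 32-bit binaries run here)
-a always,exit -F arch=b64 -S execve -F path=/usr/sbin/useradd -k user_management
-a always,exit -F arch=b64 -S execve -F path=/usr/sbin/userdel -k user_management
## 5. Lock the configuration: no further changes until reboot. Must be the
##    last line; leave it out while you are still iterating on the rules.
-e 2
EOF
}

# Reads a rules file on stdin. Reports rules lacking a -k key (they cannot be
# found with ausearch -k), a missing leading -D, and an -e 2 that is not last
# (rules after it would be rejected). Exit status 0 when everything passes.
validate_audit_rules() {
  awk '
    /^#/ || /^$/ { next }
    { n++; lines[n] = $0 }
    /^-[wa] / && !/ -k [A-Za-z0-9_]+/ { bad++; print "missing -k: " $0 }
    END {
      if (lines[1] != "-D") { bad++; print "first rule should be -D" }
      for (i = 1; i < n; i++)
        if (lines[i] == "-e 2") { bad++; print "-e 2 must be the last line" }
      exit (bad > 0)
    }'
}

# Root only: validate, write the file, load it, show what the kernel now holds.
install_audit_rules() {
  gen_audit_rules | validate_audit_rules || return 1
  gen_audit_rules > /etc/audit/rules.d/custom.rules &&
    augenrules --load &&
    auditctl -l
}
```

Usage on a host: run install_audit_rules as root, then confirm with auditctl -s that enabled shows 2. Once -e 2 has been loaded, augenrules --load and auditctl will refuse further rule changes until the next reboot, which is the point of the setting and the reason the validator insists it stays last.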
What is the difference between auditctl and auditd?
auditd is the daemon that collects and writes audit logs. auditctl is the admin tool to configure audit rules. ausearch and aureport are used to query the logs.
How do I monitor all logins?
Run ausearch --message USER_LOGIN --start today, or aureport --login --start today. The audit system records login events automatically via PAM.