
auditctl Command in Linux
auditctl is a command-line tool that is used in Linux to manage the auditing system. With this command, you can track and log various activities on your system, such as file access, modifications, and user actions.
Using auditctl, you can set up rules to monitor specific files or directories, check the current rules and view the audit logs. If you want to enhance your system security and understand what changes are happening on your system, you will need auditctl.
Here is a comprehensive guide to the options available with the auditctl command in Linux −
Syntax of auditctl Command
The basic syntax to use auditctl command in Linux is given below −
auditctl [options]
Where,
- auditctl is used to invoke the command.
- options are additional flags you can utilize to modify the command's behavior.
auditctl Command Options
The auditctl command offers a number of options that change its behavior according to specific needs. A few of them are described in the table below −
Option | Description |
---|---|
-a <list> <action> | Adds a rule to a specific list (e.g., exit, task). |
-A <list> <action> | Appends a rule to a specific list. |
-b <back_log> | Sets the maximum number of outstanding audit buffers. |
-c | Clears the audit log. |
-C f=f | Compares collected fields once available. |
-d <list> <action> | Deletes a rule from a specific list. |
-D | Deletes all existing audit rules. |
-e [0..2] | Enables or disables auditing. 0 disables, 1 enables, and 2 locks the audit configuration. |
-f [0..2] | Sets the failure mode. 0 is silent, 1 prints a message, and 2 causes a panic. |
-i | Ignores errors when reading rules from a file. |
-k <key> | Sets a filter key on an audit rule. The key is an arbitrary string that can be used to identify audit records. |
-l | Lists all current audit rules. |
-r <rate> | Sets the rate limit for audit messages. |
-R <file> | Reads audit rules from a specified file. |
-s | Displays the status of the audit system. |
-S <syscall> | Adds a rule to audit a specific system call. |
-t | Sets the audit system's clock to the current time. |
-w <path> | Adds a watch on a file or directory. |
-W <path> | Removes a watch on a file or directory. |
Examples of auditctl Command in Linux
Let's discuss a few examples of auditctl commands on Linux systems. These will help you get started with the command.
- Monitoring a File for Changes
- Monitoring a Directory for Executions
- Listing All Audit Rules
- Checking the Status of the Audit System
- Deleting All Audit Rules
Monitoring a File for Changes
One of the basic uses of auditctl is to monitor a file for changes, which is useful for tracking critical system files. To set up a watch on a file, you can use the -w option followed by the file path, and the -p option for permissions. For example −
sudo auditctl -w /etc/passwd -p wa -k passwd_changes
The above command will monitor the /etc/passwd file for write (w) and attribute changes (a), and assign the key passwd_changes for easy identification in the logs.

Monitoring a Directory for Executions
You can also monitor a directory for file executions, which is helpful for tracking executable files in critical directories. To set up a watch on a directory, use the -w option with the directory path and the -p option for permissions. For example −
sudo auditctl -w /usr/bin -p x -k bin_exec
This command will monitor the /usr/bin directory for executions (x) and assign the key bin_exec for easy identification in the logs.
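The keys set with -k above (passwd_changes and bin_exec) are what let you pull the matching events back out of the audit log, where each event is spread over several records sharing one msg=audit(timestamp:serial) value. As an added example that is not part of the original tutorial, this Python script groups constructed audit records by serial and reports, for a given key, the login user (auid), effective uid, program and paths involved; the sample records are made up and the chosen output fields are my own selection.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not captured from a real system): a root
# edit of /etc/passwd matched by -k passwd_changes and an execve matched by -k bin_exec.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=4101 pid=4102 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="passwd_changes"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/" inode=2 dev=fd:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1700000000.101:201): item=1 name="/etc/passwd" inode=1310 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.205:202): arch=c000003e syscall=59 success=yes exit=0 items=1 ppid=4102 pid=4110 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="bin_exec"
type=EXECVE msg=audit(1700000000.205:202): argc=2 a0="ls" a1="-l"
type=PATH msg=audit(1700000000.205:202): item=0 name="/usr/bin/ls" inode=7001 dev=fd:01 mode=0100755 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.300:203): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=4101 pid=4120 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1700000000.300:203): item=0 name="/etc/hostname" inode=1402 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

# key=value pairs; quoted values may contain spaces, bare values may not.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')

def parse_record(line):
    """Parse one audit record into a dict; the event serial links its records."""
    m = SERIAL_RE.search(line)
    if not m:
        return None
    fields = {"_serial": int(m.group(1))}
    for k, v in KV_RE.findall(line):
        fields[k] = v[1:-1] if v.startswith('"') else v
    return fields

def events_for_key(lines, key):
    """Return the events whose SYSCALL record carries the given -k key."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line.strip())
        if rec:
            events[rec["_serial"]].append(rec)
    hits = []
    for serial, recs in sorted(events.items()):
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc is None or sc.get("key") != key:
            continue
        # Skip PARENT entries so only the objects actually touched are listed.
        paths = [r["name"] for r in recs
                 if r.get("type") == "PATH" and r.get("nametype") != "PARENT"]
        hits.append({"serial": serial, "auid": sc.get("auid"), "uid": sc.get("uid"),
                     "comm": sc.get("comm"), "exe": sc.get("exe"),
                     "success": sc.get("success"), "paths": paths})
    return hits
```

Note that auid (the login user) stays 1000 even though the /etc/passwd edit ran with uid 0, which is how the audit trail attributes privileged changes made via sudo back to the person who logged in.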

Listing All Audit Rules
You can list all the currently loaded audit rules to review what is being monitored, which helps with auditing and troubleshooting. To do this, use the -l option with the auditctl command. For example −
sudo auditctl -l
This command will display all the audit rules currently loaded in the system.

Checking the Status of the Audit System
To check the status of the audit system, including the number of rules loaded and the current audit backlog, use the -s option with the command. For example −
sudo auditctl -s
Once you run the command, it will display the status of the audit system, including the number of rules loaded and the current audit backlog.

Deleting All Audit Rules
In case you want to delete all audit rules and reset the audit configuration, you can simply use the -D option with the command. For example −
sudo auditctl -D
The above command will remove all the audit rules currently loaded in the system.

That's how you can use the auditctl command on Linux systems.
Conclusion
auditctl is an essential command-line tool for managing the auditing system on Linux. With the help of this command, you can track and log various system activities.
In this tutorial, we covered the syntax, options and practical examples of using auditctl. These are crucial for enhancing system security and monitoring changes. By mastering this command, you can ensure a more secure and well-audited Linux environment.