How to Define Audit File System Rules in RHEL/CentOS/Rocky Linux


In this tutorial, we will see how to define audit File System Rules in RHEL/CentOS/Rocky Linux. By this time you must have understood that Audit system operates on a set of rules that define what it is to be captured in the log. There are three types of audit rules - Control Rules, File System Rules and System Call Rules. Till now we have seen how to define Audit Control rules. Now it is time to see about second type of audit rule which is File System Rules. Here we will see how to define Audit file system rules with the help of detailed examples. More on RHEL documentation.



Please note that I am using the root user to run all the commands below. Any user with sudo access can run them as well. For more information, see Step by Step: How to Add User to Sudoers.

All the rules we write follow the syntax below when they are defined through the auditctl utility. You also have the option to define the rules in the audit.rules file; in that case, simply drop the leading auditctl from the syntax. This is clarified further as we move on.

auditctl -w <file_path> -p <permissions> -k <key_name>

file_path   -> file or directory to be audited

permissions -> r (read), w (write), x (execute), a (attribute change)

key_name    -> any custom keyword (optional)


1. File system rules

a) To audit the /etc/hosts file for any write access or attribute change, add the rule below. An entry is written to the audit log whenever this rule matches. We have also added a custom key to make searching the audit.log file easy.


-w /etc/hosts -p wa -k host_file_changed

b) To audit all the files inside /etc/audit/ directory for any write, read access or any attribute changes to it, add below rule:-

-w /etc/audit/ -p war -k audit_dir_changed

c) To audit execution of the /sbin/insmod command, which is used to load kernel modules into the running kernel, add the rule below:-

-w /sbin/insmod -p x -k module_updated


2. Working Demonstration of Rules Added

We will add the above rules to the audit.rules file to make them persistent.

[root@cyberithub ~]# cd /etc/audit/rules.d/
[root@cyberithub rules.d]# vi audit.rules
[root@cyberithub rules.d]# cat audit.rules
## First rule - delete all
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## Set failure mode to syslog
-f 1

-w /etc/hosts -p wa -k host_file_changed
-w /etc/audit/ -p wa -k audit_dir_changed
-w /sbin/insmod -p x -k module_updated

As you can see, we have added the rules. Next, restart the auditd service so that the persistent rules are loaded.

[root@cyberithub rules.d]# service auditd restart
Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service

Next, we will validate that our rules are working by making changes to the files we have added for auditing. Edit the /etc/hosts file to add a dummy IP so that the change gets captured in the audit.log file.

[root@cyberithub rules.d]# cat /etc/hosts
  localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
  Destination

Check the audit log now. If you are not sure where the audit log is written, check the auditd.conf file, where the log_file setting holds the default log path.

[root@cyberithub audit]# pwd
[root@cyberithub audit]# ll
total 20
-rw-r-----. 1 root root  805 Aug  8  2019 auditd.conf
-rw-r-----. 1 root root  203 Jan 24 21:00 audit.rules
-rw-r-----. 1 root root   81 Jan 24 21:00 audit.rules.prev
-rw-r-----. 1 root root  127 Aug  8  2019 audit-stop.rules
drwxr-x---. 2 root root 4096 Jan 24 20:54 rules.d
[root@cyberithub audit]# grep log auditd.conf
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE

Grep for the custom key that we added to the rule; this is what makes searching the generated audit log file easy.

[root@cyberithub audit]# grep -ri "host_file_changed" /var/log/audit/audit.log
type=CONFIG_CHANGE msg=audit(1643038201.729:81615): auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 op=add_rule key="host_file_changed" list=4 res=1
type=CONFIG_CHANGE msg=audit(1643038788.852:82013): auid=1001 ses=46 op=updated_rules path="/etc/hosts" key="host_file_changed" list=4 res=1
type=SYSCALL msg=audit(1643038788.852:82014): arch=c000003e syscall=82 success=yes exit=0 a0=2523740 a1=253d520 a2=fffffffffffffe80 a3=7ffe53f6e520 items=4 ppid=16513 pid=19742 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=46 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="host_file_changed"
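
Raw audit records are hard to read with grep alone, so here is an added example (not part of the original tutorial) of a small shell function that turns every record carrying a given key into one readable line, showing the record type, timestamp, login user (auid), effective uid, program and syscall. The sample input is the three records shown above plus one constructed record with a different key, embedded so the script runs offline; on a live system you would feed it /var/log/audit/audit.log, or use ausearch -k <key>, which does this natively.

```shell
#!/bin/sh
# Summarise audit.log records carrying a given key, one line per record.
# SAMPLE_LOG is constructed input: the three records from this page plus
# one extra record under another key, so filtering can be demonstrated.
SAMPLE_LOG='type=CONFIG_CHANGE msg=audit(1643038201.729:81615): auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 op=add_rule key="host_file_changed" list=4 res=1
type=CONFIG_CHANGE msg=audit(1643038788.852:82013): auid=1001 ses=46 op=updated_rules path="/etc/hosts" key="host_file_changed" list=4 res=1
type=SYSCALL msg=audit(1643038788.852:82014): arch=c000003e syscall=82 success=yes exit=0 a0=2523740 a1=253d520 a2=fffffffffffffe80 a3=7ffe53f6e520 items=4 ppid=16513 pid=19742 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=46 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="host_file_changed"
type=SYSCALL msg=audit(1643038900.100:82020): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=2000 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts2 ses=47 comm="cat" exe="/usr/bin/cat" key="other_key"'

# audit_summary LOG_TEXT KEY
# Prints "TYPE ts=... auid=... uid=... comm=... exe=... syscall=... op=..."
# for each record whose key=... field equals KEY. Missing fields print as "-".
audit_summary() {
    printf '%s\n' "$1" | awk -v want="$2" '
    # Look up a parsed field, or "-" when the record does not carry it.
    function g(k) { return (k in f) ? f[k] : "-" }
    {
        split("", f)                      # reset the per-record field map
        for (i = 1; i <= NF; i++) {       # every token is name=value
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1)
            v = substr($i, n + 1)
            gsub(/"/, "", v)              # drop quotes around key="..." etc.
            f[k] = v
        }
        if (g("key") != want) next        # keep only records for our key
        # msg=audit(EPOCH.MS:SERIAL): -> keep just the epoch timestamp
        ts = g("msg")
        sub(/^audit\(/, "", ts); sub(/:.*/, "", ts)
        # auid 4294967295 is the kernel "unset" value: no login session,
        # e.g. the rule loaded by the auditd service itself at startup.
        who = (g("auid") == "4294967295") ? "unset" : g("auid")
        printf "%s ts=%s auid=%s uid=%s comm=%s exe=%s syscall=%s op=%s\n",
            g("type"), ts, who, g("uid"), g("comm"), g("exe"), g("syscall"), g("op")
    }'
}

# Usage on the embedded sample: the rule-load event, the rule update and
# the vi write to /etc/hosts by auid 1001 running as root (uid=0).
audit_summary "$SAMPLE_LOG" host_file_changed
```

The auid column is the one to trust for attribution: uid=0 only says the edit ran as root, while auid=1001 names the account that actually logged in and escalated.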

Similarly, any number of rules can be added to the audit system according to our requirements.


3. Additional Information

For beginners, it can be confusing which file the rules should be added to. Let's look at the audit file tree first.

[root@cyberithub ~]# cd /etc/audit/

When we list the files/folder inside audit directory, we will notice an audit.rules file.

[root@cyberithub audit]# ll
total 8
-rw-r-----. 1 root root  122 Jan 23 10:37 audit.rules
drwxr-x---. 2 root root 4096 Jan 23 10:45 rules.d

When we switch further into the rules.d directory, there is a file with the same name, audit.rules. So the question is: where exactly do we add the audit rules?

The answer is that we add the rules to the audit.rules file inside the rules.d directory. Once we add the rules and reboot the server or restart the auditd service, the audit.rules file inside the audit directory is generated automatically (if not already present) and the same rules are replicated there.

[root@cyberithub audit]# cd rules.d/
[root@cyberithub rules.d]# ll
total 4
-rw-------. 1 root root 203 Jan 23 10:35 audit.rules
