AuditD - Basic Commands for the standard Auditing Linux Service Daemon
In this snippet we’re going to cover some practical examples of using auditd tools like ausearch, aureport, and related commands, with a focus on isolating keys, extracting fields, time-based queries, and other useful scenarios:
ausearch Examples
Search by Time Range
# Search logs from the last 24 hours
ausearch --start "2023-10-01 00:00:00" --end "2023-10-02 00:00:00"
# Search logs from the last hour using relative time
ausearch --start "now-1hour" --end "now"
Isolate Specific Fields
# Extract only the "user" and "action" fields
ausearch --format="user,action" --start "now-1day"
# Extract specific fields using --list to see available keys
ausearch --list
Filter by User or Action
# Find all events for user "alice"
ausearch --user "alice"
# Find events with action "open"
ausearch --action "open"
Combine with grep or awk
# Search for "chmod" and extract the "user" field
ausearch --raw | grep "chmod" | awk '{print $2}'
# Search for events with "file" in the message
ausearch | grep "file"
Raw JSON Output
# Get raw JSON data for events
ausearch --raw
# Parse JSON with `jq` (requires jq installed)
ausearch --raw | jq '.[] | .user, .action'
aureport Examples
Generate Reports
# Report on users with audit events
aureport --user
# Report on hosts with audit events
aureport --host
# Report on event types (e.g., file access)
aureport --event
Filter by Time Range
# Report events from the last 7 days
aureport --start "2023-10-01" --end "2023-10-08"
# Report events from the last hour
aureport --start "now-1hour" --end "now"
Extract Specific Fields
# Output only the "host" and "user" fields
aureport --format="host,user"
# Output only the "event" field
aureport --format="event"
Combine with grep
# Find events related to "chmod" in the report
aureport | grep "chmod"
Time-Based Queries with ausearch
# Find events between specific timestamps (YYYY-MM-DD HH:MM:SS)
ausearch --start "2023-10-01 12:00:00" --end "2023-10-01 13:00:00"
# Find events from the last 5 minutes
ausearch --start "now-5min" --end "now"
Other Useful Commands
List All Audit Rules
auditctl -l
Check Audit Daemon Status
systemctl status auditd
Monitor Live Audit Events
ausearch --live
Export Logs to a File
ausearch --start "now-1day" > audit_log.txt
Delete Old Logs
# Delete logs older than 7 days
ausearch --start "2023-09-25" --end "now" --delete
Advanced Tips
- Use
--rawwithjqfor structured JSON parsing:ausearch --raw | jq '.[] | .user, .action' - Combine with
audit2allowto generate SELinux policies:ausearch -k my_rule | audit2allow - Use
auditctlto Add Rules:auditctl -w /etc/passwd -p rwxa
Example: Find All File Access Events for a Specific User
ausearch --user "alice" --start "now-1day" --format="host,user,action,msg"
This outputs:
host=example.com user=alice action=open msg=...
Example: Extract All chmod Actions in the Last Hour
ausearch --start "now-1hour" --format="user,action,msg" | grep "chmod"
Example: Generate a CSV Report of All Events*
aureport --format="host,user,action,timestamp" > audit_report.csv
The audit subsystem in Linux (via auditd) logs detailed events in a structured format. Each audit record contains a variety of fields that can be queried using tools like ausearch or aureport. Below is a comprehensive list of key fields available in a single audit record, along with explanations and examples of how to use them.
Core Fields in an Audit Record
These are the primary fields available in a single audit record (from ausearch --raw or aureport):
| Field | Description | Example |
|---|---|---|
| audit_serial | Unique identifier for the audit record. | 123456 |
| time | Timestamp of the event (in seconds since epoch). | 1696166400 |
| user | User ID (UID) of the user associated with the event. | 1001 |
| auid | Authentication User ID (AUID) for the user. | 1001 |
| session | Session ID (e.g., for login sessions). | 1234 |
| host | Hostname of the system. | example.com |
| pid | Process ID (PID) of the process that triggered the event. | 1234 |
| comm | Command name (e.g., bash, ls). |
bash |
| exe | Full path to the executable (e.g., /bin/bash). |
/bin/bash |
| args | Command-line arguments (if applicable). | "ls -l /tmp" |
| action | Type of action (e.g., open, read, write). |
open |
| msg | Detailed message (nested structure with additional fields). | "msg": {"file": {"path": "/etc/passwd", ...}} |
Nested Fields in the msg Object
The msg field contains nested data about the event. Common nested fields include:
| Nested Field | Description | Example |
|---|---|---|
| file | File-related details (e.g., path, inode, type). | "file": {"path": "/etc/passwd", "inode": "12345", "type": "file"} |
| arch | Architecture (e.g., x86_64). |
"x86_64" |
| res | Result of the operation (e.g., success, failure). |
"success" |
| pid | Process ID (same as pid field). |
1234 |
| auid | Authentication User ID (same as auid field). |
1001 |
| exe | Full path to the executable (same as exe field). |
/bin/bash |
| comm | Command name (same as comm field). |
bash |
| hostname | Hostname (same as host field). |
example.com |
Special Fields for Specific Events
Some fields are only present for specific types of events (e.g., file access, system calls):
| Field | Description | Example |
|---|---|---|
| inode | Inode number of the file. | "inode": "12345" |
| path | Full path to the file or resource. | "/etc/passwd" |
| obj_type | Type of object (e.g., file, directory, socket). |
"file" |
| result | Result of the operation (e.g., success, failure). |
"success" |
| syscall | System call name (e.g., open, read, write). |
"open" |
| name | Name of the file or resource (without path). | "passwd" |
4. How to Use These Fields
Using ausearch to Query Specific Fields
# Search for file access events with "open" action
ausearch --action "open" --format="host,user,action,msg"
Using ausearch --list to See All Available Keys
ausearch --list
This lists all available fields (e.g., audit_serial, time, user, auid, session, host, pid, comm, exe, args, action, msg, etc.).
Extracting Nested Fields
# Extract file paths from events
ausearch --raw | jq '.[] | .msg.file.path'
Filtering by Result
# Find failed file write operations
ausearch --result "failure" --format="host,user,action,msg"
Example: Full Audit Record
A raw audit record might look like this (simplified):
{
"audit_serial": 123456,
"time": 1696166400,
"user": 1001,
"auid": 1001,
"session": 1234,
"host": "example.com",
"pid": 1234,
"comm": "bash",
"exe": "/bin/bash",
"args": "ls -l /tmp",
"action": "open",
"msg": {
"file": {
"path": "/tmp/testfile",
"inode": "789012",
"type": "file"
},
"res": "success"
}
}
Notes
- Field Availability: Not all fields are present in every event. For example,
inodeorpathmay be missing for certain events. - Performance: Querying nested fields (e.g.,
msg.file.path) can be slower than simple fields likeuseroraction. - Tools: Use
ausearch --rawfor raw JSON output oraureportfor structured reports.
These examples should help you efficiently query, analyze, and manage audit logs using auditd tools. A good olid AuditD rules file to start from is maintained on Github by Neo23x0. This is a good starting point that covers a lot of the bases out the gate. If you’re in a Dod Environment, be sure to reference requirements listed in the Applicable STIG for your operating system.