• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer navigation

The Geek Diary

  • OS
    • Linux
    • CentOS/RHEL
    • VCS
  • Interview Questions
  • Database
    • MariaDB
  • DevOps
    • Docker
    • Shell Scripting
  • Big Data
    • Hadoop
    • Cloudera
    • Hortonworks HDP

Audit rules for monitoring Copy, move, delete and kill Commands In Linux

by admin

System auditing with auditd

System auditing is a very important task that should be a part of every server. It allows us to audit minute details related to what exactly is happening within the system. auditd is a userspace component to the Linux auditing system. This means that system users will be able to run auditd to configure rules and alerts for auditing functionality with the Linux system.

One of the best things about auditd is that it is tightly integrated with the kernel, so it gives us the power to monitor almost everything we want, really. In order to allow users to see what is going on, auditd can record all the audit-related events to a disk and we can use various tools such as ausearch or aureport to go through the log files.

By default, there are no rules that are configured. We need to write our rules in the /etc/audit/audit.rules configuration file that will be read and the corresponding audit actions will be applied.

Installing Auditd

Now that we somewhat understand what auditd is about, let’s go ahead and get working with auditd with the preceding use case:

1. Install the auditd packages. The auditd packages are a part of the default installation CentOS 7 systems. We can verify it with the following command:

# rpm -qa | grep audit
audit-libs-2.6.5-3.el7_3.1.x86_64
audit-2.6.5-3.el7_3.1.x86_64
audit-libs-python-2.6.5-3.el7_3.1.x86_64

2. If the package is not a part of our system, we can go ahead and install it:

# yum install audit

3. Make sure that the audit daemon is running. We will use the following command:

# systemctl status auditd
 auditd.service - Security Auditing Service
    Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled;
 vendor preset: enabled)
    Active: active (running) since Wed 2018-10-24 04:33:48 UTC; 4min
 21s ago
    Docs: man:auditd(8)
          https://people.redhat.com/sgrubb/audit/
    Process: 425 ExecStartPost=/sbin/augenrules --load (code=exited,
  status=0/SUCCESS)
 Main PID: 424 (auditd)
     CGroup: /system.slice/auditd.service
            └─424 /sbin/auditd -n

Since we have an audit daemon up and running, lets see how we can use auditd to achieve all 4 of the use cases.

Auditd Rules for Copy, move, delete and kill Commands

1. Take a backup of the existing configuration file (auditd rules):

# cp /etc/audit/audit.rules /etc/audit/audit.rules.bkp

2. Edit the file /etc/audit/audit.rules and append the following rules to make it persistent:

# vi /etc/audit/audit.rules
# Audit Copy, Move, Delete & Create file commands
-a exit,always -F arch=b64 -S execve -F path=/bin/cp -k Copy
-a exit,always -F arch=b64 -S execve -F path=/bin/mv -k Move_Rename
-a exit,always -F arch=b64 -S execve -F path=/bin/rm -k Delete
-a exit,always -F arch=b64 -S execve -F path=/bin/vi -k Create_Edit_View_File

# Audit shutdown & Reboot command
-a exit,always -F arch=b64 -S execve -F path=/sbin/reboot -k Reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/init -k Reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/poweroff -k Reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/shutdown -k Reboot

# Audit mount unmount commands
-a exit,always -F arch=b64 -S execve -F path=/bin/mount -k mount_device
-a exit,always -F arch=b64 -S execve -F path=/bin/umount -k unmount_device

# Kill Process
-a exit,always -F arch=b64 -S kill -k Kill_Process

3. Restart the auditd service to apply the changes.

# service auditd restart

4. List the added rules, to verify these are correct:

# auditctl -l
Note: bash (and many other shells) has a built-in “kill” command which doesn’t actually run /usr/bin/kill. So if the built-in command is run instead, comm=bash is correct. There is no way to force the system to use the /usr/bin/kill external program. comm=kill is not going to happen in all cases, because shells can call the syscall directly without running the external program named “kill”

Filed Under: Linux

Some more articles you might also be interested in …

  1. grap Command Examples
  2. “aws rds” Command Examples
  3. flarectl: Official CLI for Cloudflare
  4. “az feedback”: Send feedback to the Azure CLI Team
  5. gh secret set: Create or update GitHub secrets from the command line
  6. fprintd-enroll Command Examples in Linux
  7. ipcrm Command Examples in Linux
  8. id3tag Command Examples
  9. CentOS / RHEL : How to find RPM installation date and time
  10. rdesktop: command not found

You May Also Like

Primary Sidebar

Recent Posts

  • Vanilla OS 2 Released: A New Era for Linux Enthusiasts
  • mk Command Examples
  • mixxx Command Examples
  • mix Command Examples

© 2025 · The Geek Diary

  • Archives
  • Contact Us
  • Copyright