How to Use `auditd` for Auditing System Activity on Debian 12 Bookworm

This article provides a step-by-step guide on how to use auditd for auditing system activity on a Debian 12 Bookworm system.

System auditing is a fundamental aspect of Linux system administration, especially in environments where compliance, security, and accountability are a priority. On Debian 12 Bookworm, the auditd daemon offers a robust and configurable way to track system activity in detail. Whether you’re tracking file access, user actions, or kernel events, auditd gives you a powerful set of tools to monitor and record what’s happening under the hood of your system.

In this article, we’ll walk through the complete process of installing, configuring, and using auditd on Debian 12 Bookworm, exploring its features and showing practical examples along the way.


What is auditd?

auditd is the user-space component of the Linux Auditing System. It listens for audit events generated by the Linux kernel and logs them to disk for review and analysis. The audit system can log everything from failed logins to changes in file permissions or modifications to sensitive configuration files.

Some typical use cases include:

  • Monitoring user activity
  • Tracking access to sensitive files
  • Investigating suspicious behavior
  • Ensuring compliance with standards such as PCI-DSS or HIPAA

The audit system is governed by a set of rules that determine which events are logged, offering high granularity and flexibility.


Step 1: Installing auditd on Debian 12

To get started, install the auditd package, which provides the daemon together with its tools: auditctl (loads rules into the kernel), ausearch and aureport (query the log) and augenrules (merges rule files). The audispd-plugins package adds the event-forwarding plugins, such as au-remote, used in Step 6.

sudo apt update
sudo apt install auditd audispd-plugins

Once installed, the audit daemon starts automatically. You can check its status with:

sudo systemctl status auditd

You should see output indicating that auditd is active and running.


Step 2: Basic Configuration of auditd

The main configuration file for auditd is /etc/audit/auditd.conf. It controls how the daemon itself behaves: where it writes, how much disk it may use and what it does when space runs out. It does not decide what is audited; that is the job of the rules in Step 3.

Here are some important options:

  • log_file = /var/log/audit/audit.log: the main log file.
  • log_format = RAW: can be RAW or ENRICHED. RAW writes records exactly as the kernel sends them; ENRICHED appends resolved names (user, group, syscall, architecture) so the log stays readable after it has been copied to another host where the IDs differ.
  • max_log_file = 8: maximum size of a single log file in MB.
  • max_log_file_action = ROTATE: what to do when that size is reached (ROTATE, KEEP_LOGS, SYSLOG, SUSPEND or IGNORE). KEEP_LOGS never discards old files, which suits compliance requirements but needs external housekeeping.
  • num_logs = 5: how many rotated logs to keep with ROTATE.
  • space_left_action = SYSLOG: what to do when free space on the log partition drops below space_left (in MB).
  • admin_space_left_action = SUSPEND: what to do when it drops below admin_space_left. SUSPEND stops writing to disk, so events are lost quietly; where loss of audit data must not go unnoticed, SINGLE or HALT are the usual alternatives.

Changes to this file take effect only after the daemon re-reads it, so restart it:

sudo systemctl restart auditd

Afterwards, sudo auditctl -s prints the kernel-side state (enabled, backlog limit, lost events), which is a quick check that the daemon and the kernel agree.

Step 3: Writing Audit Rules

Audit rules define which events are logged. They live in the kernel, not in auditd: you can load them dynamically with auditctl, in which case they are gone after the next restart, or you can place them in files under /etc/audit/rules.d/ (the default file is /etc/audit/rules.d/audit.rules), which augenrules merges into /etc/audit/audit.rules and loads each time auditd starts.

Example 1: Audit All Access to /etc/passwd

sudo auditctl -w /etc/passwd -p rwxa -k passwd_monitor

Explanation:

  • -w sets a watch on the path.
  • -p rwxa audits read, write, execute and attribute changes. Be aware that r on /etc/passwd is very noisy: every process that resolves a user name reads this file, so most rule sets watch it with -p wa instead.
  • -k passwd_monitor is a key that identifies the rule in the logs (and in ausearch -k).

To make the rule persistent, put it in a file such as /etc/audit/rules.d/file_watches.rules as a single line of auditctl arguments, without the leading sudo auditctl, then run sudo augenrules --load and confirm it with sudo auditctl -l.

Example 2: Audit All Commands Run by Users

sudo auditctl -a always,exit -F arch=b64 -S execve -k user_cmd

This rule audits every execve() syscall (the one used to run programs) issued through the 64-bit syscall table, no matter who issued it. The -F arch=b64 filter must come before -S so that auditctl resolves the syscall name for that architecture. Because the rule fires for every process on the system, it is usually narrowed to interactive users with -F auid>=1000 -F auid!=unset (auid is the login UID, which stays "unset" for daemons started at boot).

A 64-bit kernel also runs 32-bit binaries, and those use a different syscall table, so on an x86_64 system add the 32-bit counterpart as well or a 32-bit program would go unlogged:

sudo auditctl -a always,exit -F arch=b32 -S execve -k user_cmd
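Putting the two rules together as a persistent fragment, here is an added example that is not part of the original article: a shell script that writes a rules.d fragment and lints it for mistakes that auditctl rejects or that make a rule useless, before it is loaded with augenrules. The fragment name 50-examples.rules, the narrowing to login UIDs and the closing immutable flag are assumptions layered on the article's rules; the script only writes to a temporary directory, so it runs without root and without auditd installed.

```shell
#!/bin/sh
# Added example, not from the original article. Writes the article's two
# rules as a persistent rules.d fragment and lints it before it is loaded.
# Assumed fragment name: 50-examples.rules (any *.rules name is picked up).

# write_rules_file DEST
# Lines hold only auditctl arguments. augenrules concatenates every
# /etc/audit/rules.d/*.rules into /etc/audit/audit.rules and feeds that to
# auditctl -R, so a leading "sudo auditctl" would be rejected as a bad rule.
write_rules_file() {
    cat >"$1" <<'EOF'
## Drop the rules currently loaded and enlarge the kernel backlog (default 64).
-D
-b 8192
## Writes and attribute changes to /etc/passwd. Reads are left out on purpose:
## every user-name lookup reads this file and would flood the log.
-w /etc/passwd -p wa -k passwd_monitor
## Program execution by logged-in users. auid is the login UID set by PAM;
## daemons started at boot have auid "unset" (4294967295) and are excluded.
## -F arch= must come before -S so the syscall names resolve for that arch.
-a always,exit -F arch=b64 -S execve,execveat -F auid>=1000 -F auid!=unset -k user_cmd
-a always,exit -F arch=b32 -S execve,execveat -F auid>=1000 -F auid!=unset -k user_cmd
## Immutable mode: once loaded, rules cannot change until reboot. Keep it last.
-e 2
EOF
}

# lint_rules_file FILE
# Returns 0 when every rule passes, 1 otherwise, printing one line per
# problem. The checks cover mistakes auditctl rejects or silently mishandles:
#  - a syscall rule must carry -F arch= before its -S list;
#  - watches and syscall rules should have a -k key so ausearch -k finds them;
#  - nothing may follow "-e 2", because it is never loaded.
lint_rules_file() {
    file=$1 status=0 lineno=0 immutable=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;
        esac
        if [ "$immutable" -eq 1 ]; then
            echo "$file:$lineno: rule after -e 2 is never loaded"
            status=1
        fi
        case $line in
            '-e 2')
                immutable=1 ;;
            "-a "*|"-A "*|"-w "*)
                case $line in
                    *" -S "*)
                        # Text before the first -S must already name the arch.
                        case ${line%%-S*} in
                            *"-F arch="*) ;;
                            *) echo "$file:$lineno: -F arch= must precede -S"
                               status=1 ;;
                        esac ;;
                esac
                case $line in
                    *" -k "*) ;;
                    *) echo "$file:$lineno: no -k key; ausearch -k cannot find it"
                       status=1 ;;
                esac ;;
        esac
    done <"$file"
    return "$status"
}

# Demonstration: write and lint the fragment in a scratch directory. Installing
# it for real needs root:  install -m 0640 FILE /etc/audit/rules.d/50-examples.rules
# followed by  augenrules --load  and a look at  auditctl -l  and  auditctl -s.
tmp=$(mktemp -d)
write_rules_file "$tmp/50-examples.rules"
if lint_rules_file "$tmp/50-examples.rules"; then
    echo "lint passed: $tmp/50-examples.rules"
fi
```

Once a fragment ending in -e 2 has been loaded, sudo auditctl -s reports enabled 2 and every further auditctl call fails until the machine is rebooted, so run the lint (and read the merged /etc/audit/audit.rules) before that line goes live.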

Step 4: Using ausearch to Analyze Logs

Once auditd is running and collecting logs, you’ll want to review them using ausearch.

Example: Search for all events tagged with a specific key

sudo ausearch -k passwd_monitor

Add -i to have numeric values interpreted: UIDs become names, syscall numbers become names, and hex-encoded fields such as proctitle are decoded to text.

Example: Search by User ID

sudo ausearch -ua 1000

-ua matches the UID in any of the auid, uid and euid fields of a record. To search only by login UID (who actually logged in, even if they later ran sudo) use -ul; to match the process UID alone use -ui.

Example: Search by Date Range

sudo ausearch -ts 04/07/2025 08:00:00 -te 04/07/2025 12:00:00

The date format follows the system locale (here month/day/year). ausearch also accepts the keywords today, yesterday, recent (the last ten minutes) and boot in place of a date and time.

These queries help you sift through large volumes of log data effectively.
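To show what ausearch is doing for you, here is an added example that is not part of the original article and works directly on the raw record format: it parses a constructed audit.log excerpt containing two events, one per rule from Step 3, extracts fields by name, ties records together through the serial in msg=audit(time:serial), and decodes the hex-encoded PROCTITLE record the way ausearch -i does. The log lines are made up for the example and trimmed of the a0-a3 argument fields; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original article: parse raw auditd records
# without ausearch. The sample log below is constructed for illustration.

# write_sample_log DEST
# Two events: serial 1001 is an execve of "cat /etc/passwd" by a logged-in
# user (key user_cmd); serial 1002 is that user, now root via sudo, opening
# /etc/passwd in vim (key passwd_monitor). Records of one event share a serial.
write_sample_log() {
    cat >"$1" <<'EOF'
type=SYSCALL msg=audit(1743912000.123:1001): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1402 pid=1503 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined key="user_cmd"
type=EXECVE msg=audit(1743912000.123:1001): argc=2 a0="cat" a1="/etc/passwd"
type=PROCTITLE msg=audit(1743912000.123:1001): proctitle=636174002F6574632F706173737764
type=SYSCALL msg=audit(1743912005.456:1002): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1600 pid=1612 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="passwd_monitor"
type=PATH msg=audit(1743912005.456:1002): item=0 name="/etc/passwd" inode=131450 dev=fe:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1743912005.456:1002): proctitle=76696D002F6574632F706173737764
EOF
}

# field_of RECORD NAME
# Prints the value of NAME=value from one record, quotes stripped. Names share
# suffixes (uid, auid, euid), so the match is anchored at the field start.
field_of() {
    printf '%s\n' "$1" | awk -v name="$2" '{
        for (i = 1; i <= NF; i++) {
            if (index($i, name "=") == 1) {
                v = substr($i, length(name) + 2)
                gsub(/"/, "", v)
                print v
                exit
            }
        }
    }'
}

# event_serial RECORD
# The serial after the colon in msg=audit(seconds.millis:serial) is what
# links the SYSCALL, EXECVE, PATH and PROCTITLE records of one event.
event_serial() {
    printf '%s\n' "$1" | sed -n 's/.*msg=audit([0-9.]*:\([0-9]*\)).*/\1/p'
}

# decode_hex HEX
# PROCTITLE (and any field containing awkward characters) is hex-encoded.
# Decode it byte by byte; the NUL separators between argv entries become
# spaces, which is how ausearch -i renders them too.
decode_hex() {
    hex=$1
    out=''
    while [ "${#hex}" -ge 2 ]; do
        pair=${hex%"${hex#??}"}
        hex=${hex#??}
        if [ "$pair" = "00" ]; then
            out="$out "
        else
            out="$out$(printf "\\$(printf '%03o' "0x$pair")")"
        fi
    done
    printf '%s\n' "$out"
}

# events_with_key LOG KEY
# One line per SYSCALL record carrying KEY: serial, login UID and binary.
events_with_key() {
    grep "^type=SYSCALL .* key=\"$2\"" "$1" | while IFS= read -r rec; do
        printf '%s auid=%s exe=%s\n' "$(event_serial "$rec")" \
            "$(field_of "$rec" auid)" "$(field_of "$rec" exe)"
    done
}

# proctitle_of LOG SERIAL
# Decoded command line of the event with SERIAL; fails if there is none.
proctitle_of() {
    rec=$(grep "^type=PROCTITLE msg=audit([0-9.]*:$2):" "$1" || true)
    [ -n "$rec" ] || return 1
    decode_hex "$(field_of "$rec" proctitle)"
}

sample=$(mktemp)
write_sample_log "$sample"
echo "program executions (key user_cmd):"
events_with_key "$sample" user_cmd
echo "command line of event 1001: $(proctitle_of "$sample" 1001)"
echo "access to /etc/passwd (key passwd_monitor):"
events_with_key "$sample" passwd_monitor
rm -f "$sample"
```

The second event is the one worth noticing: uid=0 says root touched /etc/passwd, but auid=1000 says which login session did it, which is why filtering on the login UID (ausearch -ul, or -F auid in rules) survives sudo while filtering on uid does not. With log_format = ENRICHED each line additionally carries resolved names after a 0x1d separator; the functions above only read the RAW part that precedes it.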


Step 5: Reporting with aureport

For summary reports, aureport provides a high-level overview of audit data.

Show a summary report of all events

sudo aureport

Show login events

sudo aureport -l

Show file access events

sudo aureport -f

These reports are especially useful for system administrators doing periodic reviews. Every report accepts -i to interpret numeric IDs, --summary to collapse the output to counts per item, and the same -ts/-te time window as ausearch.


Step 6: Forwarding Events with auditd Plugins

Since audit 3.0, the version shipped in Debian 12, there is no separate audispd daemon: auditd itself dispatches events to the plugins configured under /etc/audit/plugins.d/ (older guides still point at /etc/audisp/, which no longer exists). One of those plugins, audisp-remote from the audispd-plugins package, forwards events to another auditd instance, from which a SIEM (Security Information and Event Management) system can collect them.

To enable it, edit the plugin configuration:

sudo nano /etc/audit/plugins.d/au-remote.conf

Set:

active = yes

Then configure /etc/audit/audisp-remote.conf with the remote host details:

remote_server = 192.168.1.100
port = 60

Here 192.168.1.100 stands for the collecting host, which must itself run auditd with tcp_listen_port = 60 in its auditd.conf. By default the transport is plain TCP with neither encryption nor mutual authentication; audisp-remote can protect the stream with Kerberos (enable_krb5 = yes plus the krb5_* settings), otherwise keep the traffic on a trusted network segment or inside a tunnel.

Restart the daemon:

sudo systemctl restart auditd

Step 7: Setting auditd to Start on Boot

auditd is enabled by default on Debian, but to make sure it starts on boot:

sudo systemctl enable auditd

Two kernel parameters complete the picture. audit=1 switches auditing on from the first moment of boot, so processes started before auditd, including systemd's early children, get an audit context and events raised before the daemon is up are queued rather than dropped; without it, those processes are never seen. audit_backlog_limit sets the size of that queue; the kernel default of 64 events is easily overrun on a busy system, and 8192 is the value most hardening baselines use.

Edit the GRUB configuration:

sudo nano /etc/default/grub

Append audit=1 audit_backlog_limit=8192 to the GRUB_CMDLINE_LINUX line (which, unlike GRUB_CMDLINE_LINUX_DEFAULT, also applies to recovery-mode boots):

GRUB_CMDLINE_LINUX="audit=1 audit_backlog_limit=8192"

Update GRUB:

sudo update-grub

Then reboot the system. Note that neither parameter protects the configuration from tampering. That is done by making the rules immutable: a final -e 2 line in your rules makes the kernel refuse every further rule change until the next reboot, which also means every rule edit from then on requires a reboot.


Step 8: Best Practices

To use auditd effectively and responsibly, keep the following best practices in mind:

  1. Avoid Overlogging: Be selective about what you audit. Auditing everything (reads of busy files, every syscall) hurts performance, fills the disk and buries the events you actually care about.
  2. Monitor Storage Usage: Keep an eye on /var/log/audit/, and set space_left_action and admin_space_left_action so that running out of space is noticed rather than silently swallowed.
  3. Review Regularly: Automate daily or weekly checks using cron and aureport, and look at auditctl -s for a non-zero lost counter, which means the kernel backlog overflowed and events were dropped.
  4. Secure Log Files: Ensure that /var/log/audit is readable only by root (or the group named in log_group), and ship a copy off the host, since an attacker with root can edit the local log.
  5. Backup Important Logs: Rotate and archive audit logs periodically to maintain a historical record.

Conclusion

Auditing with auditd on Debian 12 Bookworm gives you deep visibility into the inner workings of your system. From file access and user activity to system calls and policy violations, auditd is an indispensable tool for anyone managing secure or sensitive Linux environments.

By combining dynamic rules, thorough log analysis tools, and reporting utilities, you can maintain both oversight and accountability over your Debian systems. And with proper configuration, integration, and discipline, auditd becomes more than just a monitoring tool—it becomes a cornerstone of your system security posture.

Whether you’re securing a server farm, meeting compliance standards, or simply learning how Linux works under the hood, mastering auditd is a significant step forward.