The Linux Audit system (auditd) provides a comprehensive security logging framework that records system calls, file accesses, and user actions at the kernel level. On RHEL 8, auditd is installed and enabled by default, making it a foundational component of any security compliance strategy. Whether meeting requirements for PCI-DSS, HIPAA, or internal policy, audit rules give administrators precise, tamper-evident records of who did what on a system. This tutorial walks through configuring auditd, writing meaningful audit rules, and analyzing the resulting log data.
Prerequisites
- A RHEL 8 system with root or sudo access
- auditd installed and running (default on RHEL 8)
- Basic familiarity with the Linux filesystem and system calls
Step 1 — Verifying auditd Status and Configuration File
Confirm that auditd is active and review the main configuration file before making any changes.
# Verify auditd is running
systemctl status auditd
# Ensure it is enabled to start at boot
systemctl enable auditd
# View the main configuration file
cat /etc/audit/auditd.conf
# Key settings to review:
# log_file = /var/log/audit/audit.log
# max_log_file = 8 (MB per log file)
# max_log_file_action = ROTATE
# num_logs = 5 (number of rotated logs to keep)
# space_left_action = SYSLOG
The defaults are appropriate for most environments; increase max_log_file and num_logs on systems with high audit volume.
Step 2 — Adding Audit Rules for File Watching
Persistent audit rules live in /etc/audit/rules.d/audit.rules (every *.rules file in that directory is merged by augenrules into /etc/audit/audit.rules when auditd starts). The -w flag watches a file or directory, -p sets the permission triggers (r = read, w = write, x = execute, a = attribute change), and -k assigns a searchable keyword tag that ausearch -k later matches on.
# Edit the persistent rules file
vi /etc/audit/rules.d/audit.rules
# Add rules to watch critical files:
# Monitor changes to /etc/passwd (user account modifications)
-w /etc/passwd -p wa -k passwd_changes
# Monitor changes to /etc/shadow (password hash changes)
-w /etc/shadow -p wa -k shadow_changes
# Monitor changes to sudoers
-w /etc/sudoers -p wa -k sudoers_changes
# Watch the /etc/ssh directory for any access
-w /etc/ssh -p rwa -k ssh_config_access
# Regenerate the active rule set from rules.d and restart auditd (systemctl refuses to restart auditd on RHEL 8, so use service)
service auditd restart
Step 3 — Managing Rules at Runtime with auditctl
auditctl lets you add, delete, and list rules immediately without restarting auditd. Runtime rules are lost on reboot; use them for temporary investigations or testing before committing to the rules file.
# List all currently active audit rules
auditctl -l
# Add a temporary file-watch rule at runtime
auditctl -w /tmp -p wa -k tmp_writes
# Delete a specific runtime rule
auditctl -W /tmp -p wa -k tmp_writes
# Add a syscall rule — log all execve calls by non-root users
auditctl -a always,exit -F arch=b64 -S execve -F uid!=0 -k user_commands
# Check audit status (enabled/disabled, kernel backlog, etc.)
auditctl -s
Step 4 — Monitoring System Calls with auditctl
Beyond file watches, auditd can monitor specific system calls. This is useful for detecting privilege escalation attempts, unauthorized network binds, or sensitive file operations.
# Log all chmod/chown calls on 64-bit architecture
auditctl -a always,exit -F arch=b64 -S chmod -S chown -k permission_changes
# Monitor setuid/setgid usage (potential privilege escalation)
auditctl -a always,exit -F arch=b64 -S setuid -S setgid -k setuid_setgid
# Add rules persistently in /etc/audit/rules.d/audit.rules:
-a always,exit -F arch=b64 -S chmod -S chown -k permission_changes
-a always,exit -F arch=b64 -S setuid -S setgid -k setuid_setgid
# Reload after editing the rules file (service, not systemctl, as in Step 2)
service auditd restart
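The rules written in Steps 2 and 4 are only useful if every rule carries a -k key and the critical files are watched with the right -p bits. As an added example (not part of the original tutorial), here is a small linter for a rules.d file; RULES_TEXT is constructed, and REQUIRED_WATCHES is an assumed local policy, not an auditd setting.

```python
import shlex

# Constructed /etc/audit/rules.d/audit.rules content (not a real host's file): the Step 2 and
# Step 4 rules, plus a watch without -k and a sudoers watch that only covers -p w.
RULES_TEXT = """\
## Constructed rules file
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/sudoers -p w -k sudoers_changes
-w /etc/ssh -p rwa
-a always,exit -F arch=b64 -S chmod -S chown -k permission_changes
-a always,exit -F arch=b64 -S setuid -S setgid -k setuid_setgid
"""

# Local policy, an assumption for this example: files that must be watched for write + attribute
REQUIRED_WATCHES = {'/etc/passwd': 'wa', '/etc/shadow': 'wa', '/etc/sudoers': 'wa'}

def parse_rules(text):
    # One dict per -w/-a rule; control lines such as -D or -b 8192 carry no rule and are skipped
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split('#', 1)[0].strip()  # '#' starts a comment in audit rule files
        if not line: continue
        argv = shlex.split(line)
        rule = {'line': n, 'perms': '', 'key': None}
        i = 0
        while i < len(argv):
            flag, val = argv[i], (argv[i + 1] if i + 1 < len(argv) else None)
            if flag == '-w': rule.update(kind='watch', path=val)
            elif flag == '-a': rule.update(kind='syscall', action=val)
            elif flag == '-p': rule['perms'] = val
            elif flag == '-k': rule['key'] = val
            i += 2  # the flags handled here take one argument; others are skipped pairwise
        if 'kind' in rule:
            rules.append(rule)
    return rules

def lint_rules(text):
    # Findings as (line number, message); line 0 means the required rule is absent altogether
    rules = parse_rules(text)
    findings = [(r['line'], 'no -k key: ausearch -k cannot select these events')
                for r in rules if r['key'] is None]
    watched = {r['path']: r for r in rules if r['kind'] == 'watch'}
    for path, need in REQUIRED_WATCHES.items():
        have = watched.get(path)
        if have is None:
            findings.append((0, f'no watch on {path}'))
        elif not set(need) <= set(have['perms']):
            findings.append((have['line'], f'{path} watched with -p {have["perms"]}, need {need}'))
    return findings
```

Run lint_rules over the real file before `service auditd restart`; an empty list means every rule is tagged and the required watches are at least as broad as the policy demands.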
Step 5 — Searching Audit Logs with ausearch
ausearch queries the audit log using the keyword tags, user IDs, timestamps, and other fields defined in your rules. It is the primary tool for investigating specific events.
# Search for all events tagged with passwd_changes
ausearch -k passwd_changes
# Search for events from a specific user (by UID)
ausearch -ua 1001
# Search for events in a time range
ausearch --start 05/17/2026 08:00:00 --end 05/17/2026 18:00:00
# Search for failed events only
ausearch -k passwd_changes --success no
# Interpret numeric fields (uid, syscall number, arch) as names for human-readable output
ausearch -k passwd_changes -i
# Or pass only the matching raw records to aureport for a file-access summary of those events
ausearch -k passwd_changes --raw | aureport -f
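To see what ausearch is doing with the -k tag and the multi-record events in audit.log, here is an added example (not part of the original tutorial) that parses constructed raw records, joins the SYSCALL, PATH and PROCTITLE lines that share one msg=audit(timestamp:serial) id, decodes hex-encoded fields, and selects events by key. SAMPLE_LOG is constructed for this example and is not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample of raw /var/log/audit/audit.log records (not a real capture): a
# successful write to /etc/shadow by login uid 1001 working as root, then a denied append
# (exit=-13, EACCES) by uid 1002; both hit the -w /etc/shadow -p wa -k shadow_changes rule.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1747478400.123:4567): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1201 pid=1345 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="shadow_changes"
type=PATH msg=audit(1747478400.123:4567): item=0 name="/etc/shadow" inode=131 dev=fd:00 mode=0100000 ouid=0 ogid=0 nametype=NORMAL
type=PROCTITLE msg=audit(1747478400.123:4567): proctitle=7669002F6574632F736861646F77
type=SYSCALL msg=audit(1747478461.500:4570): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=2200 pid=2210 auid=1002 uid=1002 gid=1002 euid=1002 tty=pts1 ses=5 comm="bash" exe="/usr/bin/bash" key="shadow_changes"
type=PATH msg=audit(1747478461.500:4570): item=0 name="/etc/shadow" inode=131 dev=fd:00 mode=0100000 ouid=0 ogid=0 nametype=NORMAL
type=PROCTITLE msg=audit(1747478461.500:4570): proctitle="-bash"
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_FIELDS = {'proctitle', 'name', 'cwd', 'comm', 'exe'}  # hex-encoded when they hold NUL/space/quote

def parse_record(line):
    # One record -> (type, (timestamp, serial), {field: decoded value}); None if not an audit record
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {}
    for k, v in FIELD.findall(rest):
        if v.startswith('"'):
            fields[k] = v[1:-1]
        elif k in HEX_FIELDS and re.fullmatch(r'(?:[0-9A-F]{2})+', v):  # e.g. proctitle=7669002F...
            fields[k] = bytes.fromhex(v).decode('utf-8', 'replace').replace('\x00', ' ')
        else:
            fields[k] = v
    return rtype, (float(ts), int(serial)), fields

def events_for_key(log_text, key):
    # Join records sharing one msg=audit(ts:serial) id and keep those tagged -k KEY, oldest
    # first: roughly the view `ausearch -k KEY -i` gives, with success=no events included.
    events = defaultdict(lambda: {'paths': []})
    for rtype, eid, fields in filter(None, map(parse_record, log_text.splitlines())):
        if rtype == 'PATH':
            events[eid]['paths'].append(fields['name'])
        elif rtype in ('SYSCALL', 'PROCTITLE'):
            events[eid].update(fields)
    return [{'serial': eid[1], 'auid': int(ev['auid']), 'uid': int(ev['uid']),
             'success': ev['success'] == 'yes', 'exe': ev['exe'],
             'paths': ev['paths'], 'proctitle': ev['proctitle']}
            for eid, ev in sorted(events.items(), key=lambda kv: kv[0]) if ev.get('key') == key]
```

The auid (login uid) survives su and sudo, which is why the first event is attributed to 1001 even though uid=0; filtering on success is the `--success no` query from above done by hand.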
Step 6 — Generating Summary Reports with aureport
aureport produces pre-formatted summary reports from the audit log, providing an at-a-glance view of audit activity suitable for daily security reviews.
# Print a high-level summary of all audit events
aureport --summary
# Report on authentication events (logins, sudo, etc.)
aureport --auth
# Report on file access events
aureport --file
# Report on anomaly events
aureport --anomaly
# Report on events for the current day
aureport --start today --end now --summary
# Report on failed events
aureport --failed
Conclusion
You have configured auditd on RHEL 8 with file-watch rules and syscall monitoring, used auditctl to manage rules at runtime, and leveraged ausearch and aureport to query and report on audit data. A well-maintained audit policy provides an immutable record of system activity that is essential for incident response and compliance verification. Regularly review aureport --summary output and rotate logs according to your retention policy.
Next steps: How to Use journalctl for Systemd Log Analysis on RHEL 8, How to Manage System Packages with dnf on RHEL 8, and How to Configure Network Interface Settings with nmcli on RHEL 8.