yum install audit


  • Check audit service status: /etc/init.d/auditd status or systemctl status auditd
  • Configuration file: /etc/audit/auditd.conf
  • Audit rules: /etc/audit/audit.rules
  • Report the kernel’s audit subsystem status: auditctl -s
  • List all rules, one per line: auditctl -l
  • Delete all rules and watches: auditctl -D
  • Add a rule for the auditd daemon to watch /etc/passwd for writes: auditctl -w /etc/passwd -k passwd -p w
  • Delete a rule: auditctl -W /etc/passwd -k passwd -p w
  • Search for an event based on the given key string: ausearch -k passwd
  • Search for an event matching the given executable name: ausearch -x /bin/vi
  • Search for an event with the given user ID: ausearch -ui 501
  • Search for today's events on the passwd file: ausearch --start today -f passwd
  • Extract logs for today: ausearch --start today --raw > audit-raw.log
  • Report about responses to anomaly events: aureport -r
  • Select failed events for processing in the reports: aureport --failed
  • Trace a process similar to strace: autrace /bin/ls /tmp
  • Display the trace (use the PID that autrace prints): ausearch -i -p 11240
  • Report on bad logins: aulast --bad
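
An added example, not part of the original cheat sheet: a small triage helper for the raw export produced by `ausearch --start today --raw > audit-raw.log`, counting SYSCALL records that carry a given rule key (such as the `passwd` key set with `-k` above) per login UID and executable. The function names `summarize_key` and `write_sample` are hypothetical, and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Count raw audit SYSCALL records that carry a given rule key,
# grouped by login UID (auid) and executable (exe).

summarize_key() {
    # $1 = raw audit log file, $2 = rule key (the value given to -k)
    awk -v want="$2" '
        $1 == "type=SYSCALL" {
            auid = exe = key = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^auid=/)     auid = substr($i, 6)
                else if ($i ~ /^exe=/) { exe = substr($i, 5); gsub(/"/, "", exe) }
                else if ($i ~ /^key=/) { key = substr($i, 5); gsub(/"/, "", key) }
            }
            # auid is the login UID, so it survives su/sudo to root
            if (key == want) n[auid " " exe]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -k1,1nr -k2
}

write_sample() {
    # Constructed sample records (abbreviated field set), not real log data.
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 pid=4101 auid=501 uid=0 comm="vi" exe="/bin/vi" key="passwd"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/passwd" nametype=NORMAL
type=SYSCALL msg=audit(1700000050.202:202): arch=c000003e syscall=257 success=yes exit=3 pid=4150 auid=501 uid=0 comm="vi" exe="/bin/vi" key="passwd"
type=SYSCALL msg=audit(1700000090.303:203): arch=c000003e syscall=257 success=yes exit=4 pid=4200 auid=0 uid=0 comm="useradd" exe="/usr/sbin/useradd" key="passwd"
type=SYSCALL msg=audit(1700000120.404:204): arch=c000003e syscall=257 success=no exit=-13 pid=4300 auid=501 uid=501 comm="cat" exe="/bin/cat" key="shadow"
EOF
}

# Demo on the constructed sample; output columns: count, auid, exe
sample=$(mktemp)
write_sample "$sample"
summarize_key "$sample" passwd
rm -f "$sample"
```

On a real system, pass the exported file instead of the sample: `summarize_key audit-raw.log passwd`.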