Frequently Asked Question
What is auditd and how do I use it for tamper-evident logging?
The Linux Audit subsystem is a kernel feature that emits events for system calls,
file accesses, and authentication actions; auditd is the userspace daemon that
reads those events from a netlink socket and writes them to /var/log/audit/audit.log.
Rules are loaded with auditctl at runtime or made persistent in
/etc/audit/rules.d/*.rules. A typical rule such as
-w /etc/passwd -p wa -k passwd_changes says "watch /etc/passwd for writes and
attribute changes, and tag the resulting events with the key passwd_changes";
ausearch -k passwd_changes then queries the log for exactly those events.
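As an added illustration of what the key-tagged records look like and what ausearch -k does with them (example code written for this FAQ, not part of auditd), the following parses constructed audit.log lines, groups the SYSCALL/CWD/PATH records that share one msg=audit(timestamp:serial) header into events, and filters them by key; the sample records, PIDs and inode numbers are made up.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not a real capture): event 24287 is a write to
# /etc/passwd tagged by "-w /etc/passwd -p wa -k passwd_changes"; event 24288 is an
# unrelated, failed read tagged with another key, so the filter has something to skip.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:24287): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=4242 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="passwd_changes"
type=CWD msg=audit(1700000000.123:24287): cwd="/root"
type=PATH msg=audit(1700000000.123:24287): item=0 name="/etc/passwd" inode=1234 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.456:24288): arch=c000003e syscall=257 success=no exit=-13 ppid=1 pid=4243 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" key="sshd_config"
type=PATH msg=audit(1700000000.456:24288): item=0 name="/etc/ssh/sshd_config" inode=4321 mode=0100600 ouid=0 ogid=0
"""

MSG_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit.log record into (type, timestamp, serial, {field: value})."""
    m = MSG_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return rtype, float(ts), int(serial), fields

def group_events(text):
    """Group records by event serial; all records of one event share msg=audit(ts:serial)."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec[2]].append(rec)
    return events

def search_key(text, key):
    """Roughly what `ausearch -k KEY` does: summarise every event carrying that key."""
    hits = []
    for serial, records in sorted(group_events(text).items()):
        syscall = next((r[3] for r in records if r[0] == "SYSCALL"), {})
        if syscall.get("key") != key:
            continue
        paths = [r[3].get("name") for r in records if r[0] == "PATH"]
        # auid is the login UID, which survives su/sudo; uid/euid may all be 0 afterwards.
        hits.append({"serial": serial, "auid": int(syscall["auid"]), "exe": syscall.get("exe"),
                     "success": syscall.get("success") == "yes", "paths": paths})
    return hits

if __name__ == "__main__":
    for hit in search_key(SAMPLE_LOG, "passwd_changes"):
        print(hit)
```

The same grouping is what a central collector has to do when records arrive one line at a time from audisp-remote, since the PATH record that names the file is separate from the SYSCALL record that names the user.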
For tamper-evidence the trick is to get the events off the local machine quickly. The
audit daemon's audisp plug-in framework can forward events in real time via
audisp-remote to a central collector, or via journald and systemd-journal-remote
to a write-only log host. Once a copy is offsite, a successful intruder cannot edit
/var/log/audit/audit.log to hide their tracks without also compromising the log
host, which raises the bar substantially.
Compliance regimes such as PCI-DSS, HIPAA, and the various ISO/IEC 27000 controls
effectively require this style of logging. Even outside formal compliance, a sensible
baseline is to audit changes to /etc/passwd, /etc/shadow, /etc/sudoers,
authorized_keys files, and any setuid binary the package manager did not install.