Add, list and manage Linux audit rules from the shell to track system changes and suspicious activity.

02.07.2026 | reading time: 3 min

Want to know who touched a file, which syscalls an application called, or whether a configuration file changed? The `auditctl` command talks to the Linux kernel audit subsystem and lets the administrator add, list and remove audit rules from the command line.

## Add a watch and inspect rules

Do it now: add a file watch, list the rules, provoke an event and then remove the rule. The commands, the output of `auditctl -l` and a sample event are shown in a single code block:

```
# watch /etc/passwd for writes (w) and attribute changes (a), tagged with a key
sudo auditctl -w /etc/passwd -p wa -k passwd_changes
# list the active rules; the kernel prints back the rule just added
sudo auditctl -l
-w /etc/passwd -p wa -k passwd_changes
# provoke an event: touch updates the timestamps, an attribute change covered by "a"
sudo touch /etc/passwd
# search the audit log by key (ausearch shown for context)
sudo ausearch -k passwd_changes
---- SAMPLE EVENT ----
node=host type=PATH msg=audit(1625140800.123:45): item=0 name=/etc/passwd inode=12345 mode=0100644 ouid=0
# remove the watch again (-W takes the same arguments as -w)
sudo auditctl -W /etc/passwd -p wa -k passwd_changes
```

## Quick inspection and kernel state

Check what the kernel audit system reports and learn a safe first command: `auditctl -s` shows whether auditing is enabled, the PID of auditd, the backlog limits and the failure mode; `auditctl -l` prints the current rules and `auditctl -D` deletes them all, so always verify rules before relying on them in production.

## Syscall rules and architecture filters

When file watches are too coarse, add syscall rules such as `auditctl -a always,exit -F arch=b64 -S chmod -S fchmod -k perm_changes` to catch permission changes at the syscall level. Combine `-F` filters to target users, paths or return values, and remember that 32-bit and 64-bit programs use different syscall tables, so an `arch=b64` rule does not see calls made by 32-bit binaries.

## How this fits into a workflow

In practice auditctl is used interactively or by init scripts to seed rules, while a persistent rule set is usually managed with higher-level tools that translate rule files into auditctl calls. On busy systems tune the rate limits and use keys so that events can be searched efficiently.
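Keys exist so that events can be pulled back out of the log efficiently. As an added example (not code from the article or from the audit project), the Python below parses raw `audit.log` records, joins the SYSCALL and PATH records that share one `msg=audit(timestamp:serial)` identifier, and filters by key the way `ausearch -k` does. The log lines are constructed for this example; inodes, syscall numbers and users are made up.

```python
import re
from collections import defaultdict

# Constructed sample records in the layout auditd writes to /var/log/audit/audit.log.
# Serial 45 fires the passwd_changes watch, 46 the perm_changes rule, 47 matched no rule.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1625140800.123:45): arch=c000003e syscall=90 success=yes exit=0 auid=1000 uid=0 comm="chmod" exe="/usr/bin/chmod" key="passwd_changes"
type=PATH msg=audit(1625140800.123:45): item=0 name="/etc/passwd" inode=12345 mode=0100644 ouid=0
type=SYSCALL msg=audit(1625140801.500:46): arch=c000003e syscall=91 success=yes exit=0 auid=1000 uid=1000 comm="python3" exe="/usr/bin/python3" key="perm_changes"
type=PATH msg=audit(1625140801.500:46): item=0 name=/home/alice/.ssh/authorized_keys inode=67890 mode=0100600 ouid=1000
type=SYSCALL msg=audit(1625140802.000:47): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1625140802.000:47): item=0 name="/etc/hostname" inode=111 mode=0100644 ouid=0
"""

# type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): <key=value ...>
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
# Values are double-quoted strings or bare tokens (hex-encoded names are kept as written).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit.log line into ((timestamp, serial), record type, field dict)."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return (ts, int(serial)), rtype, fields

def group_events(log_text):
    """Join the records of one event: they share the msg=audit(ts:serial) identifier."""
    events = defaultdict(lambda: {"fields": {}, "paths": []})
    for eid, rtype, fields in filter(None, map(parse_record, log_text.splitlines())):
        if rtype == "PATH":
            events[eid]["paths"].append(fields.get("name"))
        else:  # SYSCALL (and CWD etc.) fields describe the event as a whole
            events[eid]["fields"].update(fields)
    return events

def search_key(log_text, key):
    """Offline counterpart of `ausearch -k KEY`: events whose SYSCALL record carries that key."""
    hits = []
    for (_, serial), ev in sorted(group_events(log_text).items()):
        f = ev["fields"]
        if f.get("key") == key:
            hits.append({"serial": serial, "auid": f.get("auid"), "syscall": f.get("syscall"), "comm": f.get("comm"), "paths": ev["paths"]})
    return hits

if __name__ == "__main__":
    for key in ("passwd_changes", "perm_changes"):
        for hit in search_key(SAMPLE_LOG, key):
            print(f"{key}: auid={hit['auid']} {hit['comm']} syscall={hit['syscall']} -> {hit['paths']}")
```

The `auid` field is the login UID that survives `sudo`, which is why it, rather than `uid`, answers "who touched the file".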
## Next tools to learn

Read on about related utilities and logs: `auditd` collects and writes the events, `ausearch` queries the audit logs, and `augenrules` compiles rules from configuration files into a runtime set for auditctl.

## Final view and study path

Mastering auditctl opens a powerful avenue to track system activity and harden detection. A good next step is to practice in a dedicated lab while preparing for certifications like CompTIA Linux+ or LPIC-1; bitsandbytes.academy offers focused exam preparation to turn hands-on skills into credentials.

This article was created with the help of AI.