How I Use AuditD to Catch Silent Security Threats on Linux
✍️ Full Blog Content:
Intro:
Some attacks don’t show up in your logs. They don’t crash services or trigger alerts. They quietly change permissions, edit files, or execute binaries you weren’t expecting. That’s where AuditD comes in — the Linux auditing daemon that tells you exactly what happened, when, and by whom. Here’s how I set it up and use it to monitor the parts of my system that attackers love to touch.
1. Installing AuditD
✅ Ubuntu:
sudo apt install auditd
✅ Red Hat:
sudo yum install audit
Then enable and start it:
sudo systemctl enable auditd
sudo systemctl start auditd
2. Monitor Access to /etc/passwd and /etc/shadow
These files are often targeted for privilege escalation or user creation. The watches below log every write (w) and attribute change (a, such as chmod or chown) and tag the records with a key you can search on later. Rules added with auditctl live only in the kernel and are gone after a reboot; for a permanent watch put the same lines (without the auditctl prefix) in a file under /etc/audit/rules.d/ and load them with augenrules --load.
auditctl -w /etc/passwd -p wa -k passwd_watch
auditctl -w /etc/shadow -p wa -k shadow_watch
✅ Check activity (run as root, since audit.log is root-only; add -i if you want uids and syscall numbers translated into names):
ausearch -k passwd_watch
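The whole procedure in one place, as an added example that is not the post's own code: the two watches written as a persistent rules file, plus a small reader that pulls the actor (auid, uid, exe) out of SYSCALL records carrying a given key, so you can see which fields answer "who did it". The rules file name and the sample records in sample_log are assumptions, constructed in audit.log format for the demo; on a real host you would use ausearch -k KEY -i instead of the reader.

```sh
#!/bin/sh
# Added example (not from the original post). Two parts:
#  1. install_rules: the same watches as the post, written under
#     /etc/audit/rules.d/ so they survive a reboot (auditctl -w alone does not).
#  2. hits_for_key: a minimal reader over audit.log-style records that prints
#     "auid uid exe" for each SYSCALL record tagged with a key.
# RULES_FILE and the records in sample_log are assumptions, not real data.

RULES_FILE="/etc/audit/rules.d/50-identity-files.rules"   # assumed name

# -p w = write, a = attribute change (chmod/chown/setfacl). Adding r on
# /etc/shadow would also log every PAM authentication that reads it, so it is
# left out; -D and -b belong in the distro's base rules file, not here.
audit_rules() {
    cat <<'EOF'
-w /etc/passwd -p wa -k passwd_watch
-w /etc/shadow -p wa -k shadow_watch
EOF
}

# Run as root on a real host: write the file, merge and load all rules.d
# files, then confirm the kernel actually holds the two watches.
install_rules() {
    audit_rules > "$RULES_FILE"
    augenrules --load
    auditctl -l | grep -E 'passwd_watch|shadow_watch'
}

# Constructed records, one per line as in /var/log/audit/audit.log.
# auid is the login UID and survives sudo/su, which is why the first record
# shows auid=1000 even though vipw ran as uid=0.
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c2a3b2a0 a2=241 a3=1a4 items=2 ppid=4101 pid=4102 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vipw" exe="/usr/sbin/vipw" subj=unconfined key="passwd_watch"
type=PATH msg=audit(1700000000.101:301): item=0 name="/etc/passwd" inode=263 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CRED_ACQ msg=audit(1700000000.150:302): pid=4110 uid=0 auid=1000 ses=3 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1700000000.205:303): arch=c000003e syscall=92 success=yes exit=0 a0=7ffd4e2c1f40 a1=0 a2=2a a3=0 items=1 ppid=4120 pid=4121 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="chown" exe="/usr/bin/chown" subj=unconfined key="shadow_watch"
EOF
}

# Print "auid uid exe" for every SYSCALL record tagged with $1; records on stdin.
# Only SYSCALL records carry the key; the PATH record of the same event (same
# msg=audit(...:301) id) names the file and is dropped here.
hits_for_key() {
    grep 'type=SYSCALL' | grep "key=\"$1\"" |
    sed -E 's/.* auid=([0-9]+).* uid=([0-9]+).* exe="([^"]+)".*/\1 \2 \3/'
}

# Demo on the constructed records (safe to run anywhere, no root needed):
sample_log | hits_for_key passwd_watch   # 1000 0 /usr/sbin/vipw
sample_log | hits_for_key shadow_watch   # 1001 0 /usr/bin/chown
```

Call install_rules as root to apply the watches for real; the auditctl -l check at the end is the one step people skip, and it is what tells you the rules actually loaded rather than failing silently on a syntax error in the file.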