Generated by GPT-5-mini
| Auditd | |
|---|---|
| Name | Auditd |
| Title | Auditd |
| Developer | Red Hat |
| Released | 2002 |
| Programming language | C |
| Operating system | Linux |
| License | GNU General Public License |
Auditd is the userspace component of the Linux kernel auditing system, providing event collection, filtering, and logging. It receives audit records from the kernel audit subsystem and writes them to disk as structured key=value records (by default under /var/log/audit/), including the AVC records that Security-Enhanced Linux emits for denied accesses. It is shipped by enterprise distributions from vendors such as Red Hat and SUSE, and administrators deploy it together with auditctl, augenrules, ausearch and aureport to satisfy logging requirements from standards including PCI DSS, HIPAA, and ISO/IEC 27001.
Auditd runs as a daemon that reads from the kernel audit framework, capturing system call events, file access through path watches, and user-session changes. It complements authentication systems such as Pluggable Authentication Modules (PAM): login services and PAM modules emit USER_AUTH, USER_START and similar records through the same channel, and pam_loginuid stamps each session with the login UID (auid) that later records carry even after su or sudo. Identity services such as LDAP and Active Directory supply the accounts those records name. Deployments commonly forward the audit log to collectors such as rsyslog, syslog-ng, Splunk, or the Elastic Stack for indexing and long-term retention. Major distributions including Debian, Ubuntu, and CentOS ship packages and default configurations to simplify adoption.
The architecture separates kernel-side instrumentation from userspace processing. The kernel audit subsystem hooks system call entry and exit and filesystem watches, generating records that the auditd daemon receives over a netlink socket (NETLINK_AUDIT). Key components are the auditd daemon, the auditctl utility for loading rules and changing kernel audit state, augenrules for merging the files in /etc/audit/rules.d/ into /etc/audit/audit.rules, and the query tools ausearch and aureport. Auditd rotates its own log files according to auditd.conf (max_log_file, max_log_file_action, num_logs) rather than relying on logrotate, and forwarding to SIEM platforms is done through dispatcher plugins or by having rsyslog read the log. Integration points include systemd unit files for service management and SELinux policy (the auditd_t domain) confining the daemon.
Configuration lives in /etc/audit/auditd.conf, which governs the daemon itself (log location, size limits, actions when disk space runs low), and in /etc/audit/rules.d/*.rules, which hold the rule set that augenrules merges. Administrators write rules to watch files (-w path -p rwxa), to audit system calls (-a always,exit -F arch=b64 -S name ...) filtered on fields such as uid, auid, success or path, and to record user and group changes; network activity is visible only through the socket-related system calls (connect, bind, accept) that the rules select. Each rule can carry a key (-k) that is copied into every matching record, which is what ausearch -k and aureport -k use to group events for correlation. Rule sets are versioned in change management systems like Git and are frequently derived from Center for Internet Security (CIS) benchmark checklists.
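As an added example (not code from the audit project), the script below writes a small rules.d set in the layout augenrules expects and then merges it the way augenrules does, so the load order can be reviewed. The three file names, the keys, the backlog size and the watched paths are this example's choices, not defaults shipped by any distribution.

```shell
#!/bin/sh
# Added example, not part of the audit project. Writes a rules.d set and
# merges it in name order, which is how augenrules builds audit.rules.
# File names, keys and the backlog size are illustrative choices.

# write_audit_rules DIR: drop three files into DIR (normally /etc/audit/rules.d).
# augenrules concatenates *.rules in name order, so base settings go first
# and the immutable flag goes last.
write_audit_rules() {
    dir=$1
    mkdir -p "$dir"

    # 10-: flush old rules, size the kernel backlog, and make drops visible.
    cat >"$dir/10-base-config.rules" <<'EOF'
## Loaded first: reset, backlog size, failure mode (1 = printk on lost records)
-D
-b 8192
-f 1
EOF

    # 50-: what to record. Watches (-w) cover files; syscall rules (-a) cover
    # behaviour. auid is the login UID, which survives su/sudo, so the execve
    # rules attribute root-level commands to the person who ran them.
    cat >"$dir/50-identity.rules" <<'EOF'
## Identity and privilege files
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
## Commands run as root by a logged-in user (both ABIs, or 32-bit binaries evade the rule)
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k priv_exec
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k priv_exec
## The audit configuration and tooling themselves
-w /etc/audit/ -p wa -k auditconfig
-w /sbin/auditctl -p x -k audittools
EOF

    # 99-: lock the configuration; after this, rule changes need a reboot.
    cat >"$dir/99-finalize.rules" <<'EOF'
-e 2
EOF
}

# assemble_rules DIR: approximate augenrules' merge step (name-ordered
# concatenation without comments or blank lines) so the load order can be
# reviewed before `augenrules --load` writes /etc/audit/audit.rules.
assemble_rules() {
    for f in "$1"/*.rules; do
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" || true
    done
}

# count_rules DIR: number of active rule lines in the merged set.
count_rules() {
    assemble_rules "$1" | grep -c .
}

# Stand-alone use: sh install-audit-rules.sh /etc/audit/rules.d && augenrules --load
if [ "$#" -gt 0 ]; then
    write_audit_rules "$1"
    assemble_rules "$1"
fi
```

Once the files are in place, `augenrules --load` installs them and `auditctl -l` shows what the kernel accepted; because the last file sets `-e 2`, any later edit only takes effect after a reboot, which is the point of the flag.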
Operational tools include ausearch for targeted queries (by key, time window, user or event serial), aureport for summaries (per user, executable, failed authentication), and the dispatcher plugins (configured under /etc/audit/plugins.d/ in audit 3.x, /etc/audisp/plugins.d/ in earlier releases) that hand records to external processors such as a remote audit server or a syslog forwarder. auditctl changes the running rule set and kernel audit parameters immediately, but those changes do not survive a reboot; augenrules --load installs the merged rules.d set so it persists. Routine tasks involve managing disk usage through the auditd.conf parameters max_log_file, space_left_action, admin_space_left_action and disk_full_action, rotating logs, and forwarding to collectors such as Fluentd or Graylog. Alerts raised from the audit trail are tracked in ticketing systems like Jira or ServiceNow so that each finding can be traced back to the records that produced it.
Audit trails produced by auditd support investigations of incidents involving privileged accounts, process execution, and file integrity, aiding compliance with SOX, NIST SP 800-53, and sector-specific frameworks such as FFIEC guidance. Because every record carries the login UID (auid), actions taken after su or sudo remain attributable to the original user. Proper deployment includes tamper-resistance measures: locking the rule configuration with -e 2 so it cannot be changed until reboot, restricting access to the log directory (the log_group setting in auditd.conf and the file permissions that go with it), watching the audit configuration and tools themselves, and forwarding records off-host so that a local compromise cannot erase the trail. Audit records feed threat-hunting workflows that map findings to MITRE ATT&CK techniques, with detection logic commonly expressed as Sigma rules, which have an auditd log source.
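The log lines below are constructed for this added example (they are not records from any real system, and the code is not part of the audit project); the functions show what a raw audit.log record contains and how the login UID separates "who is root right now" from "who logged in", which is the question a privileged-account investigation asks. ausearch and aureport remain the reference tools; `ausearch -i` performs the same proctitle decoding shown here.

```shell
#!/bin/sh
# Added example, not part of the audit project: raw audit.log triage with
# POSIX sh and awk. The log lines are constructed for this example.

# sample_audit_log: four constructed events in the on-disk key=value format.
# Records that share msg=audit(TIMESTAMP:SERIAL) belong to one event.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:4567): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c0 a1=55d2a0 a2=55d3f0 a3=0 items=2 ppid=2100 pid=2101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined key="priv_exec"
type=PROCTITLE msg=audit(1700000000.101:4567): proctitle=636174002F6574632F736861646F77
type=SYSCALL msg=audit(1700000001.204:4568): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2f a2=441 a3=1b6 items=2 ppid=1900 pid=1950 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="vim" exe="/usr/bin/vim" subj=unconfined key="identity"
type=PATH msg=audit(1700000001.204:4568): item=1 name="/etc/passwd" inode=131 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000002.330:4569): arch=c000003e syscall=59 success=yes exit=0 a0=56f1c0 a1=56f2a0 a2=56f3f0 a3=0 items=2 ppid=2300 pid=2301 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=5 comm="systemctl" exe="/usr/bin/systemctl" subj=unconfined key="priv_exec"
type=SYSCALL msg=audit(1700000003.415:4570): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffe10 a2=241 a3=1b6 items=2 ppid=1 pid=812 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="useradd" exe="/usr/sbin/useradd" subj=system_u:system_r:useradd_t:s0 key="identity"
EOF
}

# events_by_key FILE: how many SYSCALL records each rule key produced,
# the same grouping `aureport -k` gives. Only the quoted single-key form
# is handled; records matching several keys carry a hex-encoded key list.
events_by_key() {
    awk '$1 == "type=SYSCALL" {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^key="/) { k = $i; gsub(/^key="|"$/, "", k); n[k]++ }
    }
    END { for (k in n) print k, n[k] }' "$1" | sort
}

# root_actions_by_login_user FILE: records where the process ran as root
# (uid=0) but the login UID names a real user. auid is set by pam_loginuid
# at login and kept across su/sudo; 4294967295 (-1) means "no login session".
root_actions_by_login_user() {
    awk '$1 == "type=SYSCALL" {
        auid = ""; uid = ""; exe = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "="); if (n == 0) continue
            name = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (name == "auid") auid = val
            else if (name == "uid") uid = val
            else if (name == "exe") { exe = val; gsub(/"/, "", exe) }
        }
        if (uid == "0" && auid != "0" && auid != "4294967295" && auid != "unset")
            print auid, exe
    }' "$1"
}

# decode_proctitle HEX: the PROCTITLE record stores the command line as hex
# with NUL (00) between arguments; decode it and turn the NULs into spaces.
decode_proctitle() {
    printf '%s' "$1" | awk '{
        h = tolower($0); d = "0123456789abcdef"; out = ""
        for (i = 1; i <= length(h); i += 2) {
            v = (index(d, substr(h, i, 1)) - 1) * 16 + index(d, substr(h, i + 1, 1)) - 1
            out = out (v == 0 ? " " : sprintf("%c", v))
        }
        print out
    }'
}

# Stand-alone use: sh audit-triage.sh /var/log/audit/audit.log
if [ "$#" -gt 0 ]; then
    events_by_key "$1"
    root_actions_by_login_user "$1"
fi
```

On the constructed input the second function lists users 1000 and 1001 running /usr/bin/cat and /usr/bin/systemctl as root, and skips the useradd record because its auid is unset (a process started outside any login session, which is itself worth a look when it touches /etc/passwd). Decoding the PROCTITLE hex yields `cat /etc/shadow`, the argument list that the SYSCALL record alone does not show.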
High-volume environments must balance fidelity and overhead by tuning rule granularity (filtering on arch, auid, uid and success rather than auditing whole classes of system calls, and selecting the few calls that matter instead of broad watches) and by offloading processing to dedicated collectors. Bottlenecks manifest as a growing backlog and a non-zero lost counter in auditctl -s, with kernel log messages when the failure flag is set to 1; the backlog limit (-b) and the backlog wait time bound how much the kernel buffers before it drops records or stalls the calling task. perf and strace help identify which processes generate the volume and whether auditd itself is blocked on disk I/O, and the systemd journal shows the daemon's own status messages. Scaling strategies include partitioning rule scopes by host role, sampling where fidelity permits, and federated collectors that aggregate through Kafka or RabbitMQ. Common failures are kernel backlog exhaustion, disk I/O saturation (and the space_left and disk_full actions that follow it), and SELinux policy denials blocking auditd or its plugins, all diagnosed from the kernel log together with distribution-specific support channels.
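As an added example (not code from the audit project), the script below reads `auditctl -s` output and flags the conditions that precede dropped records. The two status samples are constructed for the example, and the 80 percent backlog threshold is this example's choice.

```shell
#!/bin/sh
# Added example, not part of the audit project: reads `auditctl -s` output
# and reports the conditions that lead to lost audit records. The status
# samples are constructed; the backlog threshold is an illustrative choice.

# audit_backlog_report: stdin is `auditctl -s` output. Prints one line per
# finding and exits 1 if there are any. `lost` is cumulative since boot, so
# compare it between runs rather than treating a non-zero value as current.
audit_backlog_report() {
    awk '
        $1 == "enabled"       { enabled = $2 }
        $1 == "failure"       { failure = $2 }
        $1 == "backlog_limit" { limit   = $2 }
        $1 == "lost"          { lost    = $2 }
        $1 == "backlog"       { backlog = $2 }
        END {
            bad = 0
            if (enabled == 0) {
                print "enabled 0: the kernel is not generating records"; bad = 1
            }
            if (lost > 0) {
                printf "lost %d: records dropped; raise -b in the first rules.d file or cut rule volume\n", lost
                bad = 1
            }
            # Queue nearly full: auditd is not draining it (disk I/O, a slow plugin).
            if (limit > 0 && backlog * 10 >= limit * 8) {
                printf "backlog %d of %d: auditd is not draining the queue\n", backlog, limit
                bad = 1
            }
            # failure 0 = silent, 1 = printk, 2 = panic; silent losses are invisible.
            if (failure == 0) {
                print "failure 0: losses are silent; set -f 1 so they reach the kernel log"; bad = 1
            }
            exit bad
        }'
}

# Constructed `auditctl -s` output for a quiet host.
sample_status_healthy() {
    printf 'enabled 1\nfailure 1\npid 712\nrate_limit 0\nbacklog_limit 8192\nlost 0\nbacklog 12\nbacklog_wait_time 60000\nbacklog_wait_time_actual 0\nloginuid_immutable 0 unlocked\n'
}

# Constructed output for a host whose rules outrun the daemon.
sample_status_overloaded() {
    printf 'enabled 1\nfailure 0\npid 712\nrate_limit 0\nbacklog_limit 8192\nlost 3417\nbacklog 7900\nbacklog_wait_time 60000\nbacklog_wait_time_actual 120000\nloginuid_immutable 0 unlocked\n'
}

# Stand-alone use on a live system (needs root): sh audit-backlog.sh --live
if [ "$1" = "--live" ]; then
    auditctl -s | audit_backlog_report
fi
```

On the overloaded sample the report lists three findings (records lost, queue at 96 percent of its limit, silent failure mode); the healthy sample produces none. Running it from cron and alerting on a change in `lost` between runs catches the problem before the next incident needs the missing records.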
Auditd is written in C and maintained upstream by community contributors and enterprise maintainers at vendors such as Red Hat and SUSE. It runs on hosts that also run container runtimes (Docker, containerd), orchestration platforms (Kubernetes), and virtualization stacks (KVM, Xen), with one caveat for containers: the kernel audit subsystem is not namespaced, so a single auditd on the host receives the records of every container, with host PIDs and without a container identifier field, and container audit collection is therefore normally done by a per-node agent rather than by running auditd inside each container. Ecosystem tools and adapters translate audit records for analytics engines such as Logstash and for cloud logging services from Amazon Web Services and Microsoft Azure.
Category:Linux software