3️⃣ Why sometimes even root can’t change rules
Kernel immutable flag (auditctl -s → enabled = 2)
2 = auditing fully enabled, immutable
Once set, even root cannot delete/change rules until reboot
Only reboot with modified /etc/audit/rules.d can change them
SELinux or other LSM could also prevent modifications (rare but possible)
4️⃣ How to check if rules are immutable
auditctl -s
Look for enabled field:
Value | Meaning
0     | disabled
1     | enabled
2     | enabled & immutable (cannot change)
5️⃣ How rules are loaded
Check persistent rules:
ls /etc/audit/rules.d/
cat /etc/audit/rules.d/audit.rules
They are loaded at boot via:
systemctl status auditd
auditd reads /etc/audit/rules.d/*.rules and sets kernel audit tables
6️⃣ If you want to temporarily test new rules
auditctl -w /tmp/testfile -p wa -k testfile
Works only if auditing is not immutable
Lost on reboot
7️⃣ Summary in simple terms
Concept                | Your situation
Audit enabled?         | Yes (auditd active)
Rules persistent?      | Yes (/etc/audit/rules.d/)
Can root change rules? | Only if kernel not immutable
Are rules immutable?   | Likely yes (enabled=2)
Why?                   | Preconfigured at boot by OS / security policy

💡 Bottom line:

Your rules are preloaded at boot from /etc/audit/rules.d/.
Kernel flag enabled=2 makes them immutable, so even root cannot change them on the fly.
To modify permanently → edit rules file and reboot.

If you want, I can make a small diagram showing auditd flow: boot → kernel rules → runtime → immutable, which makes this very easy to explain to your team.

Do you want me to do that?

So, from my rules, what can I track, in short, with the audit commands?

Perfect — let’s summarize exactly what you can track from your current audit rules and how to query them using audit commands. I’ll keep it concise and technical.

1️⃣ What your rules are currently tracking

From your auditctl -l output:

Rule                                                         | What it tracks               | Example audit key
-a always,exit -S adjtimex,settimeofday,clock_settime        | System time changes          | time-change
-w /etc/passwd -p wa                                         | /etc/passwd modifications    | passwordfile
-w /etc/shadow -p wa                                         | /etc/shadow modifications    | shadowpasswordfile
-w /etc/group -p wa                                          | /etc/group changes           | groupfile
-w /etc/gshadow -p wa                                        | /etc/gshadow changes         | shadowgroupfile
-w /var/log/faillog -p wa                                    | Failed logins                | logins
-w /var/log/lastlog -p wa                                    | Last login updates           | logins
-w /var/log/tallylog -p wa                                   | Login failures               | logins
-w /var/run/utmp -p wa                                       | Active sessions              | session
-w /var/log/wtmp -p wa                                       | Session logs                 | session
-w /var/log/btmp -p wa                                       | Bad login attempts           | session
-a always,exit -S chmod,chown,setxattr                       | Permission/ownership changes | perm_mod
-a always,exit -S mount                                      | Mount/unmount operations     | mounts
-w /etc/sudoers & /var/log/sudo.log                          | Sudo edits and usage         | scope, actions
-a always,exit -S init_module,delete_module & /sbin/modprobe | Kernel module load/unload    | modules
2️⃣ Commands to check these events
a) Check all recent events
ausearch -ts today
b) Check by audit key
# Example: find all passwd changes
ausearch -k passwordfile

# System time changes
ausearch -k time-change

# Failed logins
ausearch -k logins

# Session activity
ausearch -k session

# Module load/unload
ausearch -k modules
c) Check by PID or user
# All events for a specific PID
ausearch -p 4140375

# All events by a specific user
ausearch -ua ora19c
d) Show human-readable summary
# Convert raw audit logs to readable form
aureport -x # Executable events
aureport -f # File access/changes
aureport -m # Modules
3️⃣ Quick “shorts” summary
What you want                                  | How to check
File changes (/etc/passwd, /etc/shadow, etc.)  | ausearch -k passwordfile
Time changes                                   | ausearch -k time-change
Login/session activity                         | ausearch -k session
Failed logins                                  | ausearch -k logins
Sudo actions                                   | ausearch -k actions
Permission/ownership changes                   | ausearch -k perm_mod
Mount/unmount                                  | ausearch -k mounts
Kernel modules                                 | ausearch -k modules
By PID                                         | ausearch -p <PID>
By user                                        | ausearch -ua <username>

💡 Tip:
You can always combine filters, e.g.:

ausearch -p 4140375 -k perm_mod -ts 2026-03-13
Shows permission changes for PID 4140375 on 13th March
Perfect for RCA of killed processes

If you want, I can make a one-line cheat sheet for your system, mapping all your current audit rules → exact ausearch commands.

Do you want me to do that?