Need help?

Our experts have had an average response time of 11.7 minutes in August 2021 to fix urgent issues.

We will keep your servers stable, secure, and fast at all times for one fixed price.

Configure Linux Audit Rules on EC2 – How we do it

by | Aug 13, 2021

If we configure Linux Audit Rules on EC2 we can track user activity, file changes, and directory changes on the Amazon EC2 Linux instance.

Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.

Today, let us see how to configure the Linux Auditing system to do this.


Linux Audit Rules on EC2

A user-space component of the Linux Audit system, Auditd helps to track suspicious activities. In addition, it helps us to identify areas where we can take additional security measures.

Generally, we use Auditd to:

  • Track the user or application that accesses or modifies files and directories.
  • Track which user runs specific commands.


Configure Linux Audit Rules on EC2

1. Initially, we connect to the EC2 instance via SSH as ec2-user/ubuntu/root user. Then we replace ubuntu with the user name for the AMI.

2. After that to install the audit package, we run:

RHEL and CentOS:

# sudo yum install audit

SUSE Linux:

# sudo zypper install audit


# sudo apt install auditd

3. Now we go ahead and create audit rules.

We can find the Audit rules in the /etc/audit/audit.rules file. However, custom audit rules are in the /etc/audit/rules.d/custom.conf file.

Audit rules defined in files are persistent. We can also implement rules at runtime.

In order to create the audit rules, we run the auditctl command.

Moving ahead, let us see a few example rules.

Track the user or application that access or modify a certain file or directory:

# sudo auditctl -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid>=500 -F auid!=-1 -F dir=/root/test/ -F key=delete

Track which user runs a specific command.

# sudo auditctl -w /bin/sudo -p rwxa -k sudo

To ensure that the rules persist after a reboot, we edit audit.rules, and then add the following rule to the file:

RHEL 6, CentOS 6, or Amazon Linux 1:
# sudo vi /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid>=500 -F auid!=-1 -F dir=/root/test/ -F key=delete
-w /bin/sudo -p rwxa -k sudo
RHEL 7, CentOS 7, or Amazon Linux 2:
# sudo vi /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F auid>=500 -F auid!=-1 -F dir=/root/test/ -F key=delete
-w /bin/sudo -p rwxa -k sudo

4. Eventually, once we make the changes we restart the auditd service. We need to make sure that the auditd service is set to run on boot.

# sudo chkconfig auditd on
# sudo service auditd start
# sudo service auditd stop
# sudo service auditd restart

Our Support Techs recommend using the service command instead of the systemctl command in CentOS and RHEL 7 to restart the auditd service.

5. Finally, we run the ausearch command to read the audit logs.

Let us see a few example audit logs:

In the following example, user ec2-user (uid = ec2-user) deletes the file /root/test/example.txt.

# sudo ausearch -i -k delete

type=PROCTITLE msg=audit(04/04/20 19:41:51.231:3303) : proctitle=rm -rf /root/test/example.txt
type=PATH msg=audit(04/04/20 19:41:51.231:3303) : item=1 name=/root/test/example.txt inode=16777349 dev=ca:01 mode=file,777 ouid=root ogid=root
rdev=00:00 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/04/20 19:41:51.231:3303) : item=0 name=/tmp/test/ inode=16777328 dev=ca:01 mode=dir,777 ouid=root ogid=root rdev=00:00 nametype=PARENT cap_fp=none cap_fi=none
cap_fe=0 cap_fver=0
type=CWD msg=audit(04/04/20 19:41:51.231:3303) : cwd=/home/ec2-user
type=SYSCALL msg=audit(04/04/20 19:41:51.231:3303) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0xffffff9c a1=0xc5f290 a2=0x0 a3=0x165 items=2 ppid=3645
pid=933 auid=ec2-user uid=ec2-user gid=ec2-user euid=ec2-user suid=ec2-user fsuid=ec2-user egid=ec2-user sgid=ec2-user fsgid=ec2-user tty=pts0 ses=1 comm=rm exe=/usr/bin/rm key=delete

Here, the user ec2-user (uid= 1000) ran the command sudo su – with sudo privilege.

# sudo ausearch -k sudo

time->Mon Apr 6 18:33:26 2020
type=PROCTITLE msg=audit(1586198006.631:2673): proctitle=7375646F007375002D type=PATH msg=audit(1586198006.631:2673): item=1 name="/lib64/" inode=5605 dev=103:05 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1586198006.631:2673):
item=0 name="/usr/bin/sudo" inode=12800710 dev=103:05 mode=0104111 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1586198006.631:2673): cwd="/home/ec2-user"
type=EXECVE msg=audit(1586198006.631:2673): argc=3 a0="sudo" a1="su" a2="-"
type=SYSCALL msg=audit(1586198006.631:2673): arch=c000003e syscall=59 success=yes exit=0 a0=e8cce0 a1=e8c7b0 a2=e61720 a3=7ffde58ec0a0 items=2 ppid=2658 pid=3726 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000
tty=pts0 ses=4 comm="sudo" exe="/usr/bin/sudo" key="script"

[Stuck with the configuration? We’d be happy to assist]



In short, we saw how our Support Techs configure Linux Audit Rules.


Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.


var google_conversion_label = "owonCMyG5nEQ0aD71QM";


Submit a Comment

Your email address will not be published. Required fields are marked *

Privacy Preference Center


Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]


Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid


Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie


These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.