
How I Use AuditD to Catch Silent Security Threats on Linux

2 min read · May 8, 2025


✍️ Full Blog Content:

Intro:

Some attacks never show up in your application or service logs. They don't crash anything or trip an alert. They quietly change a file mode, append a line to a system file, or run a binary nobody expected on that host. That is the gap AuditD fills: the Linux audit daemon records kernel-level events (file writes, attribute changes, syscalls) together with the timestamp, the process, the effective user and the login user behind it, so you can answer what happened, when, and by whom. Here is how I set it up and use it to watch the parts of a system that attackers love to touch.

1. Installing AuditD

✅ Ubuntu:

sudo apt install auditd

✅ Red Hat (on RHEL 8 and later, yum is an alias for dnf):

sudo yum install audit

Then enable and start it:

sudo systemctl enable auditd
sudo systemctl start auditd

Confirm the daemon is running and auditing is enabled with sudo auditctl -s (look for enabled=1). One Red Hat-specific caveat: the auditd unit is deliberately protected against systemctl stop; if you ever need to stop it, use service auditd stop.

2. Monitor Access to /etc/passwd and /etc/shadow

These files are a favourite target for privilege escalation and persistence: adding a UID 0 account, blanking a password hash, or loosening the files' ownership or mode. Watching them for writes (w) and attribute changes (a) covers all three. As root, or with sudo:

auditctl -w /etc/passwd -p wa -k passwd_watch
auditctl -w /etc/shadow -p wa -k shadow_watch

Rules added with auditctl last only until the next reboot. To make them permanent, put the same lines (minus the auditctl prefix) in a file under /etc/audit/rules.d/ and load them with augenrules --load. For /etc/shadow you may also want r in the permission set, since an attacker reading the hashes is as interesting as one writing them; expect a steady trickle of legitimate reads from PAM at every login, so tune accordingly.

Check activity:

ausearch -k passwd_watch

Add -i to have ausearch translate UIDs, timestamps and syscall numbers into readable names. The field to watch in each event is auid, the login UID of the person who started the session: uid=0 tells you the write happened as root, but auid tells you which human ran sudo to get there.
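To show which fields in a raw audit event actually answer "what, when, by whom", here is an added example (my illustration, not code from the post): a small parser that groups /var/log/audit/audit.log records by serial number, filters on the rule key, and flags the two cases that deserve a second look, a login user who switched identity (auid differs from uid, typically sudo) and an event with no login session at all (auid=4294967295, i.e. cron, a daemon, or a reverse shell spawned from a service). The log lines are constructed to look like output of the passwd_watch rule above, not real captures, and the syscall-number table assumes an x86_64 host.

```python
"""Turn raw auditd records into 'what, when, by whom' for a given rule key.

Added illustration, not code from the original post. SAMPLE_LOG is constructed
to resemble /var/log/audit/audit.log entries from `auditctl -w /etc/passwd -p wa
-k passwd_watch` on x86_64; it is not a real capture. SYSCALL_NAMES assumes x86_64.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

SAMPLE_LOG = r'''
type=SYSCALL msg=audit(1746700000.101:2001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55a0 a2=241 a3=1b6 items=2 ppid=1201 pid=1350 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vipw" exe="/usr/sbin/vipw" key="passwd_watch"
type=CWD msg=audit(1746700000.101:2001): cwd="/root"
type=PATH msg=audit(1746700000.101:2001): item=0 name="/etc/" inode=1 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1746700000.101:2001): item=1 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1746700300.555:2002): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=7f00 a2=1ff a3=0 items=1 ppid=1 pid=2210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chmod" exe="/usr/bin/chmod" key="passwd_watch"
type=CWD msg=audit(1746700300.555:2002): cwd="/tmp"
type=PATH msg=audit(1746700300.555:2002): item=0 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1746700400.000:2003): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f10 a2=241 a3=1b6 items=1 ppid=3001 pid=3002 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="vim" exe="/usr/bin/vim" key="shadow_watch"
type=CWD msg=audit(1746700400.000:2003): cwd="/home/bob"
type=PATH msg=audit(1746700400.000:2003): item=0 name="/etc/shadow" inode=1235 dev=fd:00 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
'''

# "type=X msg=audit(<epoch>.<ms>:<serial>): <key=value ...>"
RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

AUID_UNSET = 4294967295  # unsigned -1: no login session (cron, daemons, boot-time services)

# x86_64 syscall numbers commonly reported by a "-p wa" watch (assumption: x86_64 only)
SYSCALL_NAMES = {2: "open", 257: "openat", 82: "rename", 264: "renameat", 316: "renameat2",
                 90: "chmod", 268: "fchmodat", 92: "chown", 260: "fchownat",
                 87: "unlink", 263: "unlinkat", 76: "truncate"}


def parse_events(text):
    """Group records by serial: {serial: {"ts": epoch_float, "records": [(type, fields), ...]}}."""
    events = defaultdict(lambda: {"ts": 0.0, "records": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # blank line or not an audit record
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m["body"])}
        ev = events[int(m["serial"])]
        ev["ts"] = float(m["ts"])
        ev["records"].append((m["type"], fields))
    return dict(events)


def classify(auid, uid, tty):
    """Flags that make an event worth a second look."""
    flags = []
    if auid == AUID_UNSET:
        flags.append("no-login-session")  # nobody logged in: cron, daemon, or a service-spawned shell
    elif auid != uid:
        flags.append("privilege-switch")  # e.g. sudo: auid is the human, uid is root
    if tty in (None, "(none)"):
        flags.append("no-tty")
    return flags


def summarize(text, key):
    """Return one dict per event carrying the given rule key, oldest first."""
    out = []
    for serial, ev in sorted(parse_events(text).items()):
        syscall = next((f for t, f in ev["records"] if t == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        auid, uid = int(syscall["auid"]), int(syscall["uid"])
        out.append({
            "serial": serial,
            "when": datetime.fromtimestamp(ev["ts"], tz=timezone.utc).isoformat(timespec="seconds"),
            "login_uid": None if auid == AUID_UNSET else auid,
            "uid": uid,
            "exe": syscall.get("exe"),
            "comm": syscall.get("comm"),
            "cwd": next((f.get("cwd") for t, f in ev["records"] if t == "CWD"), None),
            "syscall": SYSCALL_NAMES.get(int(syscall["syscall"]), syscall["syscall"]),
            "success": syscall.get("success") == "yes",
            # PARENT entries are the containing directory; the rest are the touched paths
            "paths": [f["name"] for t, f in ev["records"]
                      if t == "PATH" and f.get("nametype") != "PARENT"],
            "flags": classify(auid, uid, syscall.get("tty")),
        })
    return out


if __name__ == "__main__":
    for e in summarize(SAMPLE_LOG, "passwd_watch"):
        print(f'{e["when"]} {e["syscall"]:9} {",".join(e["paths"])} by login_uid={e["login_uid"]} '
              f'uid={e["uid"]} exe={e["exe"]} cwd={e["cwd"]} flags={e["flags"]}')
```

In practice ausearch -k passwd_watch -i gives you the same interpretation on a live box, and aureport -k summarises hits per key; the parser is only here to make the auid-versus-uid distinction concrete. The second sample event is the shape I care about most: root changed the mode of /etc/passwd from /tmp with no login session and no terminal, which is rarely an administrator.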

3. Watch for Unexpected Binary Executions


Written by Faruk Ahmed

With 10+ years as an InfoSec Analyst, I excel in Symantec DLP, CrowdStrike, QRadar, Qualys, FireEye, Red Hat Linux, WebLogic, Python, and Bash. I am passionate.