Audit File Access on Linux

Install the auditd packages on Debian/Ubuntu etc.

apt install auditd audispd-plugins

The commands in this post are shown without sudo, but they all touch the kernel audit subsystem and almost certainly need to be run as root.

Then start the service if necessary:

systemctl start auditd

You can now add a watch rule for each file you want to monitor:

auditctl -w /etc/hosts -p war -k hosts-file

Where…

  • w is the path to the file (or directory) to watch
  • p is the set of accesses to record: r for read, w for write, x for execute and a for attribute change (owner, mode, timestamps); a does not mean append
  • k is a key that tags every audit record produced by this watch so you can find them later

Check that your rule is listed (auditctl prints the permissions in its own fixed order, so war shows up as rwa):

$ auditctl -l
-w /etc/hosts -p rwa -k hosts-file

Rules added with auditctl are kept only until the next reboot; to make the watch permanent, put the same line in a file under /etc/audit/rules.d/ so it is loaded when auditd starts. Now we just have to wait for auditd to log some events!

Because we gave the rule a filter key (hosts-file), it is easy to search for its events with ausearch:

ausearch -ts today -k hosts-file
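Putting the steps above together, here is an added example (not code from the original post) that prints the watch rule in the form auditctl -l uses, which is also the line you would drop into /etc/audit/rules.d/ to make it persistent, and then answers the question you actually care about once events arrive: which program, running as which uid, touched the file. It works on raw audit.log lines rather than calling ausearch, so the sample below is a constructed log mimicking auditd's format; the file path /etc/hosts, the key hosts-file and the rules file name are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): build a persistent auditd
# watch rule and summarise the raw audit.log records it produces.
# Assumptions: the watched file is /etc/hosts with key "hosts-file";
# the log lines below are constructed to mimic auditd's raw format.
set -eu

# Print one rule line in the syntax auditctl -l shows. The same line,
# saved under /etc/audit/rules.d/, is loaded by augenrules at boot.
audit_watch_rule() {
  local path=$1 perms=$2 key=$3
  printf -- '-w %s -p %s -k %s\n' "$path" "$perms" "$key"
}

# Read raw audit.log lines on stdin and, for every SYSCALL record carrying
# the given key, print "<count> <exe> <uid>" sorted by count. SYSCALL is
# the record type that names the acting process; the PATH and CWD records
# of the same event share its msg=audit(...) serial but carry no exe/uid.
# " uid=" with the leading space avoids matching auid=, euid=, suid=, fsuid=.
audit_summarise_key() {
  local key=$1
  grep -E "^type=SYSCALL .*key=\"$key\"" \
    | sed -nE 's/.* uid=([0-9]+) .* exe="([^"]+)".*/\2 \1/p' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# Constructed sample: two writes by root's vim, one read by cat as uid 1000,
# and one unrelated event under a different key that must be ignored.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55c0 a2=241 a3=1a4 items=2 ppid=2100 pid=2101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="hosts-file"
type=PATH msg=audit(1700000000.101:301): item=1 name="/etc/hosts" inode=262 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.250:302): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55c1 a2=241 a3=1a4 items=2 ppid=2100 pid=2101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="hosts-file"
type=SYSCALL msg=audit(1700000005.400:310): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd a2=0 a3=0 items=1 ppid=3000 pid=3001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" subj=unconfined key="hosts-file"
type=SYSCALL msg=audit(1700000006.000:311): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" subj=unconfined key="other-key"'

# When run as a script: show the rule, then the per-process summary.
audit_watch_rule /etc/hosts wa hosts-file
printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_summarise_key hosts-file

# To install the rule persistently on a real host (needs root; not run here):
#   audit_watch_rule /etc/hosts wa hosts-file | sudo tee /etc/audit/rules.d/hosts-file.rules
#   sudo augenrules --load
```

On a live system you would feed the function with `ausearch -k hosts-file --raw` or the file /var/log/audit/audit.log itself; the summary is a quick triage view, and for the full story of one event (the path, the working directory, the syscall arguments) you still go back to ausearch with the event serial.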