How to Set Up Auditd

Step 1: Install Auditd

sudo apt install auditd -y

Step 2: Start and Enable

sudo systemctl start auditd
sudo systemctl enable auditd

Step 3: Add Audit Rules

sudo auditctl -w /etc/passwd -p wa -k passwd_changes
sudo auditctl -w /etc/ssh/sshd_config -p wa -k sshd_changes
sudo auditctl -w /var/log/auth.log -p r -k auth_log

Step 4: Make Rules Persistent

sudo nano /etc/audit/rules.d/audit.rules

Add the rules and save.

Step 5: View Audit Logs

sudo ausearch -k passwd_changes