Faruk

Posted on Jun 8 • Originally published at Medium

How I Use auditd to Catch Hidden Changes on My Linux Server | by Faruk Ahmed | Jun, 2025

#auditd #changes #linux #audit

Member-only story

How I Use auditd to Catch Hidden Changes on My Linux Server

Sometimes attackers don’t crash your system. They change just one file, set one cron job, or create one backdoor user — and wait.

That’s why I rely on auditd: a powerful, built-in Linux tool that logs exactly what changes, who changed it, and when.

In this blog, I’ll show you how I use auditd to detect shady behavior on both Ubuntu and Red Hat-based systems.

🔧 What is auditd?

auditd (the audit daemon) is part of the Linux Auditing System. It can monitor:

File reads/writes
Permission changes
User logins
Process executions
Configuration changes

It logs to /var/log/audit/audit.log — separate from /var/log/syslog.

✅ Step 1: Install and Enable auditd

Ubuntu:

sudo apt install auditd audispd-plugins

Red Hat:

sudo yum install audit

Enable and start:

sudo systemctl enable auditd --now

🔍 Step 2: Monitor Critical Files

👉 Read Full Blog on Medium Here

Warp is the highest-rated coding agent—proven by benchmarks.

Warp outperforms every other coding agent on the market, and gives you full control over which model you use. Get started now for free, or upgrade and unlock 2.5x AI credits on Warp's paid plans.

Download Warp

Top comments (0)

Some comments may only be visible to logged-in visitors. Sign in to view all comments.

DEV Community