The Linux Audit system takes care of keeping track of what is happening in the operating system by listening to events based on pre-configured rules.

The Linux Audit System is installed by default on most Linux systems. If needed, you may install and enable it with the following commands:

apt-get install auditd audispd-plugins
yum install audit audit-libs
systemctl enable rvice
systemctl start rvice

Audit's configuration file is stored at /etc/audit/nf, and it controls the behavior of the Audit daemon according to our needs. For more information, see Linux man: nf(8). Audit events to be monitored are selected using rules defined at /etc/audit/rules.d/les. We can use the auditctl command to control its behavior, get its status, and add or delete rules in the kernel's audit system.

Nevertheless, Audit does not provide additional security by itself; it is used together with other tools to enhance security. Using Wazuh we can analyze the events reported by Audit and generate alerts when required, allowing us to be aware of what is happening on the endpoints, for example which commands are being executed with root privileges, and deal with possible security risks if required. In this article we will focus on how to monitor root actions on Linux using Auditd and Wazuh.
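To show what the rule-driven monitoring described above produces before Wazuh gets involved, here is an added example (not code from the article, Wazuh or the audit project) that parses constructed audit.log records in the format auditd writes and reports every command executed with effective UID 0. The auditctl rule in the comment, the audit key "root-exec" and the sample records are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed auditctl rule (not from the article): log every execve whose effective
# UID is 0 and tag it with the key "root-exec" so it is easy to filter on:
#   -a always,exit -F arch=b64 -S execve -F euid=0 -k root-exec
# Constructed sample records in audit.log format; real SYSCALL records carry more
# fields (pid, auid, ses, ...), which this parser simply ignores.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1712345678.123:456): arch=c000003e syscall=59 success=yes exit=0 uid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" key="root-exec"
type=EXECVE msg=audit(1712345678.123:456): argc=3 a0="sudo" a1="cat" a2="/etc/shadow"
type=SYSCALL msg=audit(1712345679.456:457): arch=c000003e syscall=59 success=yes exit=0 uid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1712345679.456:457): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1712345680.789:458): arch=c000003e syscall=59 success=yes exit=0 uid=0 euid=0 comm="useradd" exe="/usr/sbin/useradd" key="root-exec"
type=EXECVE msg=audit(1712345680.789:458): argc=2 a0="useradd" a1="deploy"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')    # timestamp:serial shared by one event

def parse_record(line: str) -> Tuple[str, Dict[str, str]]:
    """Return (event_id, fields) for one audit record; surrounding quotes are stripped."""
    m = MSG_RE.search(line)
    event_id = f"{m.group(1)}:{m.group(2)}" if m else ""
    return event_id, {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def root_commands(log_text: str, key: Optional[str] = "root-exec") -> List[Dict]:
    """Correlate SYSCALL and EXECVE records by event id and return the commands
    run with euid=0; key=None disables filtering on the audit key."""
    events: Dict[str, Dict] = {}
    for line in log_text.splitlines():
        event_id, f = parse_record(line)
        ev = events.setdefault(event_id, {})
        if f.get("type") == "SYSCALL":
            ev.update(uid=f.get("uid"), euid=f.get("euid"), exe=f.get("exe"), key=f.get("key"))
        elif f.get("type") == "EXECVE":   # argv is split over a0..aN, argc tells how many
            ev["argv"] = [f.get(f"a{i}", "") for i in range(int(f.get("argc", "0")))]
    hits = []
    for event_id, ev in events.items():
        if ev.get("euid") == "0" and (key is None or ev.get("key") == key):
            hits.append({"event": event_id, "uid": ev.get("uid"), "exe": ev.get("exe"),
                         "cmd": " ".join(ev.get("argv", [])),
                         # uid != euid means a non-root user reached root (sudo, setuid)
                         "escalated": ev.get("uid") != ev.get("euid")})
    return hits

if __name__ == "__main__":
    for h in root_commands(SAMPLE_AUDIT_LOG):
        print(f"{h['event']} uid={h['uid']} escalated={h['escalated']}: {h['cmd']}")
```

The "escalated" flag separates commands run by root directly from those where an unprivileged user reached root, which is usually the more interesting case to alert on.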