
Linux - Configuration - Add Audit Rules for File Integrity Monitoring

Add audit rules to monitor file integrity changes on Linux endpoints

Worklet Details

What the file integrity audit rules do

This Automox Worklet™ adds critical audit rules to your Linux endpoints to facilitate comprehensive file integrity monitoring. The Worklet configures the auditd system to watch changes to sensitive files including /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow, /etc/audit/, and /var/log/.

The Worklet writes these rules to both /etc/audit/audit.rules and /etc/audit/rules.d/audit.rules so that they persist across reboots. Note that augenrules regenerates /etc/audit/audit.rules from the files under /etc/audit/rules.d/, so the rules.d copy is the authoritative one and anything written directly to audit.rules is replaced on the next load. After adding any missing rules, the Worklet reloads the audit configuration with augenrules --load and verifies that the auditd service is active.

Why monitor file integrity on Linux endpoints

File integrity monitoring detects unauthorized changes to critical system files. Attackers often modify /etc/passwd to add backdoor accounts or /etc/shadow to replace password hashes. Auditing writes to these files gives you a timestamped, attributable record of each change (the audit SYSCALL record carries the login uid, process, executable and syscall), which you can review locally or forward to a SIEM to detect and respond to incidents quickly.

This capability supports compliance frameworks including CIS Benchmarks, NIST 800-53, and SOC 2 requirements for audit logging and change detection. Monitoring /var/log/ also helps you detect log tampering, which is often a sign of an active breach. Be aware that a watch on the whole of /var/log/ records every legitimate write by syslog and other daemons as well, so expect high event volume under that key and size audit log rotation and retention accordingly.

By establishing file integrity monitoring across your Linux infrastructure, you gain visibility into system changes, strengthen your security posture, and maintain compliance with regulatory standards.

How audit rule configuration works

  1. Evaluation phase: The Worklet checks /etc/audit/audit.rules and /etc/audit/rules.d/audit.rules to determine whether audit rules are already present. It verifies that rules exist for monitoring /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow, /etc/audit/, and /var/log/.

  2. Remediation phase: If any rule is missing, the Worklet appends it to both audit configuration files and runs augenrules --load to activate the new rules without a reboot. It then confirms that the auditd service is active so that monitoring is operational. One caveat: if the existing ruleset ends with -e 2 (immutable mode), the kernel rejects further rule changes and the new rules only take effect after a reboot.
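The two phases above, written out as a Bash script. This is an added example, not the Worklet's own script: the check_audit_rule and add_audit_rule function names, the --apply flag and the default rules file path are assumptions, while the watched paths, keys and the -p wa permission filter mirror what the page describes. The file-editing functions take the rules file as a parameter so they can be exercised against a scratch file without root; only reload_and_verify needs a live auditd.

```bash
#!/usr/bin/env bash
# Added example (not Automox's Worklet code): idempotently ensure the auditd
# watch rules for file integrity monitoring, then reload and verify.
# Assumed default rules file: /etc/audit/rules.d/audit.rules (augenrules input).
set -euo pipefail

# Watched path -> audit key, as listed on the page.
FIM_RULES=(
  "/etc/passwd passwd_changes"
  "/etc/shadow shadow_changes"
  "/etc/group group_changes"
  "/etc/gshadow gshadow_changes"
  "/etc/audit/ audit_changes"
  "/var/log/ log_changes"
)

# check_audit_rule FILE PATH KEY
# Returns 0 when FILE already contains "-w PATH -p wa -k KEY", 1 otherwise.
check_audit_rule() {
  local file="$1" path="$2" key="$3"
  [ -f "$file" ] || return 1
  grep -Eq "^[[:space:]]*-w[[:space:]]+${path}[[:space:]]+-p[[:space:]]+wa[[:space:]]+-k[[:space:]]+${key}([[:space:]]|$)" "$file"
}

# add_audit_rule FILE PATH KEY
# Appends the watch rule only if it is missing; prints "added" or "present".
add_audit_rule() {
  local file="$1" path="$2" key="$3"
  if check_audit_rule "$file" "$path" "$key"; then
    echo "present"
  else
    printf -- '-w %s -p wa -k %s\n' "$path" "$key" >> "$file"
    echo "added"
  fi
}

# Evaluation phase: count how many expected rules FILE lacks (0 = compliant).
count_missing_rules() {
  local file="$1" missing=0 entry path key
  for entry in "${FIM_RULES[@]}"; do
    path="${entry%% *}"; key="${entry##* }"
    check_audit_rule "$file" "$path" "$key" || missing=$((missing + 1))
  done
  echo "$missing"
}

# Remediation phase (file part): add every missing rule to FILE.
remediate_rules() {
  local file="$1" entry path key
  for entry in "${FIM_RULES[@]}"; do
    path="${entry%% *}"; key="${entry##* }"
    add_audit_rule "$file" "$path" "$key" >/dev/null
  done
}

# Remediation phase (kernel part): load the merged ruleset, make sure auditd
# runs, and confirm a rule is really loaded. Requires root and a live auditd.
reload_and_verify() {
  # In immutable mode (-e 2) the kernel refuses new rules until reboot.
  if auditctl -s 2>/dev/null | grep -q 'enabled 2'; then
    echo "audit rules are immutable (-e 2); reboot required to load new rules" >&2
    return 1
  fi
  augenrules --load
  systemctl is-active --quiet auditd || systemctl start auditd
  auditctl -l | grep -q -- '-k passwd_changes'
}

# Assumed CLI flag: only touch the real system when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
  remediate_rules /etc/audit/rules.d/audit.rules
  reload_and_verify
fi
```

Run it as root with --apply on a pilot endpoint, then confirm with auditctl -l that the six -w rules are loaded and, after touching a watched file as a test, that ausearch -k passwd_changes (or the relevant key) returns the event.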

File integrity audit requirements

  • Linux endpoint with auditd daemon installed and enabled

  • Root or sudo access to modify /etc/audit/ files and reload audit rules

  • augenrules utility available (provides persistent audit rule management)

  • auditd service must be active or you must have the ability to start it manually

  • Sufficient disk space for audit logs in /var/log/

Expected state after audit rule configuration

After running this Worklet, your Linux endpoints will monitor changes to all critical system files. Any write or attribute modification to /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow, /etc/audit/, or /var/log/ will be captured in the audit log with the corresponding key tag (passwd_changes, shadow_changes, group_changes, gshadow_changes, audit_changes, or log_changes).

You can verify that the rules are loaded by running auditctl -l, and review recorded changes with ausearch -k <key> (for example ausearch -k passwd_changes). Because the rules live in /etc/audit/rules.d/, augenrules reloads them at boot, so file integrity monitoring continues across reboots without manual re-configuration.

How to validate the file integrity audit rule changes

  1. Run this Worklet on a pilot Linux endpoint and review the evaluation output to see which of the expected audit rules were reported missing.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state with checks that mirror the evaluation script's check_audit_rule logic: inspect /etc/audit/rules.d/audit.rules for the six watch rules and run auditctl -l to confirm they are loaded.

  4. Validate the remediation effects of add_audit_rule (rules appended, augenrules --load run, auditd active), then rerun the evaluation to confirm the endpoint reports compliant.



What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
