How do I monitor security-related changes made to the file system on my EC2 Linux instance?

4 minute read

I want to turn on the Linux Audit system to monitor changes to the file system on my Amazon Elastic Compute Cloud (Amazon EC2) instance.

Short description

The Linux Audit system tracks access to important files and creates an audit trail in case of file corruption or other unintended changes. You can use the Linux Audit system to track changes to files in Amazon Elastic File System (Amazon EFS) or any other file system type. If you configure the audit system to log many types of information, then this might impact your local system's performance. After you install the Linux Audit system on your system, you can create rules that monitor the activity on your file system.

To track all changes to your file system, turn on the Linux Audit system on every client that mounts your file system.

Note: When you run the auditd component, it might affect the performance of your system. For more information, see Is there any system performance penalty to enable auditing? on the Red Hat website.


  1. Connect to your EC2 instance with SSH as ec2-user/ubuntu/root user. Replace ubuntu with the username for your AMI.

  2. Install the audit package:

    RHEL and CentOS

    # sudo yum install audit

    SUSE Linux

    # sudo zypper install audit


    # sudo apt install auditd
  3. Create rules for the Linux Audit system. To test rules initially, use the command auditctl to immediately add or remove rules.

    Note: The following examples show rules for an EFS file system.

    Use the following command to monitor all activity for your file system's mount location:

    $ auditctl -w /home/ec2-user/efs -k efs_changes

    Here are examples of actions that you can configure the audit system to log:

    $ mkdir dir1
    $ touch file1
    $ touch file2
    $ mv file1 file3
    $ rm -f file2
    $ chmod 600 file3
    $ rmdir dir1
    $ rm -f file3
  4. Run the ausearch -k efs_changes command to view the audit log. The following example shows the audit log for the mkdir command, based on the example operations from Step 3:

    time->Thu Jan  9 21:30:59 2020
    type=PROCTITLE msg=audit(1578605459.080:127433): proctitle=6D6B6469720064697231
    type=PATH msg=audit(1578605459.080:127433): item=1 name="dir1" inode=4989235361872937641 dev=00:16 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=PATH msg=audit(1578605459.080:127433): item=0 name="/home/ec2-user/efs/audit" inode=12759736523397539955 dev=00:16
        mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=CWD msg=audit(1578605459.080:127433): cwd="/home/ec2-user/efs/audit"
    type=SYSCALL msg=audit(1578605459.080:127433): arch=c000003e syscall=83 success=yes exit=0 a0=7fffe6aca6e1 a1=1ff a2=1ff a3=7fffe6ac7720 items=2 ppid=18661 pid=2948 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=18369 comm="mkdir" exe="/bin/mkdir"     key="efs_changes"

    This example shows the raw audit log. The audit log contains a large amount of information for each operation.

    To create a shorter output in the audit log, run the aureport command. This version still shows all of the operations:

    $ ausearch -k efs_changes | aureport -f -i
    10118. 01/09/2020 21:36:29 file1 open yes /bin/touch ec2-user 127450
    10119. 01/09/2020 21:36:29 dir1 mkdir yes /bin/mkdir ec2-user 127449
    10120. 01/09/2020 21:36:29 file2 open yes /bin/touch ec2-user 127451
    10121. 01/09/2020 21:36:29 file3 rename yes /bin/mv ec2-user 127452
    10122. 01/09/2020 21:36:29 file2 unlinkat yes /bin/rm ec2-user 127453
    10123. 01/09/2020 21:36:29 file3 fchmodat yes /bin/chmod ec2-user 127454
    10124. 01/09/2020 21:36:29 dir1 rmdir yes /bin/rmdir ec2-user 127455
    10125. 01/09/2020 21:36:35 file3 unlinkat yes /bin/rm ec2-user 127456

    Keep in mind that you don't have to log all operations. For example, you can create a rule to log only delete-related actions:

    auditctl -a always,exit -F arch=b64 -F dir=/home/ec2-user/efs -S unlink -S unlinkat -S rename -S renameat  -S rmdir -k efs_changes

    If you run the example commands from Step 3, then only the specified delete-related commands appear in the log:

    10126. 01/09/2020 22:17:08 file3 rename yes /bin/mv ec2-user 127519
    10127. 01/09/2020 22:17:08 file2 unlinkat yes /bin/rm ec2-user 127520
    10128. 01/09/2020 22:17:08 dir1 rmdir yes /bin/rmdir ec2-user 127521
    10129. 01/09/2020 22:17:09 file3 unlinkat yes /bin/rm ec2-user 127522
  5. To make the rules persistent, configure them in the /etc/audit/audit.rules file. For more information, see Defining persistent audit rules and controls in the /etc/audit/audit.rules file on the Red Hat website.

Related information

System auditing on the Red Hat website

Customized file monitoring with Auditd on the Red Hat website

AWS OFFICIALUpdated 7 months ago