
How to Monitor File Access on Raspberry Pi Using auditd

File access monitoring matters on a Raspberry Pi as much as on any other Linux host, and often more, because a Pi tends to sit unattended at the edge of a network. auditd is the userspace side of the Linux kernel audit subsystem: you give it rules naming the files, directories or system calls to watch, the kernel generates a record for every matching event, and auditd writes those records to /var/log/audit/audit.log together with who performed the action (the login user and the effective user), which program did it, which file was touched, and when. That log is what you search when you suspect unauthorized access or need to reconstruct what happened to an important file.

This article walks through installing auditd on a Raspberry Pi, writing and loading rules, and querying the resulting log.

How to Install auditd on a Raspberry Pi

Install auditd on a Raspberry Pi with the following two steps:

Step 1: First, refresh the package index so that apt installs the current version from the Raspberry Pi OS repository:

sudo apt update

Step 2: Then install auditd with apt-get. The package also brings the tools used later in this article: auditctl (load rules into the kernel), augenrules (merge rule files), and ausearch and aureport (query the log).

sudo apt-get install auditd

The package installs a systemd service and starts it, so once the command completes the daemon is already running with the default rules.

 

How to Monitor Files Using auditd on Raspberry Pi

auditd exists to make user activity accountable. Every record it writes ties an action to the account that performed it, so an administrator can answer what was done, by whom, to which file or object, and when.

The "who" is only as reliable as the login path: audit records carry the login UID (auid) assigned at authentication, which survives sudo and su, so auditd complements strong authentication and authorization rather than replacing them. Protecting the log and the rules from the users being audited is part of the same bargain; a user who can edit the rules or truncate the log is not accountable.

The daemon's own settings (where the log is written, how large it may grow, what to do when the disk fills up) live in /etc/audit/auditd.conf, which you can view with the following command:

sudo cat /etc/audit/auditd.conf

Most parameters have self-explanatory names and sensible defaults. The ones worth checking on a Pi with a small SD card are max_log_file, num_logs and max_log_file_action (log rotation), and space_left_action and disk_full_action (what happens when space runs out, since a full disk otherwise means lost records). The rest are documented in the auditd.conf(5) manual page.

What gets audited is decided by rules. On Debian-based systems such as Raspberry Pi OS the file /etc/audit/audit.rules is generated: augenrules concatenates every *.rules file under /etc/audit/rules.d/ into it, and anything edited directly in audit.rules is overwritten at the next load. The shipped default consists of a few control lines only (delete existing rules, set the kernel buffer size, set the failure mode), so with no rules of your own the daemon records little beyond its own start-up and the login and authentication events that PAM reports. View the generated file with the following command:

sudo cat /etc/audit/audit.rules

To monitor files, add watch rules of the form -w PATH -p PERMISSIONS -k KEY to a new file in /etc/audit/rules.d/ rather than editing audit.rules itself; sudo auditctl -l shows which rules the kernel currently holds. If you are not yet sure which rules you need, you can continue with the default file, but be aware that a search like the one at the end of this article returns nothing until a rule covers the path you search for.

How to Start auditd Daemon

After changing rules, run the following command; it merges the files in /etc/audit/rules.d/ and compares the result with the current /etc/audit/audit.rules:

sudo augenrules --check

With the default rules left untouched the command reports “No change”.

If it reports that the rules have changed, load them. This regenerates audit.rules and feeds it to the running daemon with auditctl -R, so no restart is needed:

sudo augenrules --load
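As an added example (not part of the original article), the script below shows the whole rule workflow in one place: watch rules are generated, written as a new file into /etc/audit/rules.d/, and loaded with augenrules. The rules directory is a parameter so the script can be dry-run by an unprivileged user into a scratch directory; the rule keys (home-pi, identity, audit-config), the file name 50-home-pi.rules and the --install switch are choices made for this example, not anything auditd prescribes.

```shell
#!/bin/sh
# Added example, not from the original article: author, install and load
# auditd watch rules on a Raspberry Pi. Loading requires the auditd package.
set -e

# Emit one watch rule.
#   -w PATH   file or directory to watch (a directory covers everything below it)
#   -p PERMS  which accesses to record: r read, w write, x execute, a attribute change
#   -k KEY    tag that `ausearch -k KEY` later uses to pull exactly these events
watch_rule() {
    printf '%s\n' "-w $1 -p $2 -k $3"
}

# Write a rules fragment into RULES_DIR (default /etc/audit/rules.d).
# augenrules merges every *.rules file there into /etc/audit/audit.rules,
# so rules belong here and not in audit.rules, which is regenerated.
write_rules_file() {
    dir=${1:-/etc/audit/rules.d}
    file="$dir/50-home-pi.rules"        # file name chosen for this example
    {
        echo "## added example: home directory, identity files and the audit config"
        # writes and attribute changes under /home/pi; 'r' would also work but
        # logs every shell start-up reading .bashrc, which drowns the real signal
        watch_rule /home/pi wa home-pi
        # account databases: any write is interesting, and so is any read of shadow
        watch_rule /etc/passwd wa identity
        watch_rule /etc/shadow rwa identity
        # the audit configuration itself, so tampering with the rules is recorded
        watch_rule /etc/audit/ wa audit-config
    } > "$file"
    printf '%s\n' "$file"
}

# Merge rules.d into audit.rules and push the result into the kernel.
load_rules() {
    if ! command -v augenrules >/dev/null 2>&1; then
        echo "augenrules not found: install the auditd package first" >&2
        return 1
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "loading rules needs root; re-run with sudo" >&2
        return 1
    fi
    augenrules --check || true   # informational: does rules.d differ from audit.rules?
    augenrules --load            # regenerate audit.rules and load it with auditctl -R
    auditctl -l                  # list the rules the kernel actually holds now
}

# `sh this.sh --install` writes to /etc/audit/rules.d and loads; anything
# else is a dry run into a scratch directory that only shows the generated file.
if [ "${1:-}" = "--install" ]; then
    f=$(write_rules_file)
    echo "wrote $f"
    load_rules
else
    scratch=$(mktemp -d)
    cat "$(write_rules_file "$scratch")"
    rm -rf "$scratch"
fi
```

The number prefix in the file name matters: augenrules concatenates the fragments in sorted order, and the shipped audit.rules fragment (with its -D that deletes all rules) sorts first, so a fragment named 50-... is appended after it rather than wiped out by it.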

 

The apt installation already enabled and started the auditd service, so there is normally nothing to start by hand. Check that it is running, and restart it if you changed auditd.conf (rule changes are picked up by augenrules --load without a restart):

sudo systemctl status auditd

sudo systemctl restart auditd

Starting the binary directly with sudo auditd is only for systems where the service is not managed by systemd; the kernel accepts a single registered audit daemon, so on a Raspberry Pi OS install a second, hand-started instance is rejected while the service is running.

To read the raw log file, use the following cat command:

sudo cat /var/log/audit/audit.log

Each line is one record of key=value fields, and one event usually spans several records (SYSCALL, CWD, PATH, PROCTITLE) that share the serial number inside msg=audit(timestamp:serial).

 

Reading raw records is tedious, so the auditd package also ships ausearch, which understands the record format and joins the lines of one event. To list events involving a path, for example the pi user's home directory, use the -f option:

sudo ausearch -f /home/pi

This returns matches only for events that a rule caused to be recorded: with the default rules the command prints <no matches> even if the directory is in constant use. Once a watch rule with a key is loaded, the same events can be pulled more precisely with sudo ausearch -k KEY, sudo aureport -f gives a per-file summary, and adding -i to ausearch translates numeric UIDs, syscall numbers and timestamps into readable form.
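ausearch hides the record format, but knowing it helps when you read audit.log directly or ship it to another system. The added example below (not part of the original article) parses two constructed events exactly as the kernel writes them for a watch-rule hit on 64-bit Raspberry Pi OS (arch=c00000b7 is AArch64, syscall 56 is openat), joins the SYSCALL and PATH records of each event by serial number and prints one line per file access: the login UID (auid), the effective UID, the program, the rule key, the outcome and the file. The sample records, the key home-pi, the paths and the user IDs are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: summarise raw audit.log
# records into one line per file access. Needs only POSIX sh, awk and sort.
set -e

# Constructed sample: two events as auditd logs them for a watch rule with
# key "home-pi" on 64-bit Raspberry Pi OS (arch=c00000b7, syscall 56 = openat).
# Serial 456: the pi user (auid=1000, uid=1000) reads secret.txt with cat.
# Serial 457: the same login runs `sudo touch`, so uid=0 while auid stays 1000;
#             a create carries two PATH records, the PARENT dir and the new file.
write_sample_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1700000000.123:456): arch=c00000b7 syscall=56 success=yes exit=3 a0=ffffffffffffff9c a1=aaaae0e0b9a0 a2=0 a3=0 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="home-pi"
type=CWD msg=audit(1700000000.123:456): cwd="/home/pi"
type=PATH msg=audit(1700000000.123:456): item=0 name="/home/pi/secret.txt" inode=12345 dev=b3:02 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1700000000.123:456): proctitle=636174002F686F6D652F70692F7365637265742E747874
type=SYSCALL msg=audit(1700000010.500:457): arch=c00000b7 syscall=56 success=yes exit=3 a0=ffffffffffffff9c a1=aaaae0e0c1f0 a2=941 a3=1b6 items=2 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="touch" exe="/usr/bin/touch" key="home-pi"
type=CWD msg=audit(1700000010.500:457): cwd="/home/pi"
type=PATH msg=audit(1700000010.500:457): item=0 name="/home/pi/" inode=4096 dev=b3:02 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1700000010.500:457): item=1 name="/home/pi/notes.txt" inode=12346 dev=b3:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1700000010.500:457): proctitle=746F756368002F686F6D652F70692F6E6F7465732E747874
EOF
}

# Join the SYSCALL record (who, which program, rule key, outcome) with the
# PATH record (which file) of each event. All records of one event share the
# serial number in msg=audit(<epoch>.<ms>:<serial>).
summarize_audit_log() {
    awk '
    {
        if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
        id = substr($0, RSTART + 10, RLENGTH - 11)   # drop "msg=audit(" and ")"
        split(id, p, ":"); serial = p[2]; ts[serial] = p[1]
        for (i = 2; i <= NF; i++) {
            if (split($i, kv, "=") != 2) continue
            gsub(/"/, "", kv[2])
            if ($1 == "type=SYSCALL") {
                if (kv[1] == "auid")    auid[serial] = kv[2]
                if (kv[1] == "uid")     uid[serial]  = kv[2]
                if (kv[1] == "exe")     exe[serial]  = kv[2]
                if (kv[1] == "key")     key[serial]  = kv[2]
                if (kv[1] == "success") ok[serial]   = kv[2]
            } else if ($1 == "type=PATH" && kv[1] == "name" && $0 !~ /nametype=PARENT/) {
                # skip the PARENT directory entry that creates and unlinks carry;
                # older kernels omit nametype, and then the last PATH record wins
                name[serial] = kv[2]
            }
        }
    }
    END {
        for (s in key)
            if (s in name)
                printf "%s auid=%s uid=%s exe=%s key=%s success=%s file=%s\n",
                       ts[s], auid[s], uid[s], exe[s], key[s], ok[s], name[s]
    }' "$1" | sort
}

# Stand-alone run: write the sample, summarise it, clean up. Point
# summarize_audit_log at /var/log/audit/audit.log (as root) for a real log.
log=$(mktemp)
write_sample_log "$log"
summarize_audit_log "$log"
rm -f "$log"
```

The second output line is the point of the auid field: the file was created by uid 0, but auid still says which login did it, which is what makes sudo use attributable.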

 

Remove auditd from Raspberry Pi

If you no longer need auditd, remove it with the following command in the terminal:

sudo apt-get remove auditd

apt-get remove leaves the configuration files in /etc/audit in place so that a later reinstall picks them up again; use sudo apt-get purge auditd if you want the configuration removed as well.

Conclusion

auditd is a powerful tool for monitoring access to important files on a Raspberry Pi. Watch and syscall rules placed under /etc/audit/rules.d/ can target specific files, directories, users or programs, and ausearch and aureport turn the resulting log into something readable. Being available straight from the Raspberry Pi OS package repository makes installation with apt, as well as removal, simple.

About the author

Hiba Shafqat

I am a Computer Science student and a committed technical writer by choice. It is a great pleasure to share my knowledge with the world in which I have academic expertise.