tldr/pages/linux/auditctl.md

# auditctl

> Utility to control the behavior, get status and manage rules of the Linux Auditing System.
> More information: <https://manned.org/auditctl>.

- Display the [s]tatus of the audit system:

`sudo auditctl -s`

- [l]ist all currently loaded audit rules:

`sudo auditctl -l`

- [D]elete all audit rules:

`sudo auditctl -D`

- [e]nable/disable the audit system:

`sudo auditctl -e {{1|0}}`

- Watch a file for changes:

`sudo auditctl -a always,exit -F arch=b64 -F path=/{{path/to/file}} -F perm=wa`

- Recursively watch a directory for changes:

`sudo auditctl -a always,exit -F arch=b64 -F dir=/{{path/to/directory}}/ -F perm=wa`

- Display [h]elp:

`auditctl -h`
auditctl: add page (#12846) 2024-05-28 03:10:15 +02:00			`# auditctl`

			`> Utility to control the behavior, get status and manage rules of the Linux Auditing System.`
			`> More information: <https://manned.org/auditctl>.`

			`- Display the [s]tatus of the audit system:`

			`sudo auditctl -s`

			`- [l]ist all currently loaded audit rules:`

			`sudo auditctl -l`

			`- [D]elete all audit rules:`

			`sudo auditctl -D`

			`- [e]nable/disable the audit system:`

			`sudo auditctl -e {{1\|0}}`

			`- Watch a file for changes:`

*: place leading and trailing slashes in filepaths outside of placeholders (#17541) 2025-08-16 12:54:02 +03:00			`sudo auditctl -a always,exit -F arch=b64 -F path=/{{path/to/file}} -F perm=wa`
auditctl: add page (#12846) 2024-05-28 03:10:15 +02:00
			`- Recursively watch a directory for changes:`

*: place leading and trailing slashes in filepaths outside of placeholders (#17541) 2025-08-16 12:54:02 +03:00			`sudo auditctl -a always,exit -F arch=b64 -F dir=/{{path/to/directory}}/ -F perm=wa`
auditctl: add page (#12846) 2024-05-28 03:10:15 +02:00
			`- Display [h]elp:`

			`auditctl -h`