# Auditing System Events with auditd To manage security on Photon OS, the Linux auditing service `auditd` is enabled and active by default on the full version of Photon OS. The folloiwng command shows the security status: ``` systemctl status auditd * auditd.service - Security Auditing Service Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: active (running) since Fri 2016-04-29 15:08:50 UTC; 1 months 9 days ago Main PID: 250 (auditd) CGroup: /system.slice/auditd.service `-250 /sbin/auditd -n ``` To help improve security, the `auditd` service can monitor file changes, system calls, executed commands, authentication events, and network access. After you implement an audit rule to monitor an event, the `aureport` tool generates reports to display information about the events. You can use the auditctl utility to set a rule that monitors the `sudoers` file for changes: auditctl -w /etc/sudoers -p wa -k sudoers_changes This rule specifies that the auditd service must watch (`-w`) the `/etc/sudoers` file to log permissions changes (`-p`) to the write access (`w`) or attributes (`a`) of the file and to identify them in logs as `sudoers_changes`. The auditing logs appear in `/var/log/audit/audit.log`. You can list the auditing rules as follows: auditctl -l -w /etc/sudoers -p wa -k sudoers_changes For more information on the Linux Audit Daemon, see the `auditd` man page: man auditd For more information on setting auditing rules and options, see the `auditctl` man page: man auditctl For more information on viewing reports on audited events, see the `aureport` man page: man aureport