BlogLinux & scripting

Auditd rules that matter for compliance

Watch the files and syscalls auditors actually ask about, tune rules by key, and keep signal high without drowning auditd in noise nobody reads.

Dec 17, 2024·9 min readIntermediate

auditd can record every syscall on a host — which is exactly why a default install is useless: it drowns you. A good ruleset watches the specific files and actions auditors and responders actually ask about, keyed so you can find them later.

Rules that earn their place

/etc/audit/rules.d/hardening.rules
# identity changes
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k priv
# every use of sudo/su
-w /usr/bin/sudo -p x -k priv-esc
# unexpected execution from tmp
-a always,exit -F arch=b64 -F dir=/tmp -F perm=x -k exec-tmp
# make the config immutable until reboot
-e 2
Signal vs noise
Noise (avoid)
audit all of /var
every open() syscall
unkeyed rules
no rotation
Signal (keep)
identity + sudoers
privilege escalation
exec from /tmp
keyed for search
bash — who touched passwdlive
ausearch -k identity -i
type=SYSCALL ... uid=1001 comm="vim" name="/etc/passwd"
keyed rules make retrieval one command
-e 2 locks the ruleset
Immutable mode means an attacker who lands on the box cannot quietly disable auditing — but you must reboot to change rules, so land them first.
Go deeper in a courseAdvanced Linux securityauditd, the audit pipeline, and turning logs into detection.View course

Related posts