CoursesLinux hardeningAudit & compliance

auditd rules that matter

Identity files, privileged execs, module loads.

Advanced14 min · lesson 14 of 16

Hardening reduces what can happen; auditing records what did. auditd is the Linux kernel audit daemon — it captures a tamper-resistant log of security-relevant events (who ran what, who touched which sensitive file, who changed identity) at a level below the applications, so it sees things even a compromised service cannot hide from. The art is writing rules that capture the events that matter for detection and forensics without drowning the system in noise.

/etc/audit/rules.d/hardening.rules
# watch the identity files — any write is worth knowing about
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d/ -p wa -k identity
# record every use of privilege escalation
-w /usr/bin/sudo -p x -k priv-esc
# record kernel module loads (rootkit indicator)
-a always,exit -F arch=b64 -S init_module -S finit_module -k modules

Reading an audit rule

The two rule shapes cover most needs. A watch (-w path -p perms -k key) monitors a file for read (r), write (w), execute (x), or attribute-change (a) access — so -w /etc/shadow -p wa flags any write or permission change to the shadow file. A syscall rule (-a always,exit -S <syscall>) records specific system calls, like module loading or use of a dangerous call. The -k key tags each rule so you can search its events later. Start from the CIS audit ruleset rather than a blank file — it encodes the events worth watching.

terminal
$ sudo augenrules --load # compile rules.d/*.rules and load them
$ sudo auditctl -l # list active rules
# investigate by the key you tagged:
$ sudo ausearch -k identity -ts today
$ sudo aureport --auth # a summary report of authentication events

Protect the audit trail itself

An audit log is only trustworthy if an attacker cannot quietly erase it, so two settings matter. Make the rules immutable (-e 2) so they cannot be changed until reboot — an intruder cannot silently disable auditing. And ship audit events off the host to a central collector (the detection course covers the pipeline), because local logs on a compromised machine are exactly what gets tampered with. Auditing you can trust is auditing the attacker cannot reach.

Audit everything and you audit nothing
It is tempting to log every syscall, but an over-broad audit ruleset floods the disk, hurts performance, and buries the one event that mattered under millions that did not. Watch the high-signal targets — identity files, privilege escalation, module loads, key binaries — tune out the known noise, and ship the rest off-box. A focused ruleset you actually review beats an exhaustive one nobody can read, the same lesson as the Kubernetes audit policy.