BlogLinux & scripting
Auditd rules that matter for compliance
Watch the files and syscalls auditors actually ask about, tune rules by key, and keep signal high without drowning auditd in noise nobody reads.
auditd can record every syscall on a host — which is exactly why a default install is useless: it drowns you. A good ruleset watches the specific files and actions auditors and responders actually ask about, keyed so you can find them later.
Rules that earn their place
/etc/audit/rules.d/hardening.rules
# identity changes-w /etc/passwd -p wa -k identity-w /etc/shadow -p wa -k identity-w /etc/sudoers -p wa -k priv# every use of sudo/su-w /usr/bin/sudo -p x -k priv-esc# unexpected execution from tmp-a always,exit -F arch=b64 -F dir=/tmp -F perm=x -k exec-tmp# make the config immutable until reboot-e 2
Noise (avoid)
audit all of /var
every open() syscall
unkeyed rules
no rotation
Signal (keep)
identity + sudoers
privilege escalation
exec from /tmp
keyed for search
Find events by key
ausearch -k identity -itype=SYSCALL ... uid=1001 comm="vim" name="/etc/passwd"keyed rules make retrieval one command-e 2 locks the ruleset
Immutable mode means an attacker who lands on the box cannot quietly disable auditing — but you must reboot to change rules, so land them first.