auditd rules that matter
Identity files, privileged execs, module loads.
Hardening reduces what can happen; auditing records what did. auditd is the Linux kernel audit daemon — it captures a tamper-resistant log of security-relevant events (who ran what, who touched which sensitive file, who changed identity) at a level below the applications, so it sees things even a compromised service cannot hide from. The art is writing rules that capture the events that matter for detection and forensics without drowning the system in noise.
# watch the identity files — any write is worth knowing about-w /etc/passwd -p wa -k identity-w /etc/shadow -p wa -k identity-w /etc/sudoers -p wa -k identity-w /etc/sudoers.d/ -p wa -k identity# record every use of privilege escalation-w /usr/bin/sudo -p x -k priv-esc# record kernel module loads (rootkit indicator)-a always,exit -F arch=b64 -S init_module -S finit_module -k modules
Reading an audit rule
The two rule shapes cover most needs. A watch (-w path -p perms -k key) monitors a file for read (r), write (w), execute (x), or attribute-change (a) access — so -w /etc/shadow -p wa flags any write or permission change to the shadow file. A syscall rule (-a always,exit -S <syscall>) records specific system calls, like module loading or use of a dangerous call. The -k key tags each rule so you can search its events later. Start from the CIS audit ruleset rather than a blank file — it encodes the events worth watching.
$ sudo augenrules --load # compile rules.d/*.rules and load them$ sudo auditctl -l # list active rules# investigate by the key you tagged:$ sudo ausearch -k identity -ts today$ sudo aureport --auth # a summary report of authentication events
Protect the audit trail itself
An audit log is only trustworthy if an attacker cannot quietly erase it, so two settings matter. Make the rules immutable (-e 2) so they cannot be changed until reboot — an intruder cannot silently disable auditing. And ship audit events off the host to a central collector (the detection course covers the pipeline), because local logs on a compromised machine are exactly what gets tampered with. Auditing you can trust is auditing the attacker cannot reach.