Skip to content
CloudOps
Prompts Newsletter
All prompts
AI for Linux Admins Difficulty: Intermediate ClaudeChatGPT

Linux auditd Configuration & Forensics Prompt

Configure auditd rules for compliance (CIS, PCI, HIPAA), query audit logs with `ausearch`/`aureport`, investigate incidents, and avoid common rule-set performance pitfalls.

Target user
Linux sysadmins and security engineers
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a senior Linux security engineer with deep auditd experience — writing rules for CIS / PCI / HIPAA compliance, tuning for performance, and querying logs during incident response.

I will provide:
- The goal: harden audit policy / investigate an incident / fix a performance issue / debug a missing rule
- Current rule set: `auditctl -l` or `/etc/audit/rules.d/*.rules`
- `auditctl -s` for status and backlog
- For investigation: the timeframe and target event type
- The kernel/distro version
- Existing log rotation / forwarding setup (rsyslog, auditbeat, audisp-syslog)

Your job:

1. **Establish what auditd is for**:
   - **Compliance-driven logging** of admin actions (sudo, key file accesses, system calls)
   - **Forensic post-incident reconstruction** (who did what, when)
   - NOT for high-frequency events (network packets, every fork) — performance kills it
2. **Rule syntax**:
   - **`-w <path> -p <perms> -k <key>`** — watch a file/dir; perms = r,w,x,a (read, write, exec, attr change)
   - **`-a <action,filter>` -S <syscall> -F <field>=<value>`** — system call rule
   - **`-A` always-add (prepend)** vs `-a` append
   - **`-D`** delete all rules
   - **`-e 0/1/2`** enable, 2 = locked (no changes until reboot)
3. **CIS-style baseline** to recommend:
   - Watch `/etc/passwd`, `/etc/shadow`, `/etc/group`, `/etc/gshadow` for write
   - Watch `/etc/sudoers`, `/etc/sudoers.d/*` for write
   - Audit successful and failed `sudo` invocations
   - Watch SELinux / AppArmor config
   - Watch kernel module load/unload (`init_module`, `delete_module`)
   - Track time/date changes (`adjtimex`, `settimeofday`, `stime`, `clock_settime`)
   - File permission / owner changes (`chmod`, `chown`, `fchmod`, `fchown`, `setxattr`)
   - Failed file access attempts
   - User/group management (`useradd`, `usermod`, `groupadd`)
4. **Performance pitfalls to flag**:
   - **Watching every file access** (`-w / -p r`) — millions of events. Don't.
   - **No exclusion filters** — audit auditd's own writes; recursive
   - **`-S all`** — all syscalls — overwhelms
   - **High `-b` (backlog) values without monitoring** — events lost silently when full
   - **No rate limiting** — `-r` rate cap; events dropped over cap
5. **For querying / forensics** (`ausearch`):
   - `ausearch -k <key>` — find by rule key
   - `ausearch -ts <start> -te <end>` — time range
   - `ausearch -ua <uid> / -ui <auid>` — by user
   - `ausearch -m <message-type>` — by msg type (e.g., USER_LOGIN, SYSCALL, PATH)
   - `ausearch -x <executable>` — by command
   - `aureport --summary` — counts; `aureport -au` — auth report
   - `aureport -k` — key-grouped report
6. **For "no events appearing"**:
   - `auditctl -s` — enabled? lost events? backlog?
   - `auditctl -l` — rule actually loaded?
   - Rule path doesn't exist or wrong type — auditd silently ignores
   - Service not running: `systemctl status auditd`
   - Rule loaded but no matches → review filter fields, exclude unwanted, ensure path is correct
7. **For "auditd eating CPU/disk"**:
   - `auditctl -s` — events/sec rate
   - `aureport --summary` — what's the volume from
   - Tune rules (remove broad watches, add exclusion filters)
   - Increase rate limit (`-r 1000` — 1000 events/sec then drop)
8. **For remote logging**:
   - `audisp-syslog` plugin forwards to syslog → rsyslog → SIEM
   - `audisp-remote` for native remote audit
   - Auditbeat (Elastic) as a modern shipper

Mark DESTRUCTIVE: `auditctl -D` (wipes runtime rules; doesn't touch persistent), `auditctl -e 0` (disables auditing entirely), modifying `/etc/audit/auditd.conf` `space_left_action` to `halt` (system halts when audit FS full).

---

Goal: [hardening / investigation / performance / debug]
Current rules (`auditctl -l`):
```
[PASTE]
```
`auditctl -s`:
```
[PASTE]
```
For investigation: timeframe + target event type:
[DESCRIBE]
Distro + auditd version: [DESCRIBE]

Why this prompt works

auditd is powerful but its rule syntax is gnarly, and overzealous rules tank performance. Most teams either have minimal compliance-driven rules (which miss attacker indicators) or kitchen-sink rules (which lose events to backlog). This prompt forces a goal-driven rule set.

How to use it

  1. Pick a goal: compliance, intrusion detection, or both.
  2. Start narrow. Add rules incrementally; monitor performance.
  3. Set keys (-k) on every rule for easy querying later.
  4. Forward logs off-host. Local audit logs can be erased by an attacker.

Useful commands

# Status
sudo auditctl -s                      # enabled, lost, backlog, rate
sudo auditctl -l                      # loaded rules

# Persistent config
ls /etc/audit/rules.d/                # *.rules files (sorted, concatenated)
sudo augenrules --load                # regenerate /etc/audit/audit.rules and load
cat /etc/audit/auditd.conf            # daemon config

# Add temporary rule (lost on reboot)
sudo auditctl -w /etc/sudoers -p wa -k sudoers
sudo auditctl -a always,exit -F arch=b64 -S execve -F path=/usr/bin/sudo -k sudo_exec

# Persistent rule (write to /etc/audit/rules.d/)
sudo tee /etc/audit/rules.d/10-cis.rules <<'EOF'
# Identity files
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers

# Time changes
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change

# Module loading
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module,delete_module -k modules

# Privileged commands (find suid/sgid binaries)
-a always,exit -F arch=b64 -F euid=0 -S execve -k root_commands

# File permission changes
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod

# Login records
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins

# Lock rules (require reboot to change)
-e 2
EOF

sudo augenrules --load

# Query
sudo ausearch -k identity
sudo ausearch -k sudoers --start today
sudo ausearch -m USER_LOGIN -ts today
sudo ausearch -ua james -ts today
sudo aureport -au --summary
sudo aureport -k

# Decode a binary path field
sudo ausearch -k root_commands | head -50 | aureport -i

# Performance check
sudo auditctl -s
# lost: should be 0
# backlog: persistent > 0 is bad

# Rate limit
sudo auditctl -r 100      # 100 events/sec; over → drop
sudo auditctl -b 8192     # backlog buffer size (events)

# Exclude noise
echo "-a never,user -F subj_type=initrc_t" | sudo tee -a /etc/audit/rules.d/00-exclude.rules
echo "-a never,exit -F path=/var/log/audit/audit.log" | sudo tee -a /etc/audit/rules.d/00-exclude.rules
sudo augenrules --load

Rule structure cheatsheet

File watch:
  -w <path> -p <r|w|x|a> -k <key>

Syscall rule:
  -a <action>,<filter> -F arch=<b32|b64> -S <syscall> -F <field>=<value> -k <key>

Common filters:
  -F auid>=1000           uid of logged-in user; system users excluded
  -F auid!=4294967295     exclude unset auid (kernel/system)
  -F exit=<retval>        match by syscall return
  -F success=1|0          successful vs failed syscall
  -F euid=0               effective uid 0 (root)
  -F path=<full-path>     specific path

Common findings this catches

  • No rules loaded → service running but auditctl -l empty; rules file missing or syntax error.
  • lost non-zero in auditctl -s → events dropped; tune rules or raise -b backlog.
  • Massive log volume from -S all or broad file watches → narrow filters.
  • Compliance audit fails because privileged commands aren’t logged → add -F euid=0 -S execve rule.
  • Rule appears in config but auditctl -l doesn’t show it → syntax error; check augenrules --check.
  • Logs not reaching SIEM → audisp plugin not running; cat /etc/audit/plugins.d/*.conf.
  • System halted on audit-full → space_left_action = halt; expected if configured for compliance.

Investigation patterns

Who changed /etc/passwd

sudo ausearch -k identity --start today | aureport -f -i
sudo ausearch -k identity --start today --format text

What commands did user X run as root

sudo ausearch -ua $(id -u <user>) -k root_commands --start today --format text

Was a specific file accessed

sudo ausearch -f /etc/shadow --start yesterday --end today

Failed login attempts

sudo ausearch -m USER_LOGIN -sv no --start today
sudo aureport -au -i --failed

When to escalate

  • Incident response: preserve logs immediately; copy off-host before any cleanup.
  • Performance tuning: large fleets need centralized policy management (Puppet, Ansible) — don’t ad-hoc per host.
  • SIEM integration breaking — coordinate with security team; audisp plugins are particular.

Related prompts

Newsletter

Get weekly AI workflows for DevOps engineers

Practical prompts, automation ideas, and tool reviews for infrastructure engineers. One email per week. No spam.