Для аудита всех компонентов ОС необходимо настроить auditd со следующими параметрами:
# auditd ruleset in auditctl / audit.rules syntax (loaded with "auditctl -R"
# or from the rules directory). Only full-line comments starting with '#'
# are allowed; nothing here is executable shell.
#
# NOTE(review): every "-a" rule below is written as "exit,always". auditctl
# accepts the list and action in either order, but "always,exit" is the
# order used in the auditctl documentation and in shipped rule sets;
# consider normalising when the file is next touched.
# NOTE(review): no rule carries a "-k <key>" tag, so matching events cannot
# be selected with "ausearch -k" / "aureport -k". A key per category
# (log files, modules, time change, network, deletion, ...) makes triage
# and alerting far easier.
# NOTE(review): only the 64-bit ABI (arch=b64) is covered. On a kernel with
# 32-bit compat syscalls enabled, a process using the 32-bit ABI is not
# matched by these rules; the usual practice is to pair each "-S" rule with
# an identical "-F arch=b32" rule.
# NOTE(review): no backlog size ("-b") and no enable/lock flag ("-e") appear
# in this fragment. Several rules below (notably "read") are very high
# volume; confirm with "auditctl -s" after loading that lost/backlog
# counters stay at zero, or the audit trail silently loses events.

# Informational messages: watches on the main system log files.
# "-p w" records writes only. Adding attribute changes ("-p wa") also
# records chmod/chown/chattr on the log files, which is how log tampering
# is typically concealed — TODO confirm this is intentionally narrow.
-w /var/log/messages -p w
-w /var/log/secure -p w
-w /var/log/maillog -p w
-w /var/log/spooler -p w
-w /var/log/boot.log -p w

# System-call audit. Each rule logs every exit of the named syscall for
# every process, with no -F uid/auid/exit filters.
# Process accounting on/off
-a exit,always -F arch=b64 -S acct
# Clock / time adjustment
-a exit,always -F arch=b64 -S adjtimex
-a exit,always -F arch=b64 -S clock_adjtime
# Kernel module unload (load is init_module below; finit_module is not
# listed — TODO confirm whether it should be)
-a exit,always -F arch=b64 -S delete_module
# Program execution. Unfiltered execve is noisy on busy hosts but is the
# single most useful rule here for reconstructing activity.
-a exit,always -F arch=b64 -S execve
# Kernel module load
-a exit,always -F arch=b64 -S init_module
# Asynchronous I/O (AIO) context lifecycle
-a exit,always -F arch=b64 -S io_cancel
-a exit,always -F arch=b64 -S io_destroy
-a exit,always -F arch=b64 -S io_getevents
-a exit,always -F arch=b64 -S io_setup
-a exit,always -F arch=b64 -S io_submit
# Raw I/O port privilege changes
-a exit,always -F arch=b64 -S ioperm
-a exit,always -F arch=b64 -S iopl
# Process/resource comparison between tasks
-a exit,always -F arch=b64 -S kcmp
# Kernel keyring operations
-a exit,always -F arch=b64 -S keyctl
# Signal delivery (frequent; every kill() from every process is logged)
-a exit,always -F arch=b64 -S kill
# NUMA memory policy
-a exit,always -F arch=b64 -S mbind
# Memory protection changes (very frequent — dynamic loaders and JITs call
# this constantly; expect high volume)
-a exit,always -F arch=b64 -S mprotect
# File-handle based lookup/open, which sidesteps normal path resolution
-a exit,always -F arch=b64 -S name_to_handle_at
-a exit,always -F arch=b64 -S open_by_handle_at
# Performance counter / tracing access
-a exit,always -F arch=b64 -S perf_event_open
# Disk quota manipulation
-a exit,always -F arch=b64 -S quotactl
# NOTE(review): auditing every read() on the whole system is among the
# most expensive rules possible; it will dominate the log and is the most
# likely cause of backlog overflow. Consider scoping it (e.g. by auid or
# exit status) or dropping it.
-a exit,always -F arch=b64 -S read
# System reboot / halt
-a exit,always -F arch=b64 -S reboot
# Page remapping within a mapping
-a exit,always -F arch=b64 -S remap_file_pages
-a exit,always -F arch=b64 -S set_mempolicy
# Per-thread setup calls, invoked at every thread/process start (noisy)
-a exit,always -F arch=b64 -S set_robust_list
-a exit,always -F arch=b64 -S set_thread_area
-a exit,always -F arch=b64 -S set_tid_address
# Host identity changes
-a exit,always -F arch=b64 -S setdomainname
-a exit,always -F arch=b64 -S sethostname
# Joining another namespace (container / sandbox boundary changes)
-a exit,always -F arch=b64 -S setns
# Socket lifecycle and options
-a exit,always -F arch=b64 -S setsockopt
-a exit,always -F arch=b64 -S shutdown
-a exit,always -F arch=b64 -S socket
-a exit,always -F arch=b64 -S socketpair
# Zero-copy pipe/file transfer
-a exit,always -F arch=b64 -S splice
# Swap configuration
-a exit,always -F arch=b64 -S swapoff
-a exit,always -F arch=b64 -S swapon
# File deletion (unlink here, unlinkat below); no rule for rename/renameat
# is visible in this fragment — TODO confirm
-a exit,always -F arch=b64 -S unlink
# Filesystem unmount (umount2 only; mount is not listed in this fragment)
-a exit,always -F arch=b64 -S umount2
# System identification query (frequent; low signal on its own)
-a exit,always -F arch=b64 -S uname
-a exit,always -F arch=b64 -S unlinkat
-a exit,alw