Chanaka Rathnayaka

Security Leader. Cloud Architect. Builder.

Harden Your RHEL Servers auditd Rules: A Practical Guide for SREs and Security Engineers

When it comes to securing Linux servers, auditd is a powerful but often overlooked tool. In this post, I’ll show you how to set up a solid baseline of auditd rules for RHEL 8 using the CIS Level 1 Benchmark. This setup helps you track key system changes, detect unusual activity, and stay compliant with security standards.

1. What is CIS Level 1

The Center for Internet Security (CIS) publishes security benchmarks that help organizations harden their systems. These benchmarks define two levels of hardening, Level 1 and Level 2.

  • Level 1 is focused on basic security hygiene. It is meant to protect systems without breaking normal functionality.
  • Level 2 is stricter. It is designed for environments where security is a top priority, such as production servers or systems that handle sensitive data.

In this post, I’m using the CIS Level 1 benchmark as the baseline since it offers solid protection and visibility into system activity without causing much performance impact. Be cautious if you plan to use Level 2 audit rules: they can affect performance, especially on systems with heavy I/O workloads.

2. AuditD Baseline Rule Set

The following baseline is aligned with the CIS Level 1 benchmark requirements. Add the rules below to /etc/audit/rules.d/cis_level1.rules (create the file if it does not exist).

2.1 Time and Date Changes (CIS 4.1.4)

-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -k time-change
-w /etc/localtime -p wa -k time-change

2.2 User/Group Information Changes (CIS 4.1.5)

-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

2.3 Network Environment (CIS 4.1.6)

-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale

2.4 Mandatory Access Control (CIS 4.1.7)

-w /etc/selinux/ -p wa -k MAC-policy

2.5 Login and Logout Events (CIS 4.1.8 - 4.1.9)

-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

2.6 Discretionary Access Control Modifications (CIS 4.1.10)

-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod

2.7 File Deletion Events (CIS 4.1.11)

-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete

2.8 Audit Configuration Changes (CIS 4.1.14)

-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k auditconfig

2.9 Kernel Module Loading/Unloading (CIS 4.1.15)

-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules

2.10 Immutable Configuration (CIS 4.1.17)

-e 2
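Every rule above tags its records with a -k key, and that key is what you pivot on once the rules are live. The following added example (mine, not part of the original post) does offline triage of raw audit.log records by those keys with plain awk: events per key, events for one key caused by a given login uid, and who actually touched the identity files. The log lines are constructed to look like RHEL 8 SYSCALL records and are not real captures.

```shell
#!/bin/sh
# Added example (not from the original post): offline triage of raw audit.log
# records by the keys the rule set above assigns. The log lines below are
# constructed to look like RHEL 8 SYSCALL records; they are not real captures.

SAMPLE_LOG=$(cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=4101 pid=4102 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="usermod" exe="/usr/sbin/usermod" key="identity"
type=PATH msg=audit(1700000000.101:201): item=1 name="/etc/passwd" inode=131 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.250:202): arch=c000003e syscall=90 success=yes exit=0 items=1 ppid=5200 pid=5201 auid=1000 uid=1000 gid=1000 euid=1000 ses=3 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=SYSCALL msg=audit(1700000000.300:203): arch=c000003e syscall=313 success=yes exit=0 items=1 ppid=1 pid=610 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="modprobe" exe="/usr/sbin/modprobe" key="modules"
type=SYSCALL msg=audit(1700000000.400:204): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=5200 pid=5320 auid=1000 uid=1000 gid=1000 euid=1000 ses=3 comm="rm" exe="/usr/bin/rm" key="delete"
type=SYSCALL msg=audit(1700000000.500:205): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=6000 pid=6001 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="vi" exe="/usr/bin/vi" key="identity"
EOF
)

# Count SYSCALL records per key (stdin = audit.log), busiest key first.
events_by_key() {
    awk '$1 == "type=SYSCALL" {
            for (i = 1; i <= NF; i++) if ($i ~ /^key=/) {
                k = $i; sub(/^key="?/, "", k); sub(/"$/, "", k); n[k]++
            }
        }
        END { for (k in n) print k, n[k] }' | sort -k2,2nr -k1,1
}

# Count SYSCALL records that carry KEY and were caused by login uid AUID.
# Usage: count_key_auid KEY AUID < audit.log
count_key_auid() {
    awk -v key="key=\"$1\"" -v auid="auid=$2" '
        $1 == "type=SYSCALL" {
            hk = 0; ha = 0
            for (i = 1; i <= NF; i++) { if ($i == key) hk = 1; if ($i == auid) ha = 1 }
            if (hk && ha) n++
        }
        END { print n + 0 }'
}

# Print "auid comm" for every identity-key record: who touched passwd/shadow & co,
# attributed to the original login (auid) even when the command ran as root via sudo.
identity_changes() {
    awk '$1 == "type=SYSCALL" && /key="identity"/ {
            a = ""; c = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^auid=/) a = substr($i, 6)
                if ($i ~ /^comm=/) { c = substr($i, 7); sub(/"$/, "", c) }
            }
            print a, c
        }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | events_by_key
printf '%s\n' "$SAMPLE_LOG" | identity_changes
```

On a real server feed the functions with /var/log/audit/audit.log or with `ausearch -k identity --raw`. Two things the sample makes visible: the identity records are attributed to auid 1000 even though uid is 0 (the user went through sudo), which is exactly why the auid filters in sections 2.6 and 2.7 are useful; and the modules rule in 2.9 has no auid filter, so system-initiated module loads (auid 4294967295, i.e. unset) are recorded alongside interactive ones and should be expected in the baseline noise.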

Once the .rules file is created, run the commands below to merge and load the rules from /etc/audit/rules.d/, restart the daemon, and list what the kernel now has:

augenrules --load
service auditd restart
auditctl -l

Use service rather than systemctl for the restart: the auditd unit on RHEL sets RefuseManualStop=yes, so systemctl restart auditd is refused. Keep in mind that once -e 2 has taken effect the loaded rules can no longer be changed at runtime (auditctl -s reports enabled 2), so any later edit to the rules files only applies after a reboot.
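Reading auditctl -l by eye is error-prone once the list is long, so here is an added check (my own example, not from the original post) that compares the running ruleset against the ten keys defined above and confirms the immutable flag. It reads auditctl -l and auditctl -s output on stdin; the sample outputs embedded in the block are constructed, and auditctl prints watch rules as "-k key" and syscall rules as "-F key=key", so both forms are parsed.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every key from the
# CIS Level 1 rule set above is present in the running ruleset and that the
# configuration is immutable. The auditctl output below is constructed.

EXPECTED_KEYS="time-change identity system-locale MAC-policy logins session perm_mod delete auditconfig modules"

# Constructed `auditctl -l` output covering every section of the rule set.
LOADED_FULL=$(cat <<'EOF'
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -F key=time-change
-w /etc/localtime -p wa -k time-change
-w /etc/passwd -p wa -k identity
-w /etc/hosts -p wa -k system-locale
-w /etc/selinux -p wa -k MAC-policy
-w /var/log/lastlog -p wa -k logins
-w /var/run/utmp -p wa -k session
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=-1 -F key=delete
-w /etc/audit -p wa -k auditconfig
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F key=modules
EOF
)
# The same output with two sections left out, to show what a gap looks like.
LOADED_PARTIAL=$(printf '%s\n' "$LOADED_FULL" | grep -v -e 'key=delete' -e 'key=modules')

# Print each expected key that no loaded rule carries. Reads `auditctl -l` on stdin.
missing_keys() {
    loaded=$(awk '{ for (i = 1; i <= NF; i++) {
                        if ($i == "-k") print $(i + 1)
                        else if ($i ~ /^key=/) print substr($i, 5)
                    } }' | sort -u)
    for k in $EXPECTED_KEYS; do
        printf '%s\n' "$loaded" | grep -qxF -- "$k" || echo "$k"
    done
}

# Succeed only if `auditctl -s` output (stdin) reports "enabled 2" (rules locked).
rules_immutable() {
    awk '$1 == "enabled" && $2 == 2 { ok = 1 } END { if (ok) exit 0; exit 1 }'
}

# Demo on the constructed samples.
echo "missing from partial ruleset:"
printf '%s\n' "$LOADED_PARTIAL" | missing_keys
printf 'enabled 2\nfailure 1\npid 812\n' | rules_immutable && echo "ruleset is immutable"
```

On a live host run `auditctl -l | missing_keys` and `auditctl -s | rules_immutable` after the load step. A non-empty list of missing keys combined with enabled 2 means the rules file needs fixing and the host needs a reboot before the corrected set can load.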

Cheers!
