Home Security & Privacy Linux Audit Rules

Linux Audit Rules Cheat Sheet

Track critical files

Last Updated: November 21, 2025

Focus Areas

Focus
Define watch rules
Monitor `ausearch` output

Commands & Queries

auditctl -w /etc/passwd -p wa -k passwd_changes
Watch password file
ausearch -k passwd_changes
Review events
auditctl -l
List rules

Summary

Audit rules reveal who touched critical resources.

Related Cheat Sheets

Vault Secrets Engines

Enable engines, generate dynamic credentials, and renew leases

Incident Response

Declare incidents, contain, communicate, and learn

Node.js Security

Audit dependencies, configure CSP, and lock env variables

Passwordless Authentication

Deploy magic links, WebAuthn passkeys, and OTP flows

💡 Pro Tip: Store audit logs centrally and rotate them.

Related Cheat Sheets

Browse all Security & Privacy →

← Back to Security & Privacy | Browse all categories | View all cheat sheets