Kernel-level audit logging with CIS Benchmark 4.1.x rules and SIEM-ready output.
- ✅ CIS Benchmark Aligned - 20+ rules from CIS Ubuntu Linux Benchmark 4.1.x
- ✅ Three Rule Profiles - Base (Level 1), Aggressive (Level 2), Docker-aware
- ✅ Immutable Rules - Prevents tampering (requires reboot to change)
- ✅ Prometheus Metrics - Export audit statistics for monitoring
- ✅ SIEM-Ready - Standard format for log aggregation (rsyslog, Filebeat)
- ✅ Production Scripts - Deploy, validate, and monitor audit rules
```bash
# 1. Install auditd
sudo apt install auditd audispd-plugins
# 2. Deploy CIS-aligned rules (choose one)
sudo cp audit-base.rules.template /etc/audit/rules.d/99-cis-base.rules
# 3. Load rules
sudo augenrules --load
sudo systemctl restart auditd
```
Full guide: See docs/SETUP.md
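A pre-load sanity check for a deployed rules file, added here as an example and not one of the project's own scripts: it confirms a few expected CIS-style watch rules are present and that the immutable flag `-e 2` is the last active line, since auditd rejects any rule that follows it. The three rule patterns are my assumption of typical CIS 4.1.x controls, not the contents of the project's templates.

```bash
#!/usr/bin/env bash
# Added example (not the project's code): validate a rules file before
# `augenrules --load`. Rule patterns below are assumed CIS 4.1.x controls.

# Each entry: "<audit key>|<text that must appear in the file>"
REQUIRED_RULES=(
  "scope|-w /etc/sudoers -p wa -k scope"           # sudoers modifications
  "identity|-w /etc/passwd -p wa -k identity"      # user/group changes
  "time-change|-S clock_settime"                   # date/time changes
)

# Usage: check_rules_file FILE ; returns 0 when all checks pass, 1 otherwise.
check_rules_file() {
  local file="$1" rc=0 entry key pattern last
  [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 1; }

  for entry in "${REQUIRED_RULES[@]}"; do
    key="${entry%%|*}"; pattern="${entry#*|}"
    if grep -qF -- "$pattern" "$file"; then
      echo "ok:   rule for key '$key' present"
    else
      echo "FAIL: no rule for key '$key' (expected: $pattern)"; rc=1
    fi
  done

  # The immutable flag must be the LAST active rule: anything after it is
  # rejected at load time. Drop comments/blank lines and inspect the tail.
  # (With several files in rules.d, it must be last across the merged set.)
  last="$(grep -vE '^[[:space:]]*(#|$)' "$file" | tail -n 1)"
  if [ "$last" = "-e 2" ]; then
    echo "ok:   '-e 2' is the final rule (immutable; reboot needed to change)"
  else
    echo "FAIL: last active line is '$last', expected '-e 2'"; rc=1
  fi
  return "$rc"
}

# Stand-alone use: ./check-rules.sh /etc/audit/rules.d/99-cis-base.rules
if [ -n "${1:-}" ]; then check_rules_file "$1"; fi
```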
| Document | Description |
|---|---|
| SETUP.md | Installation, rule deployment, and SIEM integration |
| CIS_CONTROLS.md | CIS Benchmark 4.1.x mapping and rule explanations |
| TROUBLESHOOTING.md | Common issues (log rotation, performance impact) |
- Ubuntu 22.04+ / Debian 11+
- auditd v3.0+
- Root/sudo access
- Optional: Prometheus + node_exporter (for metrics)
| Profile | Level | Rules | Use Case |
|---|---|---|---|
| Base | CIS Level 1 | ~50 rules | Production servers (balanced) |
| Aggressive | CIS Level 2 / STIG | ~80 rules | High-security environments |
| Docker-aware | Custom | ~60 rules | Container hosts (excludes Docker paths) |
- ✅ Production Servers - Real-time "who did what when" forensics
- ✅ Compliance - Meet CIS Benchmark and STIG requirements
- ✅ Incident Response - Kernel-level event logging for investigations
- ✅ SIEM Integration - Feed logs to Splunk, ELK, or other SIEMs
- ✅ Container Hosts - Monitor Docker configuration changes
- aide - File integrity monitoring
- rkhunter - Rootkit detection
- lynis - Security auditing and compliance