Question 1

How to install the neo23x0 auditd configuration on Ubuntu?

Accepted Answer

Download the configuration file from the GitHub repo, place it in /etc/audit/audit.rules or the auditd rules directory, and restart the auditd service. Ensure you back up any existing rules first to avoid conflicts.

Question 2

Is this auditd config compatible with CentOS 8?

Accepted Answer

Yes, the README states it works out-of-the-box on all major Linux distributions, including CentOS variants, but verify auditd version compatibility as some rules might need adjustments for newer kernels.

Question 3

What are the performance impacts of using this auditd config?

Accepted Answer

It's optimized to reduce log volume, but auditd can still consume CPU and disk I/O; monitor your system and tune rules if needed, especially on high-traffic servers.

Question 4

How to extend neo23x0 auditd rules for PCI DSS compliance?

Accepted Answer

Refer to the linked rules in the README from the audit-userspace repository, integrate them into the configuration, and test thoroughly to ensure all compliance requirements are met without conflicts.

Question 5

Auditd vs osquery for Linux security monitoring – which is better?

Accepted Answer

Auditd with this config offers kernel-level, continuous logging for deep system visibility, while osquery is more flexible for ad-hoc queries. This config makes auditd manageable, but osquery might suit dynamic environments better.

Question 6

Can I use this auditd config in Docker containers?

Accepted Answer

It's designed for full Linux systems; containers often use lighter auditing or omit auditd due to resource constraints, so this config may be overkill and require significant adaptation.

Linux auditd Detection Ruleset

What is Linux auditd Detection Ruleset?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions