Linux Auditd Essentials for Privilege Escalation Detection

Auditd provides reliable, tamper-resistant logging for sensitive system activity. A focused ruleset can highlight privilege escalation attempts without flooding your logs.

This post covers a minimal ruleset and basic queries to validate it.

Install and enable auditd

On Debian or Ubuntu:

sudo apt update
sudo apt install -y auditd audispd-plugins
sudo systemctl enable --now auditd

Minimal ruleset for privilege escalation

Create a rules file to monitor identity changes, sudo configuration, and privileged command execution.

# /etc/audit/rules.d/priv-esc.rules
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/ssh/sshd_config -p wa -k sshd

-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k priv_cmd
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k priv_cmd

These execve rules capture commands executed with an effective uid of 0 by a logged-in human user (auid at or above 1000 and not the "unset" value 4294967295), which is the common footprint of a privilege escalation: the login uid survives sudo, su and setuid binaries even though the effective uid becomes root.

Load the rules:

sudo augenrules --load
sudo systemctl restart auditd

Validate with searches

Use ausearch to confirm events are flowing.

sudo ausearch -k sudoers -ts today
sudo ausearch -k priv_cmd -ts today

For a summary, use aureport.

sudo aureport -k --summary

Reduce noise

If logs are too chatty, tighten the rules:

  • Add -F uid>=1000 to focus on human users.
  • Watch specific binaries instead of all execve calls.
  • Exclude known maintenance jobs with -F exe!=....
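The searches above and the noise-reduction filters both operate on the same raw audit records, so it helps to see what ausearch and aureport are actually matching on. The following is an added example (not code from the post or from the audit userspace project): it parses constructed SYSCALL, EXECVE and PATH records in the audit.log line format, builds a per-key summary like aureport -k --summary, and lists priv_cmd events that were run as root by a logged-in human user, applying the same auid filters as the ruleset plus an optional exe exclusion list that mirrors the -F exe!= idea in post-processing. The sample log lines and the exclusion of /usr/bin/apt-get are assumptions for illustration.

```python
"""Parse raw auditd records and summarise them per rule key.

Added example for this post, not part of the original. Runs offline; the
records below are constructed samples in the auditd line format, not captures.
"""
import re
from collections import Counter, defaultdict

UNSET_AUID = 4294967295  # auditd's "unset" login uid, as used in the ruleset

# Constructed sample of /var/log/audit/audit.log content (field values are made up).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2301 pid=2310 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="priv_cmd"
type=EXECVE msg=audit(1700000000.101:501): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1700000000.103:503): arch=c000003e syscall=59 success=yes exit=0 ppid=2301 pid=2311 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="apt-get" exe="/usr/bin/apt-get" key="priv_cmd"
type=EXECVE msg=audit(1700000000.103:503): argc=2 a0="apt-get" a1="update"
type=SYSCALL msg=audit(1700000000.104:504): arch=c000003e syscall=257 success=yes exit=3 ppid=2301 pid=2312 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="sudoers"
type=PATH msg=audit(1700000000.104:504): item=0 name="/etc/sudoers" inode=1234 dev=fd:01 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

_HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Split one audit line into (record type, event id, fields dict)."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rtype, timestamp, serial, body = m.groups()
    # Quoted values lose their quotes; bare values (uid=0, tty=pts0) are kept as-is.
    fields = {key: (quoted if raw.startswith('"') else raw)
              for key, raw, quoted in _FIELD.findall(body)}
    return rtype, f"{timestamp}:{serial}", fields


def group_events(log_text):
    """Group records by event id; one execve yields SYSCALL + EXECVE (+ PATH) records."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed is not None:
            rtype, event_id, fields = parsed
            events[event_id][rtype] = fields
    return events


def summarize_by_key(log_text):
    """Count events per rule key, the same view `aureport -k --summary` gives."""
    counts = Counter()
    for records in group_events(log_text).values():
        syscall = records.get("SYSCALL")
        if syscall and "key" in syscall:
            counts[syscall["key"]] += 1
    return counts


def is_real_user(auid):
    """Mirror the ruleset's -F auid>=1000 -F auid!=4294967295 filters."""
    return auid >= 1000 and auid != UNSET_AUID


def find_privileged_commands(log_text, exclude_exe=()):
    """Return priv_cmd events run as root (euid=0) by a logged-in human user.

    exclude_exe applies the post's -F exe!= noise-reduction idea after the
    fact, so known maintenance tools can be dropped from the review list.
    """
    hits = []
    for event_id, records in sorted(group_events(log_text).items()):
        syscall = records.get("SYSCALL", {})
        if syscall.get("key") != "priv_cmd":
            continue
        auid = int(syscall.get("auid", UNSET_AUID))
        euid = int(syscall.get("euid", -1))
        exe = syscall.get("exe", "")
        if euid != 0 or not is_real_user(auid) or exe in exclude_exe:
            continue
        execve = records.get("EXECVE", {})
        argv = [execve.get(f"a{i}", "") for i in range(int(execve.get("argc", 0)))]
        hits.append({"event": event_id, "auid": auid, "exe": exe,
                     "argv": argv, "tty": syscall.get("tty", "")})
    return hits


if __name__ == "__main__":
    for key, n in sorted(summarize_by_key(SAMPLE_AUDIT_LOG).items()):
        print(f"{key}: {n}")
    # Assumed exclusion: apt-get is treated as a known maintenance job here.
    for hit in find_privileged_commands(SAMPLE_AUDIT_LOG, exclude_exe={"/usr/bin/apt-get"}):
        print(f"auid={hit['auid']} tty={hit['tty']} exe={hit['exe']} argv={' '.join(hit['argv'])}")
```

Feed it the output of `sudo ausearch -k priv_cmd --raw` (or the audit.log file directly) instead of the embedded sample to run it against a live host. The auid, not the uid, is what ties a root command back to the person who logged in, which is why both the ruleset and this filter key on it; a uid-based filter would miss commands whose uid has already become 0 under sudo.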

Takeaways

Auditd gives you high-confidence telemetry for critical system changes. A small ruleset focused on identity changes and privileged execution provides strong coverage without overwhelming storage.

This post is licensed under CC BY 4.0 by the author.