auditd rules for a small server: the 12 rules that catch real intrusions without drowning you in noise
The first time I enabled auditd with the default rules on a small VPS, /var/log/audit/audit.log grew to 2 GB in eight hours and I watched the disk fill in real time. The default ruleset is built for compliance audits — …