Ubuntu - Auditing - List auditd rules

When auditd is first installed, no rules are loaded yet.

Check which audit rules are currently set:

sudo auditctl -l

Result:

If no rules were set:

No rules

otherwise, something like this:

-a always,exit -F arch=b64 -S mknod,mknodat -F key=specialfiles
-a always,exit -F arch=b64 -S mount,umount2 -F key=mount
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -F key=time
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/crontabs/ -p rwxa -k cron
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -p rwxa -k etcgroup
-w /etc/shadow -p rwxa -k etcpasswd
-w /etc/security/opasswd -p rwxa -k opasswd
-w /usr/bin/passwd -p x -k passwd_modification
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login
-w /etc/hosts -p wa -k hosts
-w /etc/network/ -p wa -k network
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init
-w /etc/ld.so.conf -p wa -k libpath
-w /etc/localtime -p wa -k localtime
-w /etc/sysctl.conf -p wa -k sysctl
-w /etc/modprobe.conf -p wa -k modprobe
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam
-w /etc/aliases -p wa -k mail
-w /etc/postfix -p wa -k mail
-w /etc/ssh/sshd_config -p rwxa -k sshd
-a always,exit -F arch=b64 -S sethostname -F key=hostname
-w /etc/issue -p wa -k etcissue
-w /etc/issue.net -p wa -k etcissue
-a always,exit -F arch=b64 -S execve -F euid=0 -F key=rootcmd
-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -F key=unauthedfileacess
-a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -F key=unauthedfileacess
-a always,exit -F arch=b64 -S open -F dir=/sbin -F success=0 -F key=unauthedfileacess
-a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -F key=unauthedfileacess
-a always,exit -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -F key=unauthedfileacess
-a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -F key=unauthedfileacess
-a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -F key=unauthedfileacess
-a always,exit -F arch=b64 -S open -F dir=/srv -F success=0 -F key=unauthedfileacess
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /etc/sudoers -p rw -k priv_esc
-w /sbin/shutdown -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/halt -p x -k power
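
One way to review a listing like the one above (an added example, not part of the original page): this Python script parses `auditctl -l` output, counts rules per key, reports expected keys that no rule carries, and lists arch=b64 syscall rules whose key has no arch=b32 rule, since a syscall rule only matches the ABI named in its arch field. The baseline key list, the script name and the arch=b32 sample line are assumptions.

```python
import shlex
import sys
from collections import Counter

# Constructed sample in `auditctl -l` format: five rules from the listing above
# plus one constructed arch=b32 line (not in the listing) to exercise the check.
SAMPLE = """\
-a always,exit -F arch=b64 -S mount,umount2 -F key=mount
-w /etc/passwd -p wa -k etcpasswd
-w /etc/shadow -p rwxa -k etcpasswd
-w /usr/bin/sudo -p x -k priv_esc
-a always,exit -F arch=b64 -S execve -F euid=0 -F key=rootcmd
-a always,exit -F arch=b32 -S execve -F euid=0 -F key=rootcmd
"""

def parse_rules(text):
    """Turn `auditctl -l` output into a list of dicts; 'No rules' yields []."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] not in ("-a", "-w"):
            continue  # blank line or the literal "No rules"
        rule = {"key": None, "arch": None, "raw": line.strip()}
        # Every option is a flag/value pair: -w PATH, -p PERMS, -k KEY, -F FIELD ...
        for flag, value in zip(tokens[0::2], tokens[1::2]):
            if flag == "-k":
                rule["key"] = value
            elif flag == "-F" and value.startswith("key="):
                rule["key"] = value[len("key="):]
            elif flag == "-F" and value.startswith("arch="):
                rule["arch"] = value[len("arch="):]
        rules.append(rule)
    return rules

def rules_per_key(rules):
    """Count loaded rules under each key (the value passed to `ausearch -k`)."""
    return Counter(r["key"] for r in rules)

def missing_keys(rules, expected):
    """Keys a baseline expects that no loaded rule carries."""
    return sorted(set(expected) - {r["key"] for r in rules})

def b64_only(rules):
    """arch=b64 syscall rules whose key has no arch=b32 rule (32-bit ABI not covered)."""
    b32_keys = {r["key"] for r in rules if r["arch"] == "b32"}
    return [r["raw"] for r in rules if r["arch"] == "b64" and r["key"] not in b32_keys]

if __name__ == "__main__":
    # Usage (file name is hypothetical): sudo auditctl -l | python3 audit_rules.py
    rules = parse_rules(SAMPLE if sys.stdin.isatty() else sys.stdin.read())
    print(dict(rules_per_key(rules)))
    print("missing:", missing_keys(rules, ["cron", "priv_esc", "sshd"]))
    print("b64 only:", *b64_only(rules), sep="\n  ")
```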