https://github.com/Neo23x0/auditd
The idea of this auditd configuration is to provide a basic configuration that
- works out-of-the-box on all major Linux distributions
- fits most use cases
- produces a reasonable amount of log data
- covers security relevant activity
- is easy to read (different sections, many comments)
Hunting for Persistence in Linux (Part 1): Auditd, Sysmon, Osquery (and Webshells)