At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd
daemon is
configured to use the augenrules
program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules
in the directory /etc/audit/rules.d
:
-w /sbin/rmmod -p x -k modules