Before starting audit, create a dedicated filesystem for /var/log/audit (minimum 1GB)
Configure grub2 so that processes that are capable of being audited can be audited even if they start up prior to auditd startup
Check whether audit=1 is already on the kernel command line:
[root@linux01 ~]# grubby --info=ALL | grep -Po '\baudit=1\b'
audit=1
Otherwise, add it to every kernel entry:
[root@linux01 ~]# grubby --update-kernel ALL --args 'audit=1'
During boot, if audit=1 is set, the kernel backlog holds only 64 records by default. If more than 64 records are created before auditd is running, they are lost and potentially malicious activity could go undetected. The recommended value is 8192 or larger. Check the current setting (the grubby change takes effect at the next boot):
[root@linux01 ~]# grubby --info=ALL | grep -Po "\baudit_backlog_limit=\d+\b"
audit_backlog_limit=<BACKLOG SIZE>
[root@linux01 ~]# grubby --update-kernel ALL --args 'audit_backlog_limit=8192'
Activate the auditd service (the unit is named auditd, not audit):
[root@linux01 ~]# systemctl --now enable auditd
Check log size and rotation
[root@linux01 ~]# cat /etc/audit/auditd.conf
max_log_file = 8
num_logs = 5
...
List rules
[root@linux01 ~]# auditctl -l
No rules
List parameters
[root@linux01 ~]# auditctl -s
enabled 1
failure 1
pid 1002
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
loginuid_immutable 0 unlocked
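As an added example that is not part of these notes: a POSIX sh checker that applies the two boot-time requirements above (audit=1 on every kernel entry, audit_backlog_limit of at least 8192) to saved `grubby --info=ALL` and `auditctl -s` output. The sample outputs are constructed, and the `args=` line layout and the 8192 threshold are assumptions taken from the page.

```shell
# Constructed sample of `auditctl -s` output (assumed to match the layout on the page).
STATUS_SAMPLE='enabled 1
failure 1
pid 1002
backlog_limit 8192
backlog 0'

# Constructed sample of `grubby --info=ALL` for two kernel entries; the second lacks audit=1.
GRUBBY_SAMPLE='index=0
args="ro quiet audit=1 audit_backlog_limit=8192"
index=1
args="ro quiet audit_backlog_limit=8192"'

# audit_field TEXT KEY: print the value from the "KEY value" line of auditctl -s output.
audit_field() {
  while read -r key val _; do
    if [ "$key" = "$2" ]; then printf '%s\n' "$val"; return 0; fi
  done <<EOF
$1
EOF
  return 1
}

# check_backlog TEXT MIN: succeed only if backlog_limit is present and at least MIN.
check_backlog() {
  v=$(audit_field "$1" backlog_limit) || return 1
  [ "$v" -ge "$2" ]
}

# check_grub_args TEXT: succeed only if every args= line has audit=1 and audit_backlog_limit>=8192.
check_grub_args() {
  kernels=0 bad=0
  while IFS= read -r line; do
    case $line in args=*) ;; *) continue ;; esac
    kernels=$((kernels + 1))
    has_audit=0 limit=0
    for word in $(printf '%s' "${line#args=}" | tr -d '"'); do
      case $word in
        audit=1) has_audit=1 ;;
        audit_backlog_limit=*) limit=${word#*=} ;;
      esac
    done
    if [ "$has_audit" -ne 1 ] || [ "$limit" -lt 8192 ]; then bad=$((bad + 1)); fi
  done <<EOF
$1
EOF
  [ "$kernels" -gt 0 ] && [ "$bad" -eq 0 ]
}
```

On a live host the same functions take `"$(grubby --info=ALL)"` and `"$(auditctl -s)"` as their TEXT argument; a non-zero exit from either check means the boot-time setting still needs fixing.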