Many Linux administrators are required to deploy Auditd in order to meet government or industry security compliance requirements. In this talk we will dive into common Linux Audit configurations and determine their value when responding to successful attacks. Finally by examining real world attacks, we can create Auditd rules that can alert us following the successful exploitation of a service.