# First rule - delete all
-D

# Feel free to add below this line. See auditctl man page

# audit when some special /dev/ files are written to
-w /dev/mem -k kernel -p wa
-w /dev/kmem -k kernel -p wa