From f4dc8aa2c8a57122bf37a5b365799dc151745bdc Mon Sep 17 00:00:00 2001
From: Mikel Olasagasti Uranga <mikel@olasagasti.info>
Date: Thu, 7 May 2026 21:54:00 +0200
Subject: [PATCH] Add auditd rules

---
 README.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/README.md b/README.md
index 14814d7..5cdecf0 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,16 @@ path.
 *MSG_SPLICE_PAGES UDP support was added in 6.5, so 5.15 is below the
 bug's reach.
 
+## Auditd rule
+
+~~~
+sudo tee /etc/audit/rules.d/xfrm_netlink.rules >/dev/null <<'EOF'
+-a always,exit -F arch=b64 -S socket -F a0=16 -F a2=6 -k xfrm_netlink_socket
+-a always,exit -F arch=b32 -S socket -F a0=16 -F a2=6 -k xfrm_netlink_socket
+EOF
+sudo augenrules --load
+~~~
+
 ## Credits
 
 Hyunwoo Kim (imv4bel) and Kuan-Ting Chen reported, tested,