diff --git a/NEWS b/NEWS
index e7e08b778ab885826c2fc404b75be2f5a1549169..90c513a22e97bcdee28b52d388e81a264048efc9 100644
--- a/NEWS
+++ b/NEWS
@@ -1,7 +1,10 @@
-Unreleased
+release/001.012 (2015-09-23)
 
     Filter "Audit daemon rotating log files" log entry (akkornel)
 
+    Add default audit.rules for 32-bit systems and push out
+    accordingly (jlent)
+
 release/001.011 (2015-09-09)
 
     Removing MORE duplicate entries from audit.rules (/etc/ssh,
diff --git a/files/etc/audit/audit.rules.i386 b/files/etc/audit/audit.rules.i386
new file mode 100644
index 0000000000000000000000000000000000000000..958314ba379c4eaf9be15dfd4505ee0d6dee1b40
--- /dev/null
+++ b/files/etc/audit/audit.rules.i386
@@ -0,0 +1,40 @@
+# auditctl rules that are loaded whenever the audit daemon is
+# started via the initscripts.
+
+# First rule - delete all
+-D
+
+# Increase the buffers to survive stress events.
+# Make this bigger for busy systems
+-b 32767
+
+# The following rules create log entries to be written whenever the
+# rmdir, unlink, execve system calls exit. This will record file
+# deletion and command line executions.
+-a exit,always -F arch=b32 -S execve -k EXEC
+# Uncomment if you want BIND and CONNECT events to be logged
+#-a exit,always -F arch=b32 -S bind       -k BIND       -F exit!=-2
+#-a exit,always -F arch=b32 -S connect    -k CONNECT    -F exit!=-2
+-a exit,always -F arch=b32 -S socketcall -k SOCKETCALL -F exit!=-2
+-a exit,always -F arch=b32 -S link -S unlink -k FILEWRITE
+-a exit,always -F arch=b32 -S mkdir -S rmdir -k FILEWRITE
+
+# The following rules create log entries when the critical system
+# files are created or deleted.
+-w /bin -p wa -k binfiles
+-w /etc/audisp -p wa -k sysfiles
+-w /etc/audit -p wa -k sysfiles
+-w /etc/krb5.conf -p wa -k sysfiles
+-w /etc/krb5.keytab -p wa -k sysfiles
+-w /etc/pam.d -p wa -k sysfiles
+-w /etc/passwd -p wa -k sysfiles
+-w /etc/remctl/acl -p wa -k sysfiles
+-w /etc/shadow -p wa -k sysfiles
+-w /etc/ssh -p wa -k sysfiles
+-w /sbin -p wa -k binfiles
+-w /usr/bin -p wa -k binfiles
+-w /usr/sbin -p wa -k binfiles
+
+# Disable adding any additional rules - note that adding *new* rules
+# will require a reboot
+-e 2
diff --git a/files/etc/audit/audit.rules b/files/etc/audit/audit.rules.x86_64
similarity index 100%
rename from files/etc/audit/audit.rules
rename to files/etc/audit/audit.rules.x86_64
diff --git a/manifests/auditd.pp b/manifests/auditd.pp
index 5d832eabe8b31a3895424c172cce9931dd4ecdd6..cb9ad97d59eaddf61d99cddf93874343879e60fe 100644
--- a/manifests/auditd.pp
+++ b/manifests/auditd.pp
@@ -45,7 +45,12 @@ define audit::auditd (
       # What to audit
       if $content == 'NONE' {
         if $source == 'NONE' {
-          $src_rules = "$afile/etc/audit/audit.rules"
+          # Rules implying 64-bit addressing cause errors on 32-bit systems
+          if ($::architecture == 'x86_64' or $::architecture == 'amd64') {
+            $src_rules = "$afile/etc/audit/audit.rules.x86_64"
+          } else {
+            $src_rules = "$afile/etc/audit/audit.rules.i386"
+          }
         } else {
           $src_rules = $source
         }