$linuxjunkies

auditd

also: audit daemon, Linux Audit Framework

The Linux audit daemon: the user-space service that receives security-relevant events (system calls, file accesses, logins) from the kernel's audit subsystem and writes them to a log, producing an accountable record of user actions for security monitoring and compliance.

auditd is a background service that receives audit events from the kernel's audit subsystem over a netlink socket and writes them to a log file (/var/log/audit/audit.log by default). The kernel, not the daemon, does the monitoring: it records system calls, file accesses, authentication events and other security-critical activity according to the rules loaded into it, and auditd turns that event stream into a durable audit trail for forensic analysis and compliance reporting.

The framework works through hooks in the kernel that check system calls and file operations against rules you load (with auditctl, or from rules files via augenrules). For example, a watch on /etc/passwd records every write or attribute change to it, and a syscall rule can record which users open a sensitive file. Each event is a timestamped set of records (SYSCALL, PATH, CWD and so on, tied together by a serial number) carrying the login UID (auid, which survives su and sudo), the effective UID, the return code, the syscall arguments and the path involved.

Common use cases include security monitoring, meeting regulatory requirements (SOC 2, HIPAA), detecting unauthorized access, and post-incident investigation. Persistent rules go in /etc/audit/rules.d/ and are assembled into /etc/audit/audit.rules by augenrules; query the log with ausearch (for example ausearch -k <key> -i to resolve UIDs and syscall numbers to names) and summarize it with aureport. Two caveats: the trail is only as good as the rule set, and an attacker with root can stop the daemon or flush the rules unless the configuration is locked with -e 2 (immutable until reboot), so logs should also be forwarded off the host.
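As an added example (not code from linuxjunkies or the audit project), the script below prints a rules file of the kind that goes in /etc/audit/rules.d/ for the /etc/passwd case above, then runs a small offline parser over constructed audit.log records to show what those rules produce and how records are joined by serial number the way ausearch does. The file name 50-passwd.rules and all log lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example for this entry, not code from linuxjunkies or the audit project.
# Part 1 prints a rules file for /etc/audit/rules.d/ (the name 50-passwd.rules is
# an assumption); part 2 is an offline parser over constructed sample records.

# A -w rule watches a path (-p wa: writes and attribute changes); an -a always,exit
# rule matches a syscall at exit under the given -F filters. -k tags the events so
# they can be pulled back out with: ausearch -k passwd_changes -i
rules_file() {
    cat <<'EOF'
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k passwd_changes
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k root_cmds
EOF
}
# Install with: rules_file | sudo tee /etc/audit/rules.d/50-passwd.rules && sudo augenrules --load
# (auid!=4294967295 excludes daemons with no login UID; newer auditctl also accepts auid!=unset)

# Constructed sample records (trimmed, not real captures). A SYSCALL record and the
# PATH record(s) for the same event share the serial after the colon in msg=audit(ts:serial).
# arch=c000003e is x86_64; syscall 257 is openat, 59 is execve; exit=-13 is EACCES.
SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vipw" exe="/usr/sbin/vipw" key="passwd_changes"
type=PATH msg=audit(1700000000.123:456): item=0 name="/etc/passwd" inode=131 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000001.500:457): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1235 pid=1300 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="root_cmds"
type=PATH msg=audit(1700000001.500:457): item=0 name="/usr/bin/cat" inode=42 dev=fd:00 mode=0100755 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000002.000:458): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=2000 pid=2001 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=4 comm="vim" exe="/usr/bin/vim" key="passwd_changes"
type=PATH msg=audit(1700000002.000:458): item=0 name="/etc/passwd" inode=131 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL'

# events_for_key KEY: one line per SYSCALL record tagged with KEY, formatted as
#   "<serial> <auid> <exe> <success> <first PATH name or ->"
# auid (the login UID) survives su/sudo, which is why it, not uid, answers "who did this".
events_for_key() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v key="$1" '
    {
        # serial number: the digits between ":" and "):" in msg=audit(ts:serial):
        if (!match($0, /:[0-9]+\):/)) next
        serial = substr($0, RSTART + 1, RLENGTH - 3)
        if ($1 == "type=PATH" && match($0, /name="[^"]*"/)) {
            # keep the first PATH name seen for this event (item=0)
            if (!(serial in path)) path[serial] = substr($0, RSTART + 6, RLENGTH - 7)
        } else if ($1 == "type=SYSCALL" && index($0, "key=\"" key "\"")) {
            # split the record into name=value fields, stripping quotes from values
            split("", f)
            for (i = 2; i <= NF; i++) { split($i, kv, "="); gsub(/"/, "", kv[2]); f[kv[1]] = kv[2] }
            order[++n] = serial
            line[serial] = f["auid"] " " f["exe"] " " f["success"]
        }
    }
    END {
        # PATH records follow their SYSCALL record, so join only once the log is read
        for (i = 1; i <= n; i++) {
            s = order[i]
            print s " " line[s] " " ((s in path) ? path[s] : "-")
        }
    }'
}

# Who touched /etc/passwd, and did the kernel let them?
events_for_key passwd_changes
```

The parser answers the question the watch rule was written for: serial 456 shows auid 1000 editing /etc/passwd as root via vipw (success=yes), while serial 458 shows a different login UID trying the same with vim and being denied (success=no, EACCES). On a real host the same view comes from `ausearch -k passwd_changes -i`, which also resolves the numeric UIDs and syscall numbers.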
