Linux Audit Framework 101 – Basic Rules for Configuration
The Linux audit framework is a very powerful tool to monitor files, directories, and system calls. Learn how to configure it.
Summary
Starting with Linux auditing can be overwhelming. Fortunately, there is a great feature in the Linux kernel to watch events and log them for us. To give you a quick start with the Linux Audit Framework, we have collected some basic rules for configuring the audit daemon and its rules.
Main Configuration
By default, the configuration values in /etc/audit/audit.conf are suitable for most systems. If you know your system is very low on resources, or very high (e.g. a mainframe), then you might want to adjust some file sizes or buffers.
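As an added example (not code from the original post), here is a small POSIX shell check that reads the log-sizing settings out of an auditd configuration file and works out how much disk the rotated audit logs can occupy. The file name, the key names (max_log_file, num_logs, max_log_file_action, space_left_action) and the sample values are assumptions based on auditd.conf(5), not on this page; a constructed sample file stands in for the real /etc/audit/auditd.conf.

```shell
#!/bin/sh
# Added example: inspect the auditd log-sizing knobs. Key names follow
# auditd.conf(5); the sample file below is constructed, not a real system's.

# Constructed stand-in for /etc/audit/auditd.conf (assumed path).
SAMPLE_CONF="${TMPDIR:-/tmp}/auditd.conf.sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
# sample auditd.conf (constructed)
log_file = /var/log/audit/audit.log
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
EOF

# audit_conf_get FILE KEY -> prints the value of "KEY = value",
# skipping comment lines and trimming surrounding whitespace.
audit_conf_get() {
    awk -v key="$2" -F'=' '
        /^[[:space:]]*#/ { next }
        { k = $1; gsub(/[[:space:]]/, "", k) }
        k == key { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit }
    ' "$1"
}

# audit_log_footprint_mb FILE -> max_log_file (MB) * num_logs: the most
# space the rotated set occupies before the oldest file is discarded.
audit_log_footprint_mb() {
    mf=$(audit_conf_get "$1" max_log_file)
    nl=$(audit_conf_get "$1" num_logs)
    echo $(( ${mf:-0} * ${nl:-0} ))
}

# audit_log_bounded FILE -> succeeds when num_logs really bounds disk use,
# i.e. max_log_file_action is ROTATE. KEEP_LOGS rotates but never discards,
# so the footprint above is only a lower bound in that case.
audit_log_bounded() {
    act=$(audit_conf_get "$1" max_log_file_action | tr '[:upper:]' '[:lower:]')
    [ "$act" = "rotate" ]
}

echo "rotated audit logs can reach $(audit_log_footprint_mb "$SAMPLE_CONF") MB"
audit_log_bounded "$SAMPLE_CONF" && echo "disk use is bounded by num_logs"
```

Point the functions at the real configuration file instead of the sample to check a running system before raising max_log_file or num_logs on a small root partition.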