Ausearch

Linux Audit Framework 101 – Basic Rules for Configuration

audit
audit.rules
auditctl
auditd
auditd.conf
ausearch

The Linux audit framework is a very powerful tool to monitor files, directories, and system calls. Learn how to configure it.

Summary

Starting with Linux auditing can be overwhelming. Fortunately, there is a great feature in the Linux kernel to watch events and log them for us. To give you a quick start to use the Linux Audit Framework, we have collected some basic rules for configuring the audit daemon and its rules.

Main Configuration

By default the configuration values in /etc/audit/audit.conf are suitable for most systems. If you know your system is very low or very high (e.g. mainframe) on resources, then you might want to adjust some file sizes or buffers.