Ausearch
Linux Audit Framework 101 – Basic Rules for Configuration
The Linux audit framework is a very powerful tool to monitor files, directories, and system calls. Learn how to configure it.
Summary
Starting with Linux auditing can be overwhelming. Fortunately, there is a great feature in the Linux kernel to watch events and log them for us. To give you a quick start to use the Linux Audit Framework, we have collected some basic rules for configuring the audit daemon and its rules. Main Configuration By default the configuration values in /etc/audit/audit.conf are suitable for most systems. If you know your system is very low or very high (e.