Linux audit allows you to comprehensively log and track any access to files, directories, or resources of your system and trace system calls. It enables you to monitor your system for application misbehavior or code malfunctions. By creating a sophisticated set of rules including file watches and system call auditing, you can make sure that any violation of your security policies is noticed and properly addressed.
To set up Linux audit on your system, proceed as follows:
Stop the audit daemon that is running by default with the rcauditd stop command.
Adjust the system configuration for audit and enable audit.
Configure the audit daemon.
Determine which system components to audit and set up audit rules.
Start the audit daemon after you have completed the configuration of the audit system using the rcauditd start command.
Determine which reports to run and configure these reports.
Analyze the audit logs and reports.
(Optional) Analyze individual system calls with autrace.
IMPORTANT: Users Entitled to Work with Audit
The audit tools, configuration files, and logs are only available to root. This protects audit from ordinary users of the system. To manipulate any aspect of audit, you must be logged in as root.