Unix - Auditing in UNIX/Linux (auditd)

1. What Is Auditing?

Auditing is the process of recording and tracking system events to:

  • Monitor user activity

  • Detect security violations

  • Support forensic analysis

  • Ensure compliance and accountability

Auditing answers:

Who did what, when, and from where?


2. What Is auditd?

auditd (Audit Daemon) is the user-space daemon of the Linux Audit system: the kernel's audit subsystem generates the event records, and auditd receives them and writes them to the audit log (by default /var/log/audit/audit.log).

It:

  • Monitors system calls

  • Tracks file access

  • Records user actions

  • Logs security-related events
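As an added illustration (not code from this page), the Python below parses a few constructed records in auditd's audit.log format, groups them by event serial, and answers the four questions from section 1 (who, what, when, from where) for an SSH login and for a read of a watched file. The record layout and field names follow auditd's real log format; the sample values (PIDs, inode, addresses) are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records in auditd's log format (not from a real host): serial 99 is
# an SSH login; serial 101 is a read of /etc/shadow caught by a file watch keyed "etc-shadow".
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1700000000.000:99): pid=900 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=257 success=yes exit=3 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="etc-shadow"
type=PATH msg=audit(1700000000.123:101): item=0 name="/etc/shadow" inode=1234 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

def parse_fields(body):
    """k=v pairs -> dict; a nested msg='...' payload (USER_* records) is flattened in."""
    fields = {k: v.strip("\"'") for k, v in FIELD.findall(body)}
    if "msg" in fields:
        fields.update(parse_fields(fields.pop("msg")))
    return fields

def group_events(text):
    """Group records by audit serial: one serial = one kernel action, many records."""
    events = defaultdict(lambda: {"records": {}, "paths": []})
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole parse
        rtype, ts, serial, body = m.groups()
        ev = events[int(serial)]
        ev["time"] = float(ts)
        if rtype == "PATH":  # an event may carry several PATH records
            ev["paths"].append(parse_fields(body).get("name"))
        else:
            ev["records"][rtype] = parse_fields(body)
    return dict(events)

def summarize(event):
    """Answer who / what / when / where for one grouped event."""
    sc = event["records"].get("SYSCALL", {})
    lg = event["records"].get("USER_LOGIN", {})
    actor = sc or lg
    return {
        # auid is the login UID and survives su/sudo; uid is the effective UID at the
        # time of the call, so auid=1000 with uid=0 means "user 1000, acting as root".
        "who": (actor.get("auid"), actor.get("uid")),
        "what": (actor.get("exe"), sc.get("key") or lg.get("op"), event["paths"]),
        "when": datetime.fromtimestamp(event["time"], tz=timezone.utc).isoformat(),
        "where": sc.get("tty") or lg.get("addr"),
    }
```

On a live system the same records are produced by a rule such as a file watch on /etc/shadow, and the auid/uid split is what lets the log attribute a root-level action back to the human account that logged in.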