audit daemon

This is the official, original and Open Source audit package for Linux operating systems

audit daemon (auditd) is a free, open source, non-interactive daemon, shipped with the command-line user-space tools needed to create audit rules on Linux kernel-based operating systems.

Works as a limited standalone auditing framework

The software can also be used for searching and storing the audit records that were generated by the audit subsystem in Linux kernel 2.6 or later. It works as a limited standalone auditing framework on your GNU/Linux distribution.
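The records auditd stores are plain text, one record per line, and the records that describe a single system call share one event id. The following added example (not code from the audit package itself) parses a constructed audit.log excerpt into events, decodes the hex form auditd uses for untrusted strings, and summarises who touched which path under which rule key; every sample value in it is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the format auditd writes to audit.log: one record per
# line; records sharing the "TS:SERIAL" id in msg=audit(...) form one event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1437000000.123:4711): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1234 a1=0 items=1 ppid=2686 pid=3538 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="sshd_config"
type=CWD msg=audit(1437000000.123:4711):  cwd="/home/alice"
type=PATH msg=audit(1437000000.123:4711): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0
type=PROCTITLE msg=audit(1437000000.123:4711): proctitle=636174002F6574632F7373682F737368645F636F6E666967
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields auditd writes as unquoted uppercase hex when the string holds bytes it
# will not print raw (in proctitle, NUL separates the argv entries).
HEX_FIELDS = {"proctitle", "name", "comm", "exe", "cwd", "acct"}

def decode_value(field, raw):
    """Strip quotes, or hex-decode an untrusted-string field."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if field in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")
    return raw

def parse_records(text):
    """Yield (event_id, record_type, fields); malformed lines are skipped."""
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            rtype, ts, serial, body = m.groups()
            yield f"{ts}:{serial}", rtype, {k: decode_value(k, v) for k, v in FIELD.findall(body)}

def group_events(text):
    """Reassemble events: {event_id: {record_type: [fields, ...]}}."""
    events = defaultdict(dict)
    for event_id, rtype, fields in parse_records(text):
        events[event_id].setdefault(rtype, []).append(fields)
    return dict(events)

def summarize(text):
    """Per event: (event_id, auid, exe, command line, paths, rule key, success)."""
    rows = []
    for event_id, recs in group_events(text).items():
        sc = recs.get("SYSCALL", [{}])[0]
        cmd = recs.get("PROCTITLE", [{}])[0].get("proctitle", sc.get("comm"))
        paths = [p.get("name") for p in recs.get("PATH", [])]
        rows.append((event_id, sc.get("auid"), sc.get("exe"), cmd, paths, sc.get("key"), sc.get("success")))
    return rows
```

The auid (the login user, which survives su and sudo) and the rule key are the two fields a reviewer of a real log usually pivots on first.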

The Linux Auditing Framework

Also known as the Linux Auditing Framework, the audit daemon project was initially created to provide system call auditing without stepping on the existing functionality provided by projects like SELinux.

How the program works

The program can open and close audit log files that are found in the folders specified in the audit_control file. It takes all the files in the order they are specified in that file, reads only audit data from the kernel, and then writes that data to an audit log file.

Additionally, it executes a script called audit_warn when the respective audit folders fill past the limits specified in the audit_control file. The audit daemon then sends warnings to the console and to the audit_warn mail alias.

Installing the audit daemon

To install the audit daemon on your GNU/Linux operating system using the source package, you will have to first download it from its official website (see the homepage link at the end of the article), save the archive on your Home directory, and unpack it using an archive manager tool.

In a terminal emulator, navigate to the location of the extracted archive files using the ‘cd’ command (e.g. cd /home/softpedia/audit-2.4.1), run the ‘./configure && make’ command to configure and compile the program, then run the ‘sudo make install’ command to install it system-wide.

Last updated on July 27th, 2015

