auditd

Start audit daemon

$ sudo auditd

$ sudo auditd -s stop

$ sudo auditd -s rotate

$ sudo auditd -f

auditd [-f] [-l] [-n] [-s action]

auditd is the Linux Audit daemon that collects audit events from the kernel and writes them to disk. It's part of the Linux Audit framework for tracking security-relevant events.
The daemon logs file accesses, system calls, authentication events, and other activities based on configured rules.

-f

Run in foreground (don't daemonize)

Allow only one copy running

Don't fork (for systemd compatibility)

Send signal to daemon (stop, term, cont, rotate, resume)

/etc/audit/auditd.conf

Main daemon configuration controlling log file location, retention, disk space handling, and dispatcher settings.

Directory containing audit rule files loaded at startup. Rules define which system calls and file accesses to monitor.

Requires root privileges. Heavy auditing can impact performance. Log files grow quickly with verbose rules. Should be managed through systemd on modern systems.

auditd was developed as part of the Linux Audit project to meet Common Criteria security requirements, becoming part of the mainline kernel in 2.6.6 (2004).

auditctl(8), ausearch(8), aureport(8)