Auditd
auditd collects kernel-level audit events and security-relevant system activity.
It matters because ordinary logs are not enough once the question becomes who changed what, with which privileges, and in what sequence. Audit trails are not merely verbose logging; they are structured accountability data.
Why it matters
- Creates tamper-resistant trails for critical operations.
- Supports investigations by linking who did what and when.
- Helps satisfy compliance and governance controls.
Where it fits
Auditd fits environments where privilege use, configuration changes, identity-sensitive operations, and incident reconstruction need stronger evidence than application or service logs alone can provide.
Operational notes
- Define focused audit rules for high-value events.
- Ship and retain audit logs centrally.
- Pair audit data with SIEM or EDR correlation.
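As an added example (not code from the original page), the following Python shows how the "who did what and when" linkage above falls out of auditd's record format: records of one event share a msg=audit(epoch:serial) id, the SYSCALL record carries the login UID (auid) and effective UID, and the key names the focused rule that caught it. The audit.log excerpt, the rule keys and all field values are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed audit.log excerpt (not from a real host). Records of one event
# share the msg=audit(<epoch>:<serial>) id, which is the join key. Focused
# rules (auditctl syntax) that would emit records like these:
#   -a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k priv-exec
#   -w /etc/sudoers -p wa -k sudoers-change
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=55d1 a1=55d2 a2=55d3 a3=0 items=2 ppid=2100 pid=2101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="passwd" exe="/usr/bin/passwd" key="priv-exec"
type=EXECVE msg=audit(1700000000.123:4567): argc=2 a0="passwd" a1="root"
type=SYSCALL msg=audit(1700000042.500:4570): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f0 a2=241 a3=1b6 items=2 ppid=2100 pid=2150 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="sudoers-change"
type=PATH msg=audit(1700000042.500:4570): item=1 name="/etc/sudoers" inode=1234 dev=fd:01 mode=0100440 ouid=0 ogid=0
"""

TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="value"
MSG_ID = re.compile(r'audit\((\d+\.\d+):(\d+)\)')  # epoch.millis:serial

def parse_record(line):
    """Split one audit.log line into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in TOKEN.findall(line)}

def correlate_events(log_text):
    """Join records by audit id and summarise who did what, and when."""
    groups = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_record(line)
        m = MSG_ID.search(rec.get("msg", ""))
        if m:
            groups[(float(m.group(1)), int(m.group(2)))].append(rec)
    events = []
    for (ts, _serial), recs in sorted(groups.items()):
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None:
            continue  # without the SYSCALL record the action cannot be attributed
        ex = next((r for r in recs if r["type"] == "EXECVE"), None)
        argv = [ex[f"a{i}"] for i in range(int(ex["argc"]))] if ex else None
        events.append({
            "time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            # auid is the login UID and survives su/sudo: the "who". 4294967295 = unset.
            "login_uid": None if sc["auid"] == "4294967295" else int(sc["auid"]),
            "effective_uid": int(sc["euid"]),  # privilege the action actually ran with
            "exe": sc.get("exe"),
            "argv": argv,
            "paths": [r["name"] for r in recs if r["type"] == "PATH" and "name" in r],
            "key": sc.get("key"),  # ties the event back to the rule that caught it
        })
    return events
```

The output is the shape a SIEM correlation would consume: a user (login UID 1000) running passwd as root, then the same login session touching /etc/sudoers, each tagged with the rule key that justified collecting it.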
Design cautions
- Audit coverage should be deliberate. Collecting everything can overwhelm storage and analysis without improving clarity.
- The most useful audit rules are tied to real investigative questions.
- Auditd is strongest when its data is reviewable, centralized, and connected to incident-response practice.