auditd overview
auditd is Linux’s built-in auditing system. You write rules with auditctl, and auditd logs the kernel-level events those rules match (syscalls, file access, process execution, etc.). It is the go-to for getting visibility into what is actually happening on a Linux box.
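As an added example (not part of the original page), the Python below shows what those logged events look like and how to read them: one event is written as several records sharing a timestamp:serial id, and string fields containing spaces are hex-encoded. The sample records are constructed and trimmed, and the rule keys exec_log and passwd_watch are hypothetical.

```python
import re
from collections import defaultdict

# Constructed, trimmed sample records in auditd's raw log format (not from a real
# host). They assume two hypothetical rules were loaded with auditctl:
#   auditctl -a always,exit -F arch=b64 -S execve -k exec_log
#   auditctl -w /etc/passwd -p wa -k passwd_watch
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=59 success=yes exit=0 pid=1234 auid=1000 uid=0 comm="cat" exe="/usr/bin/cat" key="exec_log"
type=EXECVE msg=audit(1700000000.123:456): argc=2 a0="cat" a1=2F746D702F6D79206E6F7465
type=SYSCALL msg=audit(1700000005.500:457): arch=c000003e syscall=257 success=yes exit=3 pid=1240 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="passwd_watch"
type=PATH msg=audit(1700000005.500:457): item=0 name="/etc/passwd" inode=131 nametype=NORMAL
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+:\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """String fields are quoted when plain and hex-encoded (unquoted) when they
    contain spaces or other special bytes; undo both."""
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # e.g. "(null)" when the rule carried no key

def parse_events(log_text):
    """Merge all records that share one timestamp:serial id into one event."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = dict(FIELD.findall(body))
        ev = events[event_id]
        if rtype == "SYSCALL":
            ev.update(key=decode(fields.get("key", "")), exe=decode(fields.get("exe", "")),
                      auid=int(fields["auid"]), uid=int(fields["uid"]))
        elif rtype == "EXECVE":
            ev["argv"] = [decode(fields[f"a{i}"]) for i in range(int(fields["argc"]))]
        elif rtype == "PATH":
            ev.setdefault("paths", []).append(decode(fields["name"]))
    return dict(events)

if __name__ == "__main__":
    for event_id, ev in parse_events(SAMPLE_LOG).items():
        print(event_id, ev)
```

In both sample events uid is 0 while auid is 1000: auid keeps the original login user, which is how an action run as root is tied back to an account.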