add auditd docs

services/nftables/audit-framework/audit.md

@@ -0,0 +1,13 @@
+# Audit Framework
+
+## Kernel
+
+To ensure that all process which may have started before `auditd` are marked as auditable use boot time kernel param `audit=1`.
+
+## Userspace
+
+* Install the `audit` package, enable and start the `auditd.service`.
+* The config file is `auditd.conf`.
+* The rules are defined in `/etc/audit/audit.rules`.
+* `auditctl` can be used to edit rules on the fly.
+* `ausearch` and `aureport` are used to summarize and view data.