This repository has been archived on 2022-06-28. You can view files and clone it, but cannot push or open issues or pull requests.

# Audit Framework

## Kernel

To ensure that processes which start before `auditd` (early boot, initramfs) are still marked auditable, boot with the kernel parameter `audit=1`; `auditd` then takes over the already-enabled audit subsystem when it starts. Raise the kernel queue at the same time with `audit_backlog_limit=8192` if events are dropped during boot, and confirm both with `cat /proc/cmdline`.

## Userspace

* Install the `audit` package, then enable and start `auditd.service` (`systemctl enable --now auditd`).
* The daemon config file is `/etc/audit/auditd.conf` (log file location, rotation, what to do when the disk fills up). Events land in `/var/log/audit/audit.log` by default.
* The rules are read from `/etc/audit/audit.rules` at start-up.
* `auditctl` edits the kernel rule set on the fly; those changes are not persistent and are lost on reboot unless they are also written to the rules files.
* `ausearch` queries the log (e.g. by key, `ausearch -k keyname`); `aureport` summarizes it (`aureport -k`, `aureport -x`).


## Rules

* `auditd` loads `/etc/audit/audit.rules` at start-up (the same thing `auditctl -R /etc/audit/audit.rules` does).

* If rules are kept as component files such as `/etc/audit/rules.d/syscalls.rules`,
  `augenrules` merges them into `/etc/audit/audit.rules`.
    * Run `augenrules --check` first; if it reports no errors, `augenrules --load` writes the merged file and loads it into the kernel.
    * The files are concatenated in order, based on their natural sort (see the `-v` option of `ls(1)`), and stripped of empty and comment (`#`) lines, so a `10-` prefixed file is merged before a `50-` one.

* rulesets:
    * control
        * e.g. `-D` (delete all loaded rules), `-b 8192` (kernel backlog), `-f 1` (failure mode: printk), `-e 2` (lock the configuration until reboot; put this last)
    * syscalls
        * format: `-a action,list -S syscall -F field=value -k keyname`
        * `action` is `always` or `never`, `list` is normally `exit`; on x86-64 give `-F arch=b64` (and a second rule with `arch=b32`) before `-S`, since syscall numbers differ per ABI and `auditctl` requires the arch field to precede the syscall field
    * files
        * format: `-w path-to-file -p permissions -k keyname`
        * `permissions` is any combination of `r`, `w`, `x`, `a` (attribute change); a watch on a directory covers everything beneath it
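The userspace set-up and the `rules.d` workflow above, as an added example that is not from these notes or from the audit project: a POSIX shell script that writes a small constructed `rules.d` tree into a scratch directory, merges it the way `augenrules` does (natural sort, blank and `#` lines dropped) so the result can be inspected before touching the system, and, only when `augenrules` is installed and you are root, checks and loads the real `/etc/audit/rules.d`. The scratch directory, file names, rule contents and key names (`sudoers`, `auditconfig`, `exec`) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: build a rules.d layout, merge it like augenrules, then load it.
# The directory passed as $1 is a stand-in for /etc/audit/rules.d (assumption).

# Write a constructed sample rules.d tree into "$1".
write_sample_rules() {
    dir="$1"
    mkdir -p "$dir"
    # 10-*: control rules first, so the file sorts first
    cat > "$dir/10-base.rules" <<'EOF'
# flush loaded rules, size the kernel backlog, keep going (printk) on failure
-D
-b 8192
-f 1
EOF
    # 30-*: file watches (w = write, a = attribute change)
    cat > "$dir/30-files.rules" <<'EOF'
# who touches sudoers and the audit configuration itself
-w /etc/sudoers -p wa -k sudoers
-w /etc/audit/ -p wa -k auditconfig
EOF
    # 50-*: syscall rules; arch must come before -S, one rule per ABI
    cat > "$dir/50-syscalls.rules" <<'EOF'

# every execve by a logged-in user (auid >= 1000 and not the unset value)
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k exec
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k exec
EOF
}

# Emulate the augenrules merge: *.rules in natural-sort order (ls -v),
# with blank lines and comment lines removed. Prints the merged rule set.
merge_rules() {
    dir="$1"
    ls -v "$dir"/*.rules | while read -r f; do
        grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$'
    done
}

# Number of rules that would be loaded; a quick sanity check before --load.
count_rules() {
    merge_rules "$1" | wc -l | tr -d ' '
}

# Check and load the system rules.d for real. augenrules has no directory
# option: it always reads /etc/audit/rules.d, so the scratch tree above has
# to be copied there (as root) first. Skips cleanly when the tool is absent.
load_system_rules() {
    if ! command -v augenrules >/dev/null 2>&1; then
        echo "augenrules not installed; nothing loaded" >&2
        return 0
    fi
    augenrules --check && augenrules --load
}

# Stand-alone run: show what the merge would produce.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_rules "$tmp"
    echo "merged rule set ($(count_rules "$tmp") rules):"
    merge_rules "$tmp"
    rm -rf "$tmp"
fi
```

After `augenrules --load` has succeeded, `auditctl -l` lists what the kernel actually holds, and `ausearch -k exec -i` or `aureport -k` pulls the events back out by key. Keep the `-e 2` lock out of the sample tree until the rules are known good, because once it is loaded nothing can be changed without a reboot.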



## Further Reading

* `man` pages: `auditd(8)`, `auditd.conf(5)`, `auditctl(8)`, `augenrules(8)`, `audit.rules(7)`, `ausearch(8)`, `aureport(8)`
* Arch Wiki: https://wiki.archlinux.org/title/Audit_framework
* syscall reference: `syscalls(2)`, plus `ausyscall --dump` for the number-to-name table of the running kernel's ABIs