https://vo.rs/tags/auditd/Auditd - Tag - vo.rsHugo -- gohugo.ioenThis work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.Fri, 03 Oct 2025 11:00:00 +0000https://vo.rs/story/linux-audit-framework-tracking-who-did-what-on-your-servers/<p>The moment a server does something you didn&rsquo;t expect — a file changes, a binary appears, a user gains a privilege they shouldn&rsquo;t have — the first question is always the same: <em>who did this, and when?</em> Ordinary logs rarely answer it. They tell you a service restarted, not that someone read <code>/etc/shadow</code> at 02:14. For the real answer you need the Linux Audit Framework, the kernel-level recorder that has been sitting on your box this whole time, almost certainly underused.</p>Fri, 03 Oct 2025 11:00:00 +0000