// the find
linux-audit/audit-userspace
Linux audit userspace repository
The official userspace component of the Linux Audit System — auditd, auditctl, ausearch, aureport, and the audisp plugin dispatcher. This is the canonical implementation that ships with every major Linux distro and is required for PCI-DSS, Common Criteria, and STIG compliance. If you need kernel-level syscall auditing on Linux, this is the only real option.
The plugin architecture (audisp) is genuinely well-designed — plugins are separate processes with a queue between them, so a slow or crashing plugin cannot block auditd from draining the kernel's backlog. The auparse library gives you a proper C API with event/record/field traversal plus a feed mode for realtime data, which makes writing custom plugins tractable without parsing raw log lines yourself. The sample rules directory, organized by numeric prefix with clear compliance mappings (STIG, CIS), saves hours of policy writing from scratch. The auplugin library added in recent versions abstracts the threading and queue management that every plugin author was reimplementing.
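To make the event/record/field model concrete, here is an added example (not code from audit-userspace, and not using libauparse itself): a small Python parser that groups raw audit lines into events keyed by the `msg=audit(timestamp:serial)` header, exposes per-record fields, and includes an `EventFeeder` class that imitates the push-style feed mode by accepting arbitrary text chunks and emitting events as they complete. The log lines in `SAMPLE_LOG` are constructed for this example; the class and function names are this example's own.

```python
"""Group raw audit log lines into events (serial -> records -> fields).

Added example, not code from audit-userspace. It mirrors the event/record/
field structure that libauparse exposes, and EventFeeder imitates that
library's push-style feed mode. SAMPLE_LOG is constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Every record begins "type=<TYPE> msg=audit(<secs>.<msecs>:<serial>): ".
# Records that share timestamp+serial belong to the same event.
HEADER_RE = re.compile(
    r'^type=(?P<type>[A-Z0-9_]+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs; values are bare tokens or double/single quoted strings.
FIELD_RE = re.compile(r'(?P<k>[\w-]+)=(?P<v>"[^"]*"|\'[^\']*\'|\S+)')


@dataclass
class Record:
    type: str
    fields: Dict[str, str] = field(default_factory=dict)


@dataclass
class Event:
    timestamp: float
    serial: int
    records: List[Record] = field(default_factory=list)

    def get(self, name: str) -> Optional[str]:
        """First value of a field found while walking the event's records."""
        for rec in self.records:
            if name in rec.fields:
                return rec.fields[name]
        return None

    def record_types(self) -> List[str]:
        return [r.type for r in self.records]


def parse_fields(body: str) -> Dict[str, str]:
    fields: Dict[str, str] = {}
    for k, v in FIELD_RE.findall(body):
        if v[:1] in ('"', "'"):
            v = v[1:-1]
        # USER_* records nest further key=value pairs inside msg='...'; flatten them.
        if k == 'msg' and '=' in v:
            fields.update(parse_fields(v))
        else:
            fields[k] = v
    return fields


def parse_record(line: str) -> Tuple[Tuple[float, int], Record]:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f'not an audit record: {line!r}')
    return (float(m['ts']), int(m['serial'])), Record(m['type'], parse_fields(m['body']))


class EventFeeder:
    """Push text chunks in; complete events come out through the callback.

    An event is complete when its EOE record arrives or a record with a different
    serial shows up. A trailing single-record event (no EOE) stays pending until
    finish() is called, the same flush step a feed-mode consumer must remember.
    """

    def __init__(self, on_event: Callable[[Event], None]) -> None:
        self.on_event = on_event
        self.buf = ''
        self.key: Optional[Tuple[float, int]] = None
        self.current: Optional[Event] = None

    def feed(self, chunk: str) -> None:
        self.buf += chunk
        while '\n' in self.buf:
            line, self.buf = self.buf.split('\n', 1)
            if line.strip():
                self._add(line)

    def _flush(self) -> None:
        if self.current is not None:
            self.on_event(self.current)
        self.current, self.key = None, None

    def _add(self, line: str) -> None:
        key, rec = parse_record(line)
        if self.current is not None and key != self.key:
            self._flush()
        if self.current is None:
            self.key = key
            self.current = Event(timestamp=key[0], serial=key[1])
        self.current.records.append(rec)
        if rec.type == 'EOE':
            self._flush()

    def finish(self) -> None:
        """End of input: treat any unterminated line as complete, then flush."""
        if self.buf.strip():
            self._add(self.buf)
        self.buf = ''
        self._flush()


def parse_events(text: str) -> List[Event]:
    events: List[Event] = []
    feeder = EventFeeder(events.append)
    feeder.feed(text)
    feeder.finish()
    return events


def execve_argv(ev: Event) -> List[str]:
    """Reassemble argv from the a0..aN fields of an EXECVE record (plain values only)."""
    for rec in ev.records:
        if rec.type == 'EXECVE':
            return [rec.fields[f'a{i}'] for i in range(int(rec.fields['argc']))]
    return []


# Constructed sample: one multi-record execve event and one single-record login.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4321): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1000 pid=1001 auid=1000 uid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="exec_cmds"
type=EXECVE msg=audit(1700000000.123:4321): argc=2 a0="cat" a1="/etc/hostname"
type=PATH msg=audit(1700000000.123:4321): item=0 name="/usr/bin/cat" inode=131 dev=fd:01 mode=0100755 ouid=0 ogid=0 nametype=NORMAL
type=EOE msg=audit(1700000000.123:4321):
type=USER_LOGIN msg=audit(1700000001.500:4322): pid=2000 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/1 res=success'
"""

if __name__ == '__main__':
    for ev in parse_events(SAMPLE_LOG):
        print(ev.serial, ev.record_types(), 'auid=' + str(ev.get('auid')), execve_argv(ev))
```

The point of the feeder is the one that bites plugin authors: records of one event arrive over several lines and arbitrary read boundaries, and the last event of a stream has nothing after it to signal completion, so it must be flushed explicitly. Real audit output also hex-encodes string values that contain spaces or non-printable bytes instead of quoting them, which this illustrative parser does not decode; that decoding is one of the things libauparse does for you.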
The autotools build system is a relic — getting it to build from a fresh git clone requires autoconf, automake, libtool, and the right incantation of autoreconf flags, which is a friction wall for anyone just trying to evaluate it. Cross-compilation is explicitly documented as unsupported and essentially undocumented, which is a real problem for embedded Linux targets that often need audit compliance. The systemctl/dbus signal attribution issue described in the README is a genuine compliance gap with no fix path — using systemd to manage auditd breaks Common Criteria requirements, and the workaround (legacy initscripts in /usr/libexec) is increasingly unavailable on modern distros. The moratorium on new platform support is honest but means any non-x86/ARM64 target is effectively on its own.