Auditing directories and files
An important task related to troubleshooting can arise from an understanding of activities commonly associated with the action of reading and writing files. CentOS 7 provides a simple utility for this. Known as auditd, this service (or daemon) starts during the boot process. Events are recorded to an associated log file found at /var/log/audit and as it runs in the background, you can check the current service status with:
# systemctl status | grep audit
It is possible to customize the auditing service and you can have direct access to manage the log file size, location, and associated attributes by accessing the following file with your favorite text editor:
# nano /etc/audit/auditd.conf
Moreover, if you do not wish to lose any auditing data, you are able to disable the machine when an audit cannot be performed. To do this, open the configuration file auditd.conf and add or modify the following lines:
max_log_file_action = keep_logs space_left_action = email...
