LinuxQuestions.org - Who knows for what use is the service 'auditd'

The man page says...

Quote:

DESCRIPTION

auditd is the userspace component to the Linux Auditing System. It’s
responsible for writing audit records to the disk. Viewing the logs is
done with the ausearch or aureport utilities. Configuring the audit
rules is done with the auditctl utility. During startup, the rules in
/etc/audit.rules are read by auditctl. The audit daemon itself has some
configuration options that the admin may wish to customize. They are
found in the auditd.conf file.

OPTIONS

-f leave the audit daemon in the foreground for debugging. Messages
also go to stderr rather than the audit log.

SIGNALS

HUP causes auditd to reconfigure. This means that auditd re-reads the
configuration file. If there are no syntax errors, it will proceed to
implement the requested changes. If the reconfigure is successful, a
DAEMON_CONFIG event is recorded in the logs. If not successful, error
handling is controlled by space_left_action, admin_space_left_action,
disk_full_action, and disk_error_action parameters in auditd.conf.

TERM caused auditd to discontinue processing audit events, write a
shutdown audit event, and exit.

USR1 causes auditd to immediately rotate the logs. It will consult the
max_log_size_action to see if it should keep the logs or not.

One may monitor a directory in many ways, one is by file access time, another would be file size, and more.