So, you have a directory full of super-secret files that only a very few people need to see, and you want to know when unauthorized people try to see them. Or, maybe you want to see when a certain file gets changed, or you want to see when people log into the system and what they're doing once they do log in. For all this and more, you have the auditd system. It's a really cool system, and I think that you'll like it.

On Red Hat-type systems, auditd comes installed and enabled by default. So, you'll find it already there on your CentOS machine. On Ubuntu, it won't be installed, so you'll have to do it yourself:

sudo apt install auditd

On Ubuntu, you can control the auditd daemon with the normal systemctl commands. So, if you need to restart auditd to read in a new configuration, you can do that with the following:

sudo systemctl restart auditd

On RHEL/CentOS 7 and 8, for some reason that I don't understand, auditd is configured to not work with the normal systemctl commands. (For all other daemons, they do.) So, on your CentOS 7/8 machine, you'll restart the auditd daemon with the old-fashioned service command, like so:

sudo service auditd restart

Other than this minor difference, everything I tell you about auditd from here on will apply to both Ubuntu and CentOS.