a utility to assist controlling the kernel's audit system
DISABLED BY DEFAULT
On many systems auditd is configured to install an -a never,task
rule by default. This rule causes every new process to skip all
audit rule processing. This is usually done to avoid a small
performance overhead imposed by syscall auditing. If you want to
use auditd, you need to remove that rule by deleting
10-no-audit.rules and adding 10-base-config.rules to the audit
rules directory.
If you have defined audit rules that are not matching when they
should, check auditctl -l to make sure there is no never,task
rule there.
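
The check described above as a script, added here as an example and not taken from the auditctl man page: it looks for the rule in both the action,list and list,action orderings, in rule files and in auditctl -l output. The sample rule files are constructed, and /etc/audit/rules.d is an assumed location for the audit rules directory.

```shell
#!/bin/sh
# Added example: find the task-list "never" rule that makes every new
# process skip audit rule processing.

# Succeeds if the rules on stdin contain an active never,task rule.
# auditctl accepts both "list,action" and "action,list" after -a / -A.
has_never_task() {
    sed 's/#.*//' |
        grep -Eq '^[[:space:]]*-[aA][[:space:]]+(never,task|task,never)([[:space:]]|$)'
}

# Prints each *.rules file under directory $1 that carries such a rule.
suppressing_files() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        if has_never_task < "$f"; then printf '%s\n' "$f"; fi
    done
}

# Checks the rules currently loaded in the kernel (needs root and auditctl).
loaded_rules_suppressed() {
    auditctl -l | has_never_task
}

# Constructed sample: a rules directory with auditing still disabled.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '# no auditing by default' '-a task,never' \
    > "$demo_dir/10-no-audit.rules"
printf '%s\n' '-D' '-b 8192' '# -a never,task (commented out)' \
    > "$demo_dir/10-base-config.rules"
printf '%s\n' '-w /etc/passwd -p wa -k identity' \
    > "$demo_dir/30-watches.rules"

echo "Rule files that disable auditing:"
suppressing_files "$demo_dir"

# On a live host (directory path is an assumption, adjust as needed):
#   suppressing_files /etc/audit/rules.d
#   loaded_rules_suppressed && echo "never,task is loaded"
```

A commented-out rule is ignored, so only files that would actually load the rule are reported.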