Linux audit

The purpose of Linux audit is to collect information about events occurring on the running system. Its function is a little like syslog (the older Linux logging system), but it is much more configurable.

The Linux audit system is made up of a number of parts. In summary:

  • auditd the audit daemon. It is primarily responsible for accepting audit records from the kernel and dealing with them (writing them to audit.log or passing them on, depending on how it is configured). On Fedora it is configured from the file /etc/audit/auditd.conf.
  • auditctl a tool to control the audit system. It can turn auditing on and off, add rules for the filtering of events, etc.
  • ausearch a tool to query the audit logs. For example:
    # ausearch -i -se unconfined_t
    type=USER_AUTH msg=audit(03/18/2007 08:13:41.850:14) : user pid=2755 uid=domenico auid=domenico subj=user_u:system_r:unconfined_t:s0 msg='PAM: authentication acct=root : exe=/usr/sbin/userhelper (hostname=?, addr=?, terminal=? res=success)'
    This example searched for all entries in the log whose SELinux context contains the type unconfined_t (the -se option matches on the SELinux context). The -i flag made ausearch replace numeric values (like the uid) with their names. As another example, suppose we want to look for failures of the open system call (the system call a program uses to obtain access to a given file), such as the one caused by this command:
    # sudo -u domenico cat /etc/shadow
    # ausearch -i -sc open -sv no
    type=PATH msg=audit(03/22/2007 22:17:32.416:20) : item=0 name=/etc/shadow inode=6600828 dev=fd:00 mode=file,400 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shadow_t:s0
    type=CWD msg=audit(03/22/2007 22:17:32.416:20) : cwd=/usr/share/selinux/devel/include/apps
    type=SYSCALL msg=audit(03/22/2007 22:17:32.416:20) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=bf82ba05 a1=8000 a2=0 a3=8000 items=1 ppid=7226 pid=7862 auid=unset uid=domenico gid=domenico euid=domenico suid=domenico fsuid=domenico egid=domenico sgid=domenico fsgid=domenico tty=pts5 comm=cat exe=/bin/cat subj=user_u:system_r:unconfined_t:s0 key=(null)

    The -sc option searches for events matching the given system call, and the -sv option searches for events matching a given success value. In the example, these options together find the failures of the open system call in the audit logs. Note that the PATH, CWD and SYSCALL records share the same msg=audit(...:20) identifier: they are three records of one event.

    A useful option for debugging SELinux is the -ts option. This produces all events after a certain date/time. For example, all AVC events after 5pm today:

    # ausearch -ts 17:00 | grep AVC
    type=AVC_PATH msg=audit(1176137906.767:37): path="/home/domenico/.icons/Tango/index.theme"
    type=AVC msg=audit(1176137906.767:37): avc: denied { getattr } for pid=3570 comm="liferea-bin" name="index.theme" dev=dm-0 ino=3015579 scontext=user_u:system_r:liferea_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
    type=AVC msg=audit(1176137906.768:38): avc: denied { read } for pid=3570 comm="liferea-bin" name="index.theme" dev=dm-0 ino=3015579 scontext=user_u:system_r:liferea_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
  • aureport a tool to produce summary reports from the audit logs.
  • autrace a tool that adds the audit rules needed to trace a program, giving output similar to strace.
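To show how the records ausearch reports fit together, here is a small added example (written for this page, not part of the audit tools or the original text) that parses raw audit.log records, groups them by the serial in msg=audit(timestamp:serial), and reproduces the two searches above: failed open calls together with the PATH names of the same event, and AVC denials at or after a given timestamp. The sample records are constructed from the output shown above, in raw form rather than the -i interpreted form; syscall number 5 is open on i386, matching the arch=i386 example.

```python
import re
from collections import defaultdict

# Constructed sample of raw (not -i interpreted) audit.log records modelled on the
# ausearch output above: one failed open() event (serial 20) and two AVC denials.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1176137852.416:20): arch=40000003 syscall=5 success=no exit=-13 a0=bf82ba05 a1=8000 a2=0 a3=8000 items=1 ppid=7226 pid=7862 auid=4294967295 uid=500 gid=500 euid=500 tty=pts5 comm="cat" exe="/bin/cat" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=CWD msg=audit(1176137852.416:20):  cwd="/usr/share/selinux/devel/include/apps"
type=PATH msg=audit(1176137852.416:20): item=0 name="/etc/shadow" inode=6600828 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
type=AVC msg=audit(1176137906.767:37): avc:  denied  { getattr } for  pid=3570 comm="liferea-bin" name="index.theme" dev=dm-0 ino=3015579 scontext=user_u:system_r:liferea_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1176137906.768:38): avc:  denied  { read } for  pid=3570 comm="liferea-bin" name="index.theme" dev=dm-0 ino=3015579 scontext=user_u:system_r:liferea_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

HEADER = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs; values may be double-quoted
PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')    # the { read write } permission set of an AVC record

def parse_events(text):
    """Group records by serial: all records of one kernel event share msg=audit(ts:serial)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip ausearch separators and anything that is not an audit record
        fields = {k: v.strip('"') for k, v in FIELD.findall(m['body'])}
        events[int(m['serial'])].append({'type': m['type'], 'ts': float(m['ts']), 'body': m['body'], 'fields': fields})
    return events

def failed_syscalls(events, syscall_nr):
    """Like `ausearch -sc <nr> -sv no`: failed calls plus the PATH names recorded for the same event."""
    hits = []
    for serial, recs in sorted(events.items()):
        for r in recs:
            f = r['fields']
            if r['type'] == 'SYSCALL' and f.get('syscall') == str(syscall_nr) and f.get('success') == 'no':
                paths = [x['fields']['name'] for x in recs if x['type'] == 'PATH' and 'name' in x['fields']]
                hits.append({'serial': serial, 'exe': f.get('exe'), 'exit': f.get('exit'), 'paths': paths})
    return hits

def avc_denials_since(events, start_ts):
    """Like `ausearch -ts <time> | grep AVC`: denials whose timestamp is at or after start_ts."""
    out = []
    for serial, recs in sorted(events.items()):
        for r in recs:
            if r['type'] == 'AVC' and r['ts'] >= start_ts and 'denied' in r['body']:
                perms, f = PERMS.search(r['body']), r['fields']
                out.append({'serial': serial, 'comm': f.get('comm'), 'perms': perms.group(1).split() if perms else [], 'scontext': f.get('scontext'), 'tcontext': f.get('tcontext'), 'tclass': f.get('tclass')})
    return out
```

Running failed_syscalls(parse_events(SAMPLE_LOG), 5) reports the single failed open of /etc/shadow by /bin/cat with exit -13, and avc_denials_since(..., 1176137900) lists the getattr and read denials for liferea-bin.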

Much more detail is available in the man pages.