Linux Audit is composed of a kernel-side component and a user-space component. It is primarily used to audit system calls. Some other kernel subsystems, such as SELinux’s AVC, also use Linux Audit. This document focuses on the use of Audit with system calls only.
In particular, for both forensics and live alerting purposes, it makes sense to audit system calls:
- it’s a single point of entry for communication from user space (programs, etc. running on your OS): even if you communicate by other means afterwards, it always starts with a system call.
- it cannot (too) easily be bypassed.