Auditd Daemon

The audit daemon is a simplified version of its desktop
counterpart designed to gather the audit logs from the
audit kernel subsystem. The audit subsystem of the kernel
includes Linux Security Modules (LSM) messages as well.

To enable the audit subsystem, you must add this to your
kernel config:
CONFIG_AUDIT=y

To enable a LSM, you must consult that LSM's documentation, the
example below is for SELinux:
CONFIG_SECURITY_SELINUX=y

This does not include possible dependencies that may need to be
satisfied for that particular LSM.