Investigate auditd as a tool for monitoring/validating system state

[rocodes]

There are cases where we need to install and ascertain the state of certain files, both in dom0 and in other vms, such as the release pubkey, or other configurable files.

[auditd](https://www.redhat.com/sysadmin/configure-linux-auditing-auditd)/auditctl are available in dom0, and allow for the configuration of custom rules with various possible actions.

At minimum we could write logs to journalctl, but we could also consider triggering custom actions (for example, if a certain file changes, ask a trusted channel like dom0 rpc to show the user a confirmation dialog), or as a trigger to notify us that some provisioning steps may need to be rerun.

Possible use cases:

• a set of rules that 'validate' a prod config (similar idea to make test in dom0 that developers do)
• Help with the followup of [4.2] Write vm-specific config values to qubesdb #936 or with other provisioning aspects where we try to ascertain the system state, and/or ascertain if we need to rerun any provisioning steps

I haven't looked into this a ton, but just putting it out there, thoughts are welcome.

[cfm]

It looks like auditd would get us relevant logging of the same kind we get from OSSEC on the Application and Monitor Servers. That might well be valuable if we're able to save administrators manual spelunking through generic system log files, which has me thinking of freedomofpress/securedrop#973. Which makes sense for an always-on server. For the interative workstation, I think I'd pick #939 over this, at least to start....