Add 'Managing the audit daemon' page

See: coreos/fedora-coreos-tracker#1362
See: linux-audit/audit-userspace@39802bf

modules/ROOT/nav.adoc

@@ -42,6 +42,7 @@
 ** xref:counting.adoc[Node counting]
 ** xref:time-zone.adoc[Configuring Time Zone]
 ** xref:grub-password.adoc[Setting a GRUB password]
+** xref:audit.adoc[Managing the audit daemon]
 * OS updates
 ** xref:update-streams.adoc[Update Streams]
 ** xref:auto-updates.adoc[Auto-Updates]

modules/ROOT/pages/audit.adoc

@@ -0,0 +1,28 @@
+= Managing the audit daemon (`auditd`)
+
+Starting with the first release based on Fedora 39, Fedora CoreOS includes the audit daemon (`auditd`) to load and manage audit rules.
+
+While the audit daemon
+Like all system daemons on Fedora CoreOS, the audit daemon is managed by systemd but with an exception: it can not be stopped or restarted via `systemctl stop auditd` or `systemctl restart auditd` for compliance reasons.
+
+From [Unable to restart/stop auditd service using systemctl command in RHEL](https://access.redhat.com/solutions/2664811):
+
+> The reason for this unusual handling of restart/stop requests is that auditd is treated specially by the kernel: the credentials of a process that sends a killing signal to auditd are saved to the audit log. The audit developers do not want to see the credentials of PID 1 logged there. They want to see the login UID of the user who initiated the action.
+
+To stop and restart the audit daemon, you should use the following commands:
+
+[source,bash]
+----
+$ sudo auditctl stop
+$ sudo systemctl start  # Only if you want to restart the daemon
+----
+
+You man also use the following commands to reload the rules, rotate the logs, resume (?), fetch the state:
+
+[source,bash]
+----
+$ sudo auditctl reload
+$ sudo auditctl rotate
+$ sudo auditctl resume
+$ sudo auditctl state
+----