auditd(8)

Name
auditd - audit daemon

Syntax
/etc/sec/auditd [ options ... ]

Description
The audit daemon operates as a server, monitoring for local audit
data, monitoring a known port for data from remote cooperating audit
daemons, and monitoring an AF_UNIX socket for input from the system
administrator.

Local audit data is read from the device. Data read from is buffered
by the audit daemon, and eventually output into the auditlog when the
buffer nears capacity or the daemon receives an explicit instruction
from the administrator to flush its buffer.

Local administrative data is read via the socket. Input from the system
administrator allows the daemon's configurable options to be changed.
The administrator communicates with the audit daemon by executing with
the desired options. The first invocation of spawns the daemon; subsequent
invocations detect that an audit daemon already exists and will
communicate with it, passing along directions for the selected options.
The first invocation of the daemon also turns on auditing for the system
( When the daemon is terminated, by the -k option or the SIGTERM
signal, auditing is turned off. It is important not to have system
auditing turned on when there is no audit daemon running on the system
(processes being audited will sleep until is read, which is typically
done by the audit daemon).

Remote audit data is first detected when the remote audit daemon
attempts to communicate with the local audit daemon. To establish a
communications path between the remote and the local daemons, the
remote audit daemon's hostname is first checked against a list of hosts
allowed to transmit data to the local host. This list is maintained in
If the remote host is allowed to transfer audit data to the local host,
a child audit daemon dedicated to communicating with the remote host is
spawned.
Options
-a Toggles the KERBEROS switch. If on, KERBEROS authentication
routines will be used to verify the identity of any audit
daemons attempting to communicate. This occurs either when
sending to a remote host (by the -i option) or accepting
from remote hosts (by the -s option).
-b alternate_pathname
Sets the pathname to which the audit daemon will write its
data should the location currently accepting data become
unavailable. This can happen should the current location
specify a remote host which is no longer available, or when
the filesystem of the current location reaches an overflow
condition (in this case, the alternate pathname must specify
a partition other than the currently overflowing partition).
-c pathname Sets the pathname to which the audit daemon will post any
warning or informational messages (such as "audit log
change"). This may be either a device or local file.
-d Causes the audit daemon to dump its currently buffered
audit data out to The audit daemon normally dumps its buffer
only when it approaches capacity.
-f percentage
Sets the minimum percent free space on the current partition
before an overflow condition is triggered.
-h Outputs a brief help menu.
-i hostname Causes the audit daemon to transfer its audit data to the
audit daemon executing on the remote host hostname. If the
remote site stops receiving, the local daemon will store
its data locally (in alternate_pathname if available).
-k Kills the audit daemon (killing the local daemon turns
audit off).
-l pathname Causes the audit daemon to output its audit data to the
local file pathname.
-n kbytes Sets the size of the audit daemon's buffer for the audit
data (minimum is 4).
-o overflow action
Sets the system action to take on a local overflow condition.
Alternatives are a) use the alternate log specified
via -b option, b) shutdown the system, c) switch to the
root-mounted filesystem with the most free space, d) suspend
auditing until space is made available, and e) overwrite
the current auditlog.
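The overflow handling described under -f, -b and -o, as an added illustration that is not part of this man page or of the auditd implementation: it computes percent free space the way -f is defined, applies the five -o alternatives in the order listed, and enforces the -b rule that the alternate log must sit on a partition other than the overflowing one. The `Partition` record, `resolve_overflow` and the `mounted` list it searches for alternative c are assumptions of this example.

```python
import os
from typing import NamedTuple, Optional, Tuple

class Partition(NamedTuple):
    path: str            # pathname on that partition
    dev: int             # device id (st_dev) identifying the partition
    percent_free: float  # free space as a percentage of the partition

def partition_of(path: str) -> Partition:
    """Measure the partition holding `path` for a live check (tests use constructed values)."""
    vfs = os.statvfs(path)
    total = vfs.f_blocks * vfs.f_frsize
    free = vfs.f_bavail * vfs.f_frsize
    return Partition(path, os.stat(path).st_dev, 100.0 * free / total if total else 0.0)

def overflow_triggered(current: Partition, min_percent_free: float) -> bool:
    """-f percentage: overflow once free space on the current partition drops below the minimum."""
    return current.percent_free < min_percent_free

def resolve_overflow(current: Partition, min_percent_free: float, action: str,
                     alternate: Optional[Partition] = None,
                     mounted: Tuple[Partition, ...] = ()) -> str:
    """Apply the -o overflow action (letters a-e in the man page's order) and describe
    the outcome.  Hypothetical helper that mirrors the man page; not auditd's own code."""
    if not overflow_triggered(current, min_percent_free):
        return "ok: keep logging to " + current.path
    if action == "a":  # use the alternate log given with -b
        if alternate is None:
            return "error: no alternate log configured with -b"
        if alternate.dev == current.dev:  # -b requires a different partition
            return "error: alternate log is on the overflowing partition"
        return "switch: log to " + alternate.path
    if action == "b":
        return "shutdown: halt the system"
    if action == "c":  # root-mounted filesystem with the most free space
        others = [p for p in mounted if p.dev != current.dev]
        if not others:
            return "error: no other mounted filesystem available"
        return "switch: log to " + max(others, key=lambda p: p.percent_free).path
    if action == "d":
        return "suspend: pause auditing until space is made available"
    if action == "e":
        return "overwrite: reuse the current auditlog " + current.path
    raise ValueError("unknown overflow action: " + action)
```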
-p daemon id
Specifies the id of the audit daemon to receive the current
options. When the local audit daemon accepts a connection
to receive data from a remote audit daemon, a dedicated
child audit daemon is spawned off from the local audit daemon
to service that connection. With this scenario, multiple
audit daemons may exist on a single system. Specifying
the id of the allows for communication with one of the
child audit daemons. The id for each daemon can be found
by entering the following at the command line:
/etc/sec/auditd -?
The previous command line displays the current options. No
ids are displayed unless at least one child audit daemon
exists. If the -p option is not specified when running
with more than one audit daemon, the master daemon (accepting
audit data for the local system) handles the request.
When the master daemon is killed, it kills all of its child
daemons.
-q Queries the audit daemon for the current location of the
audit data.
-s Toggles the network server switch. If on, allows the audit
daemon to accept audit data from other audit daemons whose
hostnames are specified in the file.
-t timeout value
Sets the timeout value used in establishing initial connections
with remote audit daemons.
-x Auditlog pathnames are always appended with a suffix consisting
of a generation number. These generation numbers
range from 0 to 999. (Generation numbers may be overridden
via explicit generation number specification on the pathname
for the -lfR option, for example auditlog.345). The
-x option causes a change in auditlog to the next auditlog
in the generation number sequence. (If the current log was
auditlog.345, then -x would change the log to auditlog.346).
Whenever an auditlog is closed, it is also compressed
(by
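The generation-number sequence that -x steps through, as an added example written for this page rather than taken from the man page or from auditd: it splits a pathname such as auditlog.345 into base and generation, advances to the next generation as -x does, or substitutes an explicitly requested generation as an explicit suffix on the pathname does, and rejects anything outside the stated 0 to 999 range. The names `split_auditlog` and `next_auditlog` are assumptions of this example, and what the daemon does after generation 999 is not stated on the page, so the example simply refuses to go past it.

```python
import re
from typing import Optional, Tuple

# An auditlog pathname ends in ".<generation>", e.g. auditlog.345 (per the man page).
GENERATION_RE = re.compile(r"^(?P<base>.+)\.(?P<gen>\d+)$")
MAX_GENERATION = 999  # generation numbers range from 0 to 999

def split_auditlog(pathname: str) -> Tuple[str, Optional[int]]:
    """Return (base, generation); generation is None if the pathname has no numeric suffix."""
    m = GENERATION_RE.match(pathname)
    if m is None:
        return pathname, None
    return m.group("base"), int(m.group("gen"))

def next_auditlog(pathname: str, explicit_gen: Optional[int] = None) -> str:
    """Pathname the log changes to: the next generation in sequence (as -x does), or an
    explicitly requested generation (as a suffix such as auditlog.345 does).
    Hypothetical helper; not auditd's own code."""
    base, gen = split_auditlog(pathname)
    if explicit_gen is not None:
        new_gen = explicit_gen
    elif gen is None:
        raise ValueError("pathname has no generation suffix: " + pathname)
    else:
        new_gen = gen + 1
    if not 0 <= new_gen <= MAX_GENERATION:
        # The man page gives the 0-999 range but does not say what happens past it.
        raise ValueError("generation number out of range 0-%d: %d" % (MAX_GENERATION, new_gen))
    return "%s.%d" % (base, new_gen)
```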
-z Removes any AF_UNIX sockets left by previous daemons. This
occurs when the system shuts down abnormally. This option
is useful typically only for the invocation from the file.
If no AF_UNIX socket is present, the next invocation of
will start the daemon. If an AF_UNIX socket is present,
the next invocation of will spawn a client process which
will communicate with the system audit daemon. This -z
option removes any leftover AF_UNIX sockets, forcing a new
audit daemon to start. This should be used only when no
audit daemon is present on the system.
-? Shows the current status of the audit daemon's options.
Files

See Also
audcntl(2), audit(4)