auditd - Audit daemon
/usr/sbin/auditd [ options ... ]
Sets the pathname to which the audit daemon will post any warning or informational messages (such as "audit log change"). This may be either a device or a local file.
Outputs a brief help menu.
Causes the audit daemon to transfer its audit data to the audit daemon executing on the remote host hostname. If the remote site stops receiving, the local daemon will store its data locally as specified with the -o and -r options to auditd.
Causes the audit daemon to output its audit data to the local file pathname.
Queries the audit daemon for the current location of the audit data.
Causes the audit subsystem to dump its currently buffered audit data (from the kernel and the daemon) out to the configured host or log file. The audit daemon normally dumps its buffer only when it approaches capacity.
The -z option removes any AF_UNIX sockets left by previous daemons. This situation can occur when the system shuts down abnormally. If no AF_UNIX socket is present, the next invocation of auditd will start the daemon. If an AF_UNIX socket is present, the next invocation of auditd spawns a client process which communicates with the system audit daemon. The -z option should be used only when no audit daemon is present on the system.
Sets the size of the audit daemon's buffer for the audit data (minimum is 4).
Toggles the network server switch. If on, allows the audit daemon to accept audit data from other audit daemons whose host names are specified in the /etc/sec/auditd_clients file.
Sets the timeout value used in establishing initial connections with remote audit daemons.
Instructs the client audit daemon to not require acknowledgement from the server (the machine collecting audit data) for the receipt of audit data sent over the network. The -u option is used for compatibility with servers that are running versions of DIGITAL UNIX prior to Version 4.0D.
Sets the minimum percent free space on the current partition before an overflow condition is triggered.
Sets the action that auditd takes on an overflow condition.
The following actions are available for the -o option:
Change to the next directory or host machine (auditd on the host machine determines the path) as specified in the /etc/sec/auditd_loc file.
Overwrite the current audit log file. This action causes the loss of previously logged audit data.
Terminates the audit daemon.
Immediately halts the system by doing a reboot.
The audit daemon, auditd, operates as a server, monitoring /dev/audit for local audit data, monitoring a known port for data from remote cooperating audit daemons, and monitoring an AF_UNIX socket for input from the system administrator.
Local audit data is shared with the /dev/audit device, and eventually is sent to the auditlog when the buffer nears capacity or the daemon receives an explicit instruction from the administrator to flush its buffer.
Local administrative data is read via the socket /dev/.audit/audS. Input from the system administrator allows for changing of the daemon's configurable options. The administrator communicates with the audit daemon by executing auditd with the desired options. The first invocation of auditd spawns the daemon; subsequent invocations detect that an audit daemon already exists and will communicate with it, passing along directions for the selected options. The first invocation of the daemon also turns on auditing for the system (audcntl(2)). When the daemon is terminated, by the -k option or the SIGTERM signal, auditing is turned off. It is important not to have system auditing turned on when there is no audit daemon running on the system (processes being audited will sleep on resources under control of the audit system).
Remote audit data is first detected when a client (remote) audit daemon attempts to communicate with the server (local) audit daemon. To establish a communications path between the client and the server daemons, the client's host name is first checked against a list of hosts allowed to transmit data to the server. This list is maintained on the server in /etc/sec/auditd_clients. If the client is allowed to transfer audit data to the server, a child audit daemon dedicated to communicating with that client is spawned.
Any data transferred from the client to the server is acknowledged (ack'ed) by the server. If the data transfer fails, the client follows its "overflow" option. For communication with servers on systems prior to Version 4.0D, the client must use the -u option, because data acknowledgment was not used on earlier systems.
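Added example, not part of the auditd manual: a small POSIX shell script modelling three of the behaviours described above, so an administrator can check them from the outside: the host allowlist the server consults before accepting a remote client, the -r free-space overflow condition, and the stale-socket situation the -z option exists for. The format of /etc/sec/auditd_clients (one host name per line, '#' comments) and the case-insensitive host-name match are assumptions, not taken from the page.

```shell
# Added example, not part of the auditd manual. Defender-side checks modelled
# on the behaviour described above. ASSUMPTION: /etc/sec/auditd_clients holds
# one host name per line, with '#' comments; host names compare case-insensitively.

# client_allowed HOST ALLOWLIST
# The server daemon's first step for a remote client: the host name must be
# on the list or no child daemon is spawned. Exit 0 allowed, 1 denied,
# 2 list unreadable (callers should treat 2 as deny).
client_allowed() {
    host=$1; list=$2
    [ -r "$list" ] || return 2
    awk -v h="$host" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 != "" && tolower($0) == tolower(h) { found = 1; exit }
        END { exit found ? 0 : 1 }' "$list"
}

# overflow_triggered LOGDIR MIN_FREE_PERCENT
# The -r condition: free space on the partition holding the audit log has
# fallen below MIN_FREE_PERCENT, so the -o action would fire.
overflow_triggered() {
    used=$(df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }')
    case $used in '' | *[!0-9]*) return 2 ;; esac   # df gave no usable figure
    [ $((100 - used)) -lt "$2" ]
}

# auditd_state SOCKET_PATH
# Tells a live daemon apart from a stale AF_UNIX socket left by an abnormal
# shutdown: with a stale socket, a plain auditd invocation becomes a client
# talking to nothing, and auditing may be on with no daemon to drain it.
auditd_state() {
    if [ ! -S "$1" ]; then
        echo stopped                 # next invocation starts the daemon
    elif ps -e -o comm= | grep -qx auditd; then
        echo running
    else
        echo stale-socket            # the case the -z option exists for
    fi
}

# Demonstration with a constructed allowlist; no system file is touched.
demo() {
    tmp=$(mktemp) || return 1
    printf '# collectors allowed to send audit data\nhostA.example.test\n  hostB.example.test  \n' > "$tmp"
    for h in hostA.example.test HOSTB.EXAMPLE.TEST rogue.example.test; do
        client_allowed "$h" "$tmp" && echo "$h: allowed" || echo "$h: denied"
    done
    rm -f "$tmp"
}
```

Run `demo` to see two hosts accepted and the unlisted one denied; `auditd_state /dev/.audit/audS` reports whether the socket named in the text belongs to a running daemon.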
Files: audit(7)