Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

auditd(8) [ultrix man page]

auditd(8)						      System Manager's Manual							 auditd(8)

Name
       auditd - audit daemon

Syntax
       /etc/sec/auditd [ options ...  ]

Description
       The  audit  daemon,  operates  as a server, monitoring for local audit data, monitoring a known port for data from remote cooperating audit
       daemons, and monitoring an AF_UNIX socket for input from the system administrator.

       Local audit data is read from the device.  Data read from is buffered by the audit daemon, and eventually output into the auditlog when the
       buffer nears capacity or the daemon receives an explicit instruction from the administrator to flush its buffer.

       Local  administrative  data  is	read  via  the socket Input from the system administrator allows for changing of the daemon's configurable
       options.  The administrator communicates with the audit daemon by executing with the desired options.  The first invocation of  spawns  the
       daemon;	subsequent  invocations  detect that an audit daemon already exists and will communicate with it, passing along directions for the
       selected options.  The first invocation of the daemon also turns on auditing for the system ( When the daemon  is  terminated,  by  the	-k
       option  or the SIGTERM signal, auditing is turned off.  It is important not to have system auditing turned on when there is no audit daemon
       running on the system (processes being audited will sleep until is read, which is typically done by the audit daemon).

       Remote audit data is first detected when the remote audit daemon attempts to communicate with the local audit daemon.  To establish a  com-
       munications  path  between  the	remote	and  the local daemons, the remote audit daemons hostname is first checked against a list of hosts
       allowed to transmit data to the local host.  This list is maintained in If the remote host is allowed to transfer audit data to	the  local
       host, a child audit daemon dedicated to communicating with the remote host is spawned.

Options
       -a	   Toggle  the	KERBEROS switch.  If on, KERBEROS authentication routines will be used to verify the identity of any audit daemons
		   attempting to communicate.  This occurs either when sending to a remote host (by the -i option) or accepting from remote  hosts
		   (by the -s option).

       -b alternate_pathname
		   Sets  the  pathname	to which the audit daemon will write its data should the location currently accepting data become unavail-
		   able.  This can happen should the current location specify a remote host which is no longer available, or when  the	filesystem
		   of the current location reaches an overflow condition (in this case, the alternate pathname must specify a partition other than
		   the currently overflowing partition).

       -c pathname Sets the pathname to which the audit daemon will post any warning or informational messages (such as "audit log change").  This
		   may be either a device or local file.

       -d	   Causes  the	audit daemon to dump its currently buffered audit data out to The audit daemon normally dumps its buffer only when
		   it approaches capacity.

       -f percentage
		   Sets the minimum percent free space on the current partition before an overflow condition is triggered.

       -h	   Outputs a brief help menu.

       -i hostname Causes the audit daemon to transfer its audit data to the audit daemon executing on the remote host hostname.   If  the  remote
		   site stops receiving, the local daemon will store its data locally (in alternate_pathname if available).

       -k	   Kills the audit daemon (killing the local daemon turns audit off).

       -l pathname Causes the audit daemon to output its audit data to the local file pathname.

       -n kbytes   Sets the size of the audit daemons buffer for the audit data (minimum is 4).

       -o overflow action
		   Sets  the  system  action  to  take	on a local overflow condition.	Alternatives are a) use the alternate log specified via -b
		   option, b) shutdown the system, c) switch to the root-mounted filesystem with the most free space, d)  suspend  auditing  until
		   space is made available, and e) overwrite the current auditlog.

       -p daemon id
		   Specifies  the  id  of  the	audit  daemon to receive the current options.  When the local audit daemon accepts a connection to
		   receive data from a remote audit daemon, a dedicated child audit daemon is spawned off from the local audit daemon  to  service
		   that connection.  With this scenario, multiple audit daemons may exist on a single system.  Specifying the id of the allows for
		   communication with one of the child audit daemons.  The id for each daemon can be found by entering the following at  the  com-
		   mand line:
		   /etc/sec/auditd -?
		   The	previous  command line displays the current options.  No id's are displayed unless at least one child audit daemon exists.
		   If the -p option is not specified when running with more than one audit daemon, the master daemon (accepting audit data for the
		   local system) handles the request.  When the master daemon is killed, it kills all of its child daemons.

       -q	   Queries the audit daemon for the current location of the audit data.

       -s	   Toggles  the  network  server switch.  If on, allows the audit daemon to accept audit data from other audit daemons whose host-
		   names are specified in the file.

       -t timeout value
		   Sets the timeout value used in establishing initial connections with remote audit daemons.

       -x	   Auditlog pathnames are always appended with a suffix consisting of a generation number.  These generation numbers range from  0
		   to  999.   (Generation  numbers  may  be  overridden  via explicit generation number specification on the pathname for the -lfR
		   option, for example auditlog.345).  The -x option causes a change in auditlog to the next auditlog  in  the	generation  number
		   sequence.   (If  the  current  log  was  auditlog.345,  then -x would change the log to auditlog.346).  Whenever an auditlog is
		   closed, it is also compressed (by

       -z	   Removes any AF_UNIX sockets left by previous daemons.  This occurs when the system shuts down abnormally.  This option is  use-
		   ful	typically  only  for the invocation from the file.  If no AF_UNIX socket is present, the next invocation of will start the
		   daemon.  If an AF_UNIX socket is present, the next invocation of will spawn a client process which will  communicate  with  the
		   system audit daemon.  This -z option removes any leftover AF_UNIX sockets, forcing a new audit daemon to start.  This should be
		   used only when no audit daemon is present on the system.

       -?	   Shows the current status of the audit daemons options.

Files
See Also
       audcntl(2), audit(4)

																	 auditd(8)
Man Page