auditd(8) System Manager's Manual auditd(8)
Name
auditd - audit daemon
Syntax
/etc/sec/auditd [ options ... ]
Description
The audit daemon operates as a server, monitoring for local audit data, monitoring a known port for data from remote cooperating audit
daemons, and monitoring an AF_UNIX socket for input from the system administrator.
Local audit data is read from the device. Data read from is buffered by the audit daemon, and eventually output into the auditlog when the
buffer nears capacity or the daemon receives an explicit instruction from the administrator to flush its buffer.
Local administrative data is read via the socket. Input from the system administrator allows the daemon's configurable options to be
changed. The administrator communicates with the audit daemon by executing auditd with the desired options. The first invocation of
auditd spawns the daemon; subsequent invocations detect that an audit daemon already exists and communicate with it, passing along
directions for the selected options. The first invocation of the daemon also turns on auditing for the system. When the daemon is
terminated, by the -k option or the SIGTERM signal, auditing is turned off. It is important not to have system auditing turned on when
there is no audit daemon running on the system (processes being audited will sleep until is read, which is typically done by the audit
daemon).
Remote audit data is first detected when the remote audit daemon attempts to communicate with the local audit daemon. To establish a
communications path between the remote and the local daemons, the remote audit daemon's hostname is first checked against a list of
hosts allowed to transmit data to the local host. This list is maintained in If the remote host is allowed to transfer audit data to the
local host, a child audit daemon dedicated to communicating with the remote host is spawned.
Options
-a Toggle the KERBEROS switch. If on, KERBEROS authentication routines will be used to verify the identity of any audit daemons
attempting to communicate. This occurs either when sending to a remote host (by the -i option) or accepting from remote hosts
(by the -s option).
-b alternate_pathname
Sets the pathname to which the audit daemon will write its data should the location currently accepting data become
unavailable. This can happen should the current location specify a remote host which is no longer available, or when the
filesystem of the current location reaches an overflow condition (in this case, the alternate pathname must specify a partition
other than the currently overflowing partition).
-c pathname Sets the pathname to which the audit daemon will post any warning or informational messages (such as "audit log change"). This
may be either a device or local file.
-d Causes the audit daemon to dump its currently buffered audit data out to The audit daemon normally dumps its buffer only when
it approaches capacity.
-f percentage
Sets the minimum percent free space on the current partition before an overflow condition is triggered.
-h Outputs a brief help menu.
-i hostname Causes the audit daemon to transfer its audit data to the audit daemon executing on the remote host hostname. If the remote
site stops receiving, the local daemon will store its data locally (in alternate_pathname if available).
-k Kills the audit daemon (killing the local daemon turns audit off).
-l pathname Causes the audit daemon to output its audit data to the local file pathname.
-n kbytes Sets the size of the audit daemon's buffer for the audit data (minimum is 4).
-o overflow action
Sets the system action to take on a local overflow condition. Alternatives are a) use the alternate log specified via -b
option, b) shutdown the system, c) switch to the root-mounted filesystem with the most free space, d) suspend auditing until
space is made available, and e) overwrite the current auditlog.
-p daemon id
Specifies the id of the audit daemon to receive the current options. When the local audit daemon accepts a connection to
receive data from a remote audit daemon, a dedicated child audit daemon is spawned off from the local audit daemon to service
that connection. In this scenario, multiple audit daemons may exist on a single system. Specifying the id of the allows for
communication with one of the child audit daemons. The id for each daemon can be found by entering the following at the
command line:
/etc/sec/auditd -?
The previous command line displays the current options. No ids are displayed unless at least one child audit daemon exists.
If the -p option is not specified when running with more than one audit daemon, the master daemon (accepting audit data for the
local system) handles the request. When the master daemon is killed, it kills all of its child daemons.
-q Queries the audit daemon for the current location of the audit data.
-s Toggles the network server switch. If on, allows the audit daemon to accept audit data from other audit daemons whose
hostnames are specified in the file.
-t timeout value
Sets the timeout value used in establishing initial connections with remote audit daemons.
-x Auditlog pathnames are always appended with a suffix consisting of a generation number. These generation numbers range from 0
to 999. (Generation numbers may be overridden via explicit generation number specification on the pathname for the -l
option, for example auditlog.345). The -x option causes a change in auditlog to the next auditlog in the generation number
sequence. (If the current log was auditlog.345, then -x would change the log to auditlog.346). Whenever an auditlog is
closed, it is also compressed (by
-z Removes any AF_UNIX sockets left by previous daemons. This occurs when the system shuts down abnormally. This option is
typically useful only for the invocation from the file. If no AF_UNIX socket is present, the next invocation of auditd will
start the daemon. If an AF_UNIX socket is present, the next invocation of auditd will spawn a client process which will
communicate with the system audit daemon. The -z option removes any leftover AF_UNIX sockets, forcing a new audit daemon to
start. It should be used only when no audit daemon is present on the system.
-? Shows the current status of the audit daemon's options.
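The -b and -f options interact: the alternate pathname is only useful if it lives on a partition other than the one that is filling up, and the -f percentage decides when that switch happens. The following is an added example, not part of this manual or of auditd, of how an administrator could check both conditions offline before configuring them. It assumes a "df -P"-style line (Filesystem, blocks, Used, Available, Capacity, Mounted on) for each path; the device names, sizes and mount points below are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the auditd manual): pre-flight checks for the
# -b alternate_pathname and -f percentage settings.
# Each function takes a "df -P" output line so the logic can be exercised
# offline; on a live system obtain it with:  df -P "$path" | tail -1

# fs_of DF_LINE -> prints the mount point (6th field) of the df -P line
fs_of() {
    printf '%s\n' "$1" | awk '{ print $6 }'
}

# free_pct DF_LINE -> integer percent of the partition still free,
# computed from blocks ($2) and used blocks ($3), rounded to nearest
free_pct() {
    printf '%s\n' "$1" | awk '{
        if ($2 > 0) printf "%d\n", 100 - int(($3 * 100) / $2 + 0.5)
        else print 0
    }'
}

# overflow_triggered DF_LINE PERCENT -> succeeds when free space has
# dropped below the -f threshold, i.e. auditd would declare an overflow
overflow_triggered() {
    [ "$(free_pct "$1")" -lt "$2" ]
}

# alternate_ok CUR_DF_LINE ALT_DF_LINE -> succeeds only when the -b
# alternate log is on a different partition than the current auditlog
alternate_ok() {
    [ "$(fs_of "$1")" != "$(fs_of "$2")" ]
}

# Constructed sample df -P lines (hypothetical devices and mount points).
CUR_DF='/dev/rz0g 1000000 950000 50000 95% /var'
ALT_DF='/dev/rz1c 2000000 200000 1800000 10% /auditalt'
SAME_DF='/dev/rz0g 1000000 950000 50000 95% /var'

# Report what auditd -f 10 -b /auditalt/auditlog would do with these values.
echo "current log partition free: $(free_pct "$CUR_DF")%"
if overflow_triggered "$CUR_DF" 10; then
    echo "overflow condition: yes (below -f 10)"
fi
if alternate_ok "$CUR_DF" "$ALT_DF"; then
    echo "alternate on different partition: yes"
fi
if ! alternate_ok "$CUR_DF" "$SAME_DF"; then
    echo "alternate on same partition as current log: REJECT"
fi
```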
Files
See Also
audcntl(2), audit(4)