1AUDITD(8) System Administration Utilities AUDITD(8)
2
6 auditd - The Linux Audit daemon
7
9 auditd [-f] [-l] [-n] [-s disable|enable|nochange] [-c <config_dir>]
10
12 auditd is the userspace component to the Linux Auditing System. It's
13 responsible for writing audit records to the disk. Viewing the logs is
14 done with the ausearch or aureport utilities. Configuring the audit
15 system or loading rules is done with the auditctl utility. During
16 startup, the rules in /etc/audit/audit.rules are read by auditctl and
17 loaded into the kernel. Alternately, there is also an augenrules pro‐
18 gram that reads rules located in /etc/audit/rules.d/ and compiles them
19 into an audit.rules file. The audit daemon itself has some configura‐
20 tion options that the admin may wish to customize. They are found in
21 the auditd.conf file.
22
24 -f leave the audit daemon in the foreground for debugging. Messages
25 also go to stderr rather than the audit log.
26 -l allow the audit daemon to follow symlinks for config files.
28 -n no fork. This is useful for running off of inittab or systemd.
30 -s=ENABLE_STATE
32 specify when starting if auditd should change the current value
33 for the kernel enabled flag. Valid values for ENABLE_STATE are
34 "disable", "enable" or "nochange". The default is to enable (and
35 disable when auditd terminates). The value of the enabled flag
36 may be changed during the lifetime of auditd using 'auditctl
37 -e'.
38 -c Specify alternate config file directory. Note that this same
40 directory will be passed to the dispatcher. (default:
41 /etc/audit/)
42
44 SIGHUP causes auditd to reconfigure. This means that auditd re-reads
45 the configuration file. If there are no syntax errors, it will
46 proceed to implement the requested changes. If the reconfigure
47 is successful, a DAEMON_CONFIG event is recorded in the logs. If
48 not successful, error handling is controlled by
49 space_left_action, admin_space_left_action, disk_full_action,
50 and disk_error_action parameters in auditd.conf.
51 SIGTERM
54 caused auditd to discontinue processing audit events, write a
55 shutdown audit event, and exit.
56 SIGUSR1
59 causes auditd to immediately rotate the logs. It will consult
60 the max_log_file_action to see if it should keep the logs or
61 not.
62 SIGUSR2
65 causes auditd to attempt to resume logging and passing events to
66 plugins. This is usually needed after logging has been suspended
67 or the internal queue is overflowed. Either of these conditions
68 depends on the applicable configuration settings.
69 SIGCONT
71 causes auditd to dump a report of internal state to
72 /var/run/auditd.state.
73
76 /etc/audit/auditd.conf - configuration file for audit daemon
77 /etc/audit/audit.rules - audit rules to be loaded at startup
79 /etc/audit/rules.d/ - directory holding individual sets of rules to be
81 compiled into one file by augenrules.
82 /etc/audit/plugins.d/ - directory holding individual plugin configura‐
84 tion files.
85 /var/run/auditd.state - report about internal state.
87
90 A boot param of audit=1 should be added to ensure that all processes
91 that run before the audit daemon starts is marked as auditable by the
92 kernel. Not doing that will make a few processes impossible to properly
93 audit.
94 The audit daemon can receive audit events from other audit daemons via
96 the audisp-remote plugin. The audit daemon may be linked with tcp_wrap‐
97 pers to control which machines can connect. If this is the case, you
98 can add an entry to hosts.allow and deny.
99
102 auditd.conf(5), auditd-plugins(5), ausearch(8), aureport(8),
103 auditctl(8), augenrules(8), audit.rules(7).
104
107 Steve Grubb
108Red Hat Sept 2013 AUDITD(8)