1AUDITD(8) System Administration Utilities AUDITD(8)
2
6 auditd - The Linux Audit daemon
7
9 auditd [-f] [-l] [-n] [-s disable|enable|nochange] [-c <config_dir>]
10
12 auditd is the userspace component to the Linux Auditing System. It's
13 responsible for writing audit records to the disk. Viewing the logs is
14 done with the ausearch or aureport utilities. Configuring the audit
15 system or loading rules is done with the auditctl utility. During
16 startup, the rules in /etc/audit/audit.rules are read by auditctl and
17 loaded into the kernel. Alternately, there is also an augenrules pro‐
18 gram that reads rules located in /etc/audit/rules.d/ and compiles them
19 into an audit.rules file. The audit daemon itself has some configura‐
20 tion options that the admin may wish to customize. They are found in
21 the auditd.conf file.
22
24 -f leave the audit daemon in the foreground for debugging. Messages
25 also go to stderr rather than the audit log.
26 -l allow the audit daemon to follow symlinks for config files.
28 -n no fork. This is useful for running off of inittab or systemd.
30 -s=ENABLE_STATE
32 specify when starting if auditd should change the current value
33 for the kernel enabled flag. Valid values for ENABLE_STATE are
34 "disable", "enable" or "nochange". The default is to enable (and
35 disable when auditd terminates). The value of the enabled flag
36 may be changed during the lifetime of auditd using 'auditctl
37 -e'.
38 -c Specify alternate config file directory. Note that this same di‐
40 rectory will be passed to the dispatcher. (default: /etc/audit/)
41
43 SIGHUP causes auditd to reconfigure. This means that auditd re-reads
44 the configuration file. If there are no syntax errors, it will
45 proceed to implement the requested changes. If the reconfigure
46 is successful, a DAEMON_CONFIG event is recorded in the logs. If
47 not successful, error handling is controlled by space_left_ac‐
48 tion, admin_space_left_action, disk_full_action, and disk_er‐
49 ror_action parameters in auditd.conf.
50 SIGTERM
53 caused auditd to discontinue processing audit events, write a
54 shutdown audit event, and exit.
55 SIGUSR1
58 causes auditd to immediately rotate the logs. It will consult
59 the max_log_file_action to see if it should keep the logs or
60 not.
61 SIGUSR2
64 causes auditd to attempt to resume logging and passing events to
65 plugins. This is usually needed after logging has been suspended
66 or the internal queue is overflowed. Either of these conditions
67 depends on the applicable configuration settings.
68 SIGCONT
70 causes auditd to dump a report of internal state to /var/run/au‐
71 ditd.state.
72
75 1 Cannot adjust priority, daemonize, open audit netlink, write the
76 pid file, start up plugins, resolve the machine name, set audit
77 pid, or other initialization tasks.
78 2 Invalid or excessive command line arguments
81 4 The audit daemon doesn't have sufficient privilege
84 6 There is an error in the configuration file
87
90 /etc/audit/auditd.conf - configuration file for audit daemon
91 /etc/audit/audit.rules - audit rules to be loaded at startup
93 /etc/audit/rules.d/ - directory holding individual sets of rules to be
95 compiled into one file by augenrules.
96 /etc/audit/plugins.d/ - directory holding individual plugin configura‐
98 tion files.
99 /var/run/auditd.state - report about internal state.
101
104 A boot param of audit=1 should be added to ensure that all processes
105 that run before the audit daemon starts is marked as auditable by the
106 kernel. Not doing that will make a few processes impossible to properly
107 audit.
108 The audit daemon can receive audit events from other audit daemons via
110 the audisp-remote plugin. The audit daemon may be linked with tcp_wrap‐
111 pers to control which machines can connect. If this is the case, you
112 can add an entry to hosts.allow and deny.
113
116 auditd.conf(5), auditd-plugins(5), ausearch(8), aureport(8), au‐
117 ditctl(8), augenrules(8), audit.rules(7).
118
121 Steve Grubb
122Red Hat Sept 2021 AUDITD(8)