AUDITD(8)               System Administration Utilities              AUDITD(8)

NAME

       auditd - The Linux Audit daemon

SYNOPSIS

       auditd [-f] [-l] [-n]

DESCRIPTION

       auditd is the userspace component to the Linux Auditing System. It's
       responsible for writing audit records to the disk. Viewing the logs is
       done with the ausearch or aureport utilities. Configuring the audit
       rules is done with the auditctl utility. During startup, the rules in
       /etc/audit.rules are read by auditctl. The audit daemon itself has some
       configuration options that the admin may wish to customize. They are
       found in the auditd.conf file.

OPTIONS

       -f     Leave the audit daemon in the foreground for debugging. Messages
              also go to stderr rather than the audit log.

       -l     Allow the audit daemon to follow symlinks for config files.

       -n     No fork. This is useful for running off of inittab.

SIGNALS

       SIGHUP
              causes auditd to reconfigure. This means that auditd re-reads
              the configuration file. If there are no syntax errors, it will
              proceed to implement the requested changes. If the reconfigure
              is successful, a DAEMON_CONFIG event is recorded in the logs. If
              not successful, error handling is controlled by the
              space_left_action, admin_space_left_action, disk_full_action,
              and disk_error_action parameters in auditd.conf.

       SIGTERM
              causes auditd to discontinue processing audit events, write a
              shutdown audit event, and exit.

       SIGUSR1
              causes auditd to immediately rotate the logs. It will consult
              the max_log_size_action to see if it should keep the logs or
              not.
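       Added example, not part of the audit package: each signal above
       leaves a daemon record in the audit log, so a log review can show
       when auditd was reconfigured, rotated or stopped. The record types
       other than DAEMON_CONFIG come from the audit record type list, not
       from this page; the sample records and function names are constructed.

```shell
#!/bin/sh
# Added example: summarize auditd lifecycle records found in an audit log.
# The sample records are constructed; field layout varies between versions.

sample_log() {
    cat <<'EOF'
type=DAEMON_START msg=audit(1170000000.100:1): auditd start, res=success
type=SYSCALL msg=audit(1170000050.200:2): arch=40000003 syscall=5 success=yes exit=3
type=DAEMON_CONFIG msg=audit(1170000100.300:3): auditd reconfigure, res=failed
type=DAEMON_ROTATE msg=audit(1170000200.400:4): auditd rotate, res=success
type=DAEMON_END msg=audit(1170000300.500:5): auditd normal halt, res=success
EOF
}

# daemon_events FILE: print "epoch type result" for each DAEMON_* record.
daemon_events() {
    awk '
        /^type=DAEMON_(START|CONFIG|ROTATE|END|ABORT) / {
            type = substr($1, 6)              # drop the "type=" prefix
            ts = $2                           # msg=audit(EPOCH.MSEC:SERIAL):
            sub(/^msg=audit\(/, "", ts)
            sub(/[.:].*/, "", ts)             # keep whole seconds only
            res = "unknown"
            for (i = 3; i <= NF; i++)
                if ($i ~ /^res=/) res = substr($i, 5)
            print ts, type, res
        }' "$1"
}

# review_events FILE: keep the records worth a second look: the daemon
# stopping (SIGTERM), aborting, or a SIGHUP reconfigure that did not succeed.
review_events() {
    daemon_events "$1" | awk '
        $2 == "DAEMON_END" || $2 == "DAEMON_ABORT" { print; next }
        $2 == "DAEMON_CONFIG" && $3 != "success"   { print }'
}

# Demonstration on the constructed sample; point it at a real log instead.
log=$(mktemp)
sample_log > "$log"
review_events "$log"
rm -f "$log"
```

       On a live system the same functions can be run against the audit
       log written by auditd.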

FILES

       /etc/audit/auditd.conf - configuration file for audit daemon

       /etc/audit/audit.rules - audit rules to be loaded at startup

NOTES

       A boot parameter of audit=1 should be added to ensure that all
       processes that run before the audit daemon starts are marked as
       auditable by the kernel. Not doing that will make a few processes
       impossible to properly audit.

SEE ALSO

       auditd.conf(5), ausearch(8), aureport(8), auditctl(8).

AUTHOR

       Steve Grubb

Red Hat                            Feb 2007                          AUDITD(8)