auditd(1M)              System Administration Commands              auditd(1M)

NAME

       auditd - audit daemon

SYNOPSIS

       /usr/sbin/auditd

DESCRIPTION

       The audit daemon, auditd, controls the generation and location of audit
       trail files and the generation of syslog messages based on the
       definitions in audit_control(4). If auditing is enabled, auditd reads
       the audit_control file to do the following:

           o      reads the path to a library module for realtime conversion
                  of audit data into syslog messages;

           o      reads other parameters specific to the selected plugin or
                  plugins;

           o      obtains a list of directories into which audit files can be
                  written;

           o      obtains the percentage limit for how much space to reserve
                  on each filesystem before changing to the next directory.

       audit(1M) is used to control auditd. It can cause auditd to:

           o      close the current audit file and open a new one;

           o      close the current audit file, re-read
                  /etc/security/audit_control and open a new audit file;

           o      close the audit trail and terminate auditing.

   Auditing Conditions
       The audit daemon invokes the program audit_warn(1M) under the following
       conditions with the indicated options:

       audit_warn soft pathname

           The file system upon which pathname resides has exceeded the
           minimum free space limit defined in audit_control(4). A new audit
           trail has been opened on another file system.

       audit_warn allsoft

           All available file systems have been filled beyond the minimum free
           space limit. A new audit trail has been opened anyway.

       audit_warn hard pathname

           The file system upon which pathname resides has filled or for some
           reason become unavailable. A new audit trail has been opened on
           another file system.

       audit_warn allhard count

           All available file systems have been filled or for some reason
           become unavailable. The audit daemon will repeat this call to
           audit_warn at intervals of at least twenty seconds until space
           becomes available. count is the number of times that audit_warn has
           been called since the problem arose.

       audit_warn ebusy

           There is already an audit daemon running.

       audit_warn tmpfile

           The file /etc/security/audit/audit_tmp exists, indicating a fatal
           error.

       audit_warn nostart

           The internal system audit condition is AUC_FCHDONE. Auditing cannot
           be started without rebooting the system.

       audit_warn auditoff

           The internal system audit condition has been changed to not be
           AUC_AUDITING by someone other than the audit daemon. This causes
           the audit daemon to exit.

       audit_warn postsigterm

           An error occurred during the orderly shutdown of the auditing
           system.

       audit_warn getacdir

           There is a problem getting the directory list from
           /etc/security/audit/audit_control.

           The audit daemon will hang in a sleep loop until this file is
           fixed.
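The conditions above can be triaged by a site-specific handler so that repeated allhard calls do not flood operators while auditoff is never missed. The sketch below is an added example, not the Solaris audit_warn script; the function name audit_warn_triage, the syslog priorities, the ALLHARD_EVERY throttle and the message texts are assumptions.

```shell
#!/bin/sh
# Added example: triage of audit_warn invocations (not the Solaris script).
# Prints "<syslog priority>|<message>" or "suppress|<reason>";
# returns 2 on malformed or unknown input.
# Priorities and the throttle value are assumed site policy.

ALLHARD_EVERY=15   # assumption: re-alert on every 15th allhard call
                   # (calls are at least 20 s apart, so >= 5 minutes)

audit_warn_triage() {
    cond=$1
    arg=${2-}
    case $cond in
        soft|hard)
            # both conditions carry the pathname of the affected directory
            [ -n "$arg" ] || { echo "daemon.err|$cond without pathname"; return 2; }
            if [ "$cond" = soft ]; then
                echo "daemon.warning|minfree exceeded on $arg; trail moved"
            else
                echo "daemon.alert|$arg full or unavailable; trail moved"
            fi ;;
        allsoft)
            echo "daemon.alert|all audit file systems past minfree; trail opened anyway" ;;
        allhard)
            # count must be a positive decimal integer without leading zero
            case $arg in
                ''|*[!0-9]*|0*) echo "daemon.err|allhard with bad count '$arg'"; return 2 ;;
            esac
            if [ "$arg" -eq 1 ] || [ $((arg % ALLHARD_EVERY)) -eq 0 ]; then
                echo "daemon.emerg|no audit file system writable (call $arg)"
            else
                echo "suppress|allhard repeat $arg"
            fi ;;
        auditoff)
            # auditing was switched off by something other than auditd
            echo "auth.crit|audit condition changed outside auditd; daemon exiting" ;;
        tmpfile|nostart|getacdir)
            echo "daemon.crit|auditd cannot run: $cond" ;;
        ebusy|postsigterm)
            echo "daemon.err|auditd reported $cond" ;;
        *)
            echo "daemon.err|unknown audit_warn condition '$cond'"; return 2 ;;
    esac
}
```

The part before the "|" can be handed to logger -p, with "suppress" results dropped.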

FILES

       /etc/security/audit/audit_control

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWcsu                      │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Committed                    │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO

       audit(1M), audit_warn(1M), bsmconv(1M), praudit(1M), auditon(2),
       audit.log(4), audit_control(4), attributes(5)

       See the section on Solaris Auditing in System Administration Guide:
       Security Services.

NOTES

       The functionality described in this man page is available only if the
       Solaris Auditing feature has been enabled. See bsmconv(1M) for more
       information.

       auditd is loaded in the global zone at boot time if auditing is
       enabled. See bsmconv(1M).

       If the audit policy perzone is set, auditd runs in each zone, starting
       automatically when the local zone boots. If a zone is running when the
       perzone policy is set, auditing must be started manually in local
       zones. It is not necessary to reboot the system or the local zone to
       start auditing in a local zone. auditd can be started with
       "/usr/sbin/audit -s" and will start automatically with future boots of
       the zone.

       When auditd runs in a local zone, the configuration is taken from the
       local zone's /etc/security directory's files: audit_control,
       audit_class, audit_user, audit_startup, and audit_event.

       Configuration changes do not affect audit sessions that are currently
       running, as the changes do not modify a process's preselection mask. To
       change the preselection mask on a running process, use the -setpmask
       option of the auditconfig command (see auditconfig(1M)). If the user
       logs out and logs back in, the new configuration changes will be
       reflected in the next audit session.

SunOS 5.11                        29 Apr 2008                       auditd(1M)