Auditd collects audit records generated by the kernel system call audit
mechanism, and writes them to disk.
It supports several log destination types: file mode, streaming mode,
and binfile mode. One or more log destinations can be configured in
In file mode, data is written much the same way as syslogd(8) does it:
records are appended to a file that is allowed to grow without bound
until culled by the administrator. Culling may happen either by
truncating the file, or by moving it aside and sending the daemon the
hangup signal (SIGHUP). Truncating discards the records in the file;
moving it aside preserves them for archiving.
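The culling procedure described above (move the log aside, then SIGHUP the daemon), as an added example that is not part of the LAuS man page. The timestamped archive name, the chmod and the use of pidof are this example's assumptions:

```shell
#!/bin/sh
# Added example, not part of the LAuS man page: cull a file-mode audit log
# by moving it aside and sending auditd SIGHUP so that it reopens the log
# path, as the text above describes. The archive naming, the chmod and
# the use of pidof below are this example's assumptions.

# rotate_audit_log LOGFILE PID
# Moves LOGFILE to LOGFILE.<UTC timestamp>, tightens its permissions and
# then sends SIGHUP to PID. Prints the archived path on success. Returns
# 1 without signalling the daemon if the log is missing or the rename
# fails, so the daemon is never told to reopen a file that was not
# preserved.
rotate_audit_log() {
    logfile=$1
    pid=$2
    if [ ! -f "$logfile" ]; then
        echo "rotate_audit_log: $logfile is not a regular file" >&2
        return 1
    fi
    archived="$logfile.$(date -u +%Y%m%dT%H%M%SZ)"
    if [ -e "$archived" ]; then
        echo "rotate_audit_log: $archived already exists" >&2
        return 1
    fi
    if ! mv "$logfile" "$archived"; then
        return 1
    fi
    # Audit trails carry sensitive data; keep the archive root-only.
    if ! chmod 0600 "$archived"; then
        return 1
    fi
    # SIGHUP makes auditd close the moved file and reopen the log path.
    if ! kill -HUP "$pid"; then
        echo "rotate_audit_log: could not signal pid $pid" >&2
        return 1
    fi
    echo "$archived"
}

# Typical invocation against the default file-mode path (assumed here):
#   rotate_audit_log /var/log/audit "$(pidof auditd)"
```

The order matters: the rename happens before the signal, so records written between the two steps still land in the moved file, and the daemon only ever creates a fresh log once the old one is safely out of the way.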
If any error occurs when writing to the file, auditd will go into error
mode. Depending on the configuration, auditd can perform different
actions in response to an error, ranging from totally ignoring it to
halting the system.
If no log destinations are specified in auditd.conf, file mode will be
used to write the audit trail to /var/log/audit.
Streaming mode is much like file mode, except that the data is sent to
an external command on its standard input. This allows forwarding audit
data to other hosts via arbitrary mechanisms (including stunnel, ssh,
In this mode, data is sent to two or more "bin files" (bin as in
bucket, not as an abbreviation for binary). These files are pre-created
with a fixed size, and auditd writes to these files in turn. When
reaching the end of one file, it switches to the next, and having
reached the last file it starts over at the beginning, zeroing out any
previous audit records in that file.
The advantage of bin mode is that the audit daemon will never stop,
waiting for the administrator to provide additional file system space.
The obvious disadvantage however is that older audit records will
eventually be overwritten.
To preserve records before they are overwritten, a bin processing
command can be specified. auditd invokes this command with the name of
the bin file as its argument. If the command exits with any status
other than 0, auditd goes into error handling mode.
In bin mode, it is advisable to have several medium-sized files rather
than two huge ones, because auditd zeroes a file before it starts
writing new audit records to it.
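A bin processing command of the kind described above, as an added example that is not part of the LAuS man page. It archives the bin file it is handed and returns a non-zero status on any failure, which is what drives auditd into error handling mode; the archive directory, the byte-for-byte verification and the digest file are this example's assumptions:

```shell
#!/bin/sh
# Added example, not part of the LAuS man page: a bin processing command
# for binfile mode. auditd runs it with the path of a bin file as its
# only argument, and treats any exit status other than 0 as an error.
# The archive directory, the verification step and the digest file are
# this example's assumptions, not behaviour documented by the page.

# archive_bin BINFILE ARCHIVE_DIR
# Copies BINFILE into ARCHIVE_DIR under a timestamped name, verifies the
# copy and records a SHA-256 digest beside it. Prints the archived path
# and returns 0 on success. Every failure returns 1, which sends auditd
# into error handling mode instead of letting it zero a bin that was
# never preserved.
archive_bin() {
    binfile=$1
    archive_dir=$2
    if [ ! -f "$binfile" ]; then
        echo "archive_bin: $binfile is not a regular file" >&2
        return 1
    fi
    if ! mkdir -p "$archive_dir"; then
        return 1
    fi
    dest="$archive_dir/$(basename "$binfile").$(date -u +%Y%m%dT%H%M%SZ)"
    if [ -e "$dest" ]; then
        echo "archive_bin: $dest already exists, refusing to overwrite" >&2
        return 1
    fi
    # Copy under a temporary name so that a partial copy is never taken
    # for a complete archive, then compare byte for byte before committing.
    if ! cp "$binfile" "$dest.part"; then
        rm -f "$dest.part"
        return 1
    fi
    if ! cmp -s "$binfile" "$dest.part"; then
        echo "archive_bin: copy of $binfile does not match the source" >&2
        rm -f "$dest.part"
        return 1
    fi
    if ! chmod 0600 "$dest.part" || ! mv "$dest.part" "$dest"; then
        rm -f "$dest.part"
        return 1
    fi
    # A digest lets later tampering with the archived bin be detected.
    if command -v sha256sum >/dev/null 2>&1; then
        if ! (cd "$archive_dir" && sha256sum "$(basename "$dest")" > "$(basename "$dest").sha256"); then
            return 1
        fi
    fi
    echo "$dest"
}

# When installed as the bin processing command, auditd supplies the bin
# file path as $1; the archive directory below is an assumed location.
if [ -n "${1:-}" ]; then
    archive_bin "$1" "${AUDIT_ARCHIVE_DIR:-/var/log/audit-archive}"
fi
```

The archive name carries only second granularity, so the refusal to overwrite an existing name is the safeguard against two bins being handed over within the same second; with several medium-sized bins, as the text recommends, that is unlikely but still worth failing loudly on rather than silently losing a bin.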
When auditd encounters an error while writing to a file, or if the bin
This is the list of options recognized by auditd.
-r Reload the system call filters in the kernel without interrupting
collection of audit events. This is better than restarting the daemon,
because no audit events are lost. (Note: This only reloads the filter
rules, not the whole configuration of the
-F Run in foreground, and log all error diagnostics and debug messages
to standard error rather than to syslog.
-d Enable debugging messages. Specifying this option repeatedly
will increase verbosity.
/sbin/auditd - audit daemon
/etc/audit/audit.conf - default daemon configuration
/etc/audit/filter.conf - default filter configuration
laus(7), audit(4), auditd.conf(5), aucat(8), augrep(8).
auditd was written by Olaf Kirch <firstname.lastname@example.org>
21 May 2003 auditd(8)