SGI Techpubs Library

Linux  »  Man Pages
find in page



       auditd [OPTION]...


       Auditd collects audit records generated by the kernel system call audit
       mechanism, and writes them to disk.

       It supports several log destination types: file mode,  streaming  mode,
       and  binfile  mode.  One  or more log destinations can be configured in

   File Mode
       In file mode, data is written pretty much the same  way  as  syslogd(8)
       does, i.e. records are appended to a file that is allowed to grow arbi-
       trarily until culled by the administrator.  Culling may  happen  either
       by  truncating  the  file, or by moving it aside and sending the daemon
       the hangup signal (SIGHUP).

       If any error occurs when writing to the file, auditd will go into error
       mode.  Depending  on  the  configuration,  auditd can perform different
       actions in response to an error, ranging from totally  ignoring  it  to
       halting the system.

       If  no log destinations are specified in auditd.conf, file mode will be
       used to write the audit trail to /var/log/audit.

   Streaming Mode
       Streaming mode is pretty much like file mode, except that data is  sent
       to  an external command on standard input. This allows forwarding audit
       data to other hosts via arbitrary mechanisms (including  stunnel,  ssh,

   Bin Mode
       In  this  mode,  data  is  sent  to  two or more "bin files" (bin as in
       bucket, not as an abbreviation for binary). These files are pre-created
       with  a  fixed  size,  and  auditd  writes to these files in turn. When
       reaching the end of one file, it  switches  to  the  next,  and  having
       reached  the last file it starts over at the beginning, zeroing out any
       previous audit records in that file.

       The advantage of bin mode is that the audit  daemon  will  never  stop,
       waiting  for  the adminstrator to provide additional file system space.
       The obvious disadvantage however is that older audit  records  will  be
       overwritten at some point in time.

       Therefore, a bin processing command can be specified. This command will
       be invoked by auditd with the name of the bin file as argument. If  the
       command  terminates other than with an exit status of 0, auditd will go
       into error handling mode.

       In bin mode, it is advisable to have several medium sized files  rather
       than two huge files, because auditd will zero a file before starting to
       write new audit records to it.

   Error Handling
       When auditd encounters an error while writing to a file, or if the  bin


       This is the list of options recognized by auditd.

       -r     Reload the system call filters in the kernel without  interrupt-
              ing  collection  of audit events. This is better than restarting
              the daemon, because no audit events will be  lost.  (Note:  This
              just reloads the filter-rules not the whole configuration of the

       -F     Run in foreground, and log all error diagnostics and debug  mes-
              sages to standard error rather than to syslog.

       -d     Enable  debugging  messages.  Specifying  this option repeatedly
              will increase verbosity.


       /sbin/auditd - audit daemon

       /etc/audit/audit.conf - default daemon configuration

       /etc/audit/filter.conf - default filter configuration


       laus(7), audit(4), auditd.conf(5), aucat(8), augrep(8).


       auditd was written by Olaf Kirch <>

                                  21 May 2003                        auditd(8)

Output converted with man2html

home/search | what's new | help