auditd man page on SunOS

Man page or keyword search:  
man Server   20652 pages
apropos Keyword Search (all sections)
Output format
SunOS logo
[printable version]

auditd(1M)		System Administration Commands		    auditd(1M)

NAME
       auditd - audit daemon

SYNOPSIS
       /usr/sbin/auditd

DESCRIPTION
       The audit daemon, auditd, controls the generation and location of audit
       trail files and the generation of syslog messages based on the  defini‐
       tions  in  audit_control(4).  If	 auditing is enabled, auditd reads the
       audit_control(4) file to do the following:

	   o	  reads the path to a library module for  realtime  conversion
		  of audit data into syslog messages;

	   o	  reads	 other	parameters  specific to the selected plugin or
		  plugins;

	   o	  obtains a list of directories into which audit files can  be
		  written;

	   o	  obtains  the	percentage limit for how much space to reserve
		  on each filesystem before changing to the next directory.

       audit(1M) is used to control auditd. It can cause auditd to:

	   o	  close the current audit file and open a new one;

	   o	  close	  the	current	  audit	  file,	  re-read   /etc/secu‐
		  rity/audit_control and open a new audit file;

	   o	  close the audit trail and terminate auditing.

   Auditing Conditions
       The audit daemon invokes the program audit_warn(1M) under the following
       conditions with the indicated options:

       audit_warn soft pathname

	   The file system upon which pathname resides has exceeded the	 mini‐
	   mum	free  space  limit  defined  in audit_control(4).  A new audit
	   trail has been opened on another file system.

       audit_warn allsoft

	   All available file systems have been filled beyond the minimum free
	   space limit. A new audit trail has been opened anyway.

       audit_warn hard pathname

	   The	file system upon which pathname resides has filled or for some
	   reason become unavailable. A new audit trail	 has  been  opened  on
	   another file system.

       audit_warn allhard count

	   All	available  file	 systems  have	been filled or for some reason
	   become unavailable. The audit  daemon  will	repeat	this  call  to
	   audit_warn  at  intervals  of  at  least twenty seconds until space
	   becomes available. count is the number of times that audit_warn has
	   been called since the problem arose.

       audit_warn ebusy

	   There is already an audit daemon running.

       audit_warn tmpfile

	   The	file  /etc/security/audit/audit_tmp exists, indicating a fatal
	   error.

       audit_warn nostart

	   The internal system audit condition is AUC_FCHDONE. Auditing cannot
	   be started without rebooting the system.

       audit_warn auditoff

	   The	internal  system  audit	 condition  has been changed to not be
	   AUC_AUDITING by someone other than the audit	 daemon.  This	causes
	   the audit daemon to exit.

       audit_warn postsigterm

	   An  error occurred during the orderly shutdown of the auditing sys‐
	   tem.

       audit_warn getacdir

	   There is a problem  getting	the  directory	list  from  /etc/secu‐
	   rity/audit/audit_control.

	   The	audit  daemon  will  hang  in  a sleep loop until this file is
	   fixed.

FILES
       /etc/security/audit/audit_control

       /etc/security/audit/audit_data

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE	     │	    ATTRIBUTE VALUE	   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability		     │SUNWcsu			   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability	     │Evolving			   │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       audit(1M),  audit_warn(1M),   bsmconv(1M),   praudit(1M),   auditon(2),
       auditsvc(2),	audit.log(4),	  audit_control(4),	audit_data(4),
       attributes(5)

       See the section on Solaris Auditing  in	System	Administration	Guide:
       Security Services.

NOTES
       The  functionality  described in this man page is available only if the
       Solaris Auditing feature has been enabled.  See	bsmconv(1M)  for  more
       information.

       auditd  is  loaded  in  the  global  zone  at  boot time if auditing is
       enabled. See bsmconv(1M).

       If the audit policy perzone is set, auditd runs in each zone,  starting
       automatically  when the local zone boots. If a zone is running when the
       perzone policy is set, auditing	must  be  started  manually  in	 local
       zones.  It  is  not necessary to reboot the system or the local zone to
       start  auditing	in  a  local  zone.  auditd  can   be	started	  with
       "/usr/sbin/audit	 -s" and will start automatically with future boots of
       the zone.

       When auditd runs in a local zone, the configuration is taken  from  the
       local	zone's	 /etc/security	 directory's   files:	audit_control,
       audit_class, audit_user, audit_startup, and audit_event.

       Configuration changes do not affect audit sessions that	are  currently
       running, as the changes do not modify a process's preselection mask. To
       change the preselection mask on a running process,  use	the  -setpmask
       option  of  the	auditconfig command (see auditconfig(1M)). If the user
       logs out and logs back  in,  the	 new  configuration  changes  will  be
       reflected in the next audit session.

SunOS 5.10			  8 May 2008			    auditd(1M)
[top]

List of man pages available for SunOS

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net