auditd man page on Ultrix


auditd(8)							     auditd(8)

       auditd - audit daemon

       /etc/sec/auditd [ options ...  ]

       The  audit  daemon  operates  as  a server, monitoring for local audit
       data, monitoring a known port for data from  remote  cooperating	 audit
       daemons,	 and  monitoring  an  AF_UNIX socket for input from the system

       Local audit data is read from the device.  Data read from  is  buffered
       by  the	audit daemon, and eventually output into the auditlog when the
       buffer nears capacity or the daemon receives  an	 explicit  instruction
       from the administrator to flush its buffer.

       Local  administrative data is read via the socket Input from the system
       administrator allows for changing of the daemon's configurable options.
       The  administrator communicates with the audit daemon by executing with
       the desired options.  The first invocation of spawns the daemon; subse‐
       quent  invocations  detect that an audit daemon already exists and will
       communicate with it, passing along directions for the selected options.
       The  first invocation of the daemon also turns on auditing for the sys‐
       tem ( When the daemon is terminated, by the -k option  or  the  SIGTERM
       signal,	auditing  is  turned  off.  It is important not to have system
       auditing turned on when there is no audit daemon running on the	system
       (processes  being  audited will sleep until is read, which is typically
       done by the audit daemon).

       Remote audit data is  first  detected  when  the	 remote	 audit	daemon
       attempts	 to  communicate  with the local audit daemon.	To establish a
       communications path between the	remote	and  the  local	 daemons,  the
       remote audit daemon's hostname is first checked against a list of hosts
       allowed to transmit data to the local host.  This list is maintained in
       If the remote host is allowed to transfer audit data to the local host,
       a child audit daemon dedicated to communicating with the remote host is

       -a	   Toggle the KERBEROS switch.	If on, KERBEROS authentication
		   routines will be used to verify the identity of  any	 audit
		   daemons attempting to communicate.  This occurs either when
		   sending to a remote host (by the -i	option)	 or  accepting
		   from remote hosts (by the -s option).

       -b alternate_pathname
		   Sets	 the pathname to which the audit daemon will write its
		   data should the location currently  accepting  data	become
		   unavailable.	  This	can happen should the current location
		   specify a remote host which is no longer available, or when
		   the	filesystem of the current location reaches an overflow
		   condition (in this case, the alternate pathname must	 spec‐
		   ify a partition other than the currently overflowing parti‐

       -c pathname Sets the pathname to which the audit daemon will  post  any
		   warning  or	informational  messages	 (such	as  "audit log
		   change").  This may be either a device or local file.

       -d	   Causes the audit daemon  to	dump  its  currently  buffered
		   audit  data out to The audit daemon normally dumps its buf‐
		   fer only when it approaches capacity.

       -f percentage
		   Sets the minimum percent free space on the  current	parti‐
		   tion before an overflow condition is triggered.

       -h	   Outputs a brief help menu.

       -i hostname Causes  the	audit daemon to transfer its audit data to the
		   audit daemon executing on the remote host hostname.	If the
		   remote  site	 stops	receiving, the local daemon will store
		   its data locally (in alternate_pathname if available).

       -k	   Kills the audit daemon  (killing  the  local	 daemon	 turns
		   audit off).

       -l pathname Causes  the	audit  daemon  to output its audit data to the
		   local file pathname.

       -n kbytes   Sets the size of the audit daemon's buffer  for  the	 audit
		   data (minimum is 4).

       -o overflow action
		   Sets	 the  system action to take on a local overflow condi‐
		   tion.  Alternatives are a) use the alternate log  specified
		   via	-b  option,  b)	 shut down the system, c) switch to the
		   root-mounted filesystem with the most free space,  d)  sus‐
		   pend	 auditing  until space is made available, and e) over‐
		   write the current auditlog.

       -p daemon id
		   Specifies the id of the audit daemon to receive the current
		   options.   When the local audit daemon accepts a connection
		   to receive data from a remote  audit	 daemon,  a  dedicated
		   child audit daemon is spawned off from the local audit dae‐
		   mon to service that connection.  With this scenario, multi‐
		   ple audit daemons may exist on a single system.  Specifying
		   the id of the allows for  communication  with  one  of  the
		   child  audit	 daemons.  The id for each daemon can be found
		   by entering the following at the command line:
		   /etc/sec/auditd -?
		   The previous command line displays the current options.  No
		   ids	 are  displayed unless at least one child audit daemon
		   exists.  If the -p option is	 not  specified	 when  running
		   with more than one audit daemon, the master daemon (accept‐
		   ing audit data for the local system) handles	 the  request.
		   When the master daemon is killed, it kills all of its child

       -q	   Queries the audit daemon for the current  location  of  the
		   audit data.

       -s	   Toggles the network server switch.  If on, allows the audit
		   daemon to accept audit data from other audit daemons	 whose
		   hostnames are specified in the file.

       -t timeout value
		   Sets the timeout value used in establishing initial connec‐
		   tions with remote audit daemons.

       -x	   Auditlog pathnames are always appended with a  suffix  con‐
		   sisting  of	a generation number.  These generation numbers
		   range from 0 to 999.	 (Generation numbers may be overridden
		   via	explicit  generation number specification on the path‐
		   name for the -lfR option, for example  auditlog.345).   The
		   -x  option causes a change in auditlog to the next auditlog
		   in the generation number sequence.  (If the current log was
		   auditlog.345,  then	-x  would  change  the	log  to audit‐
		   log.346).  Whenever an auditlog is closed, it is also  com‐
		   pressed (by

       -z	   Removes any AF_UNIX sockets left by previous daemons.  This
		   occurs when the system shuts down abnormally.  This	option
		   is  useful typically only for the invocation from the file.
		   If no AF_UNIX socket is present,  the  next	invocation  of
		   will	 start	the  daemon.  If an AF_UNIX socket is present,
		   the next invocation of will spawn a	client	process	 which
		   will	 communicate  with  the	 system audit daemon.  This -z
		   option removes any leftover AF_UNIX sockets, forcing a  new
		   audit  daemon  to  start.  This should be used only when no
		   audit daemon is present on the system.

       -?	   Shows the current status of the audit daemon's options.
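
The following is an added example, not part of the original man page and not the daemon's own logic: a monitoring helper an administrator could run alongside auditd to see whether the partition holding the auditlog is below a -f style minimum-free percentage, and which filesystem has the most free space (the choice described for overflow action c under -o). It assumes POSIX `df -P -k` column layout, computes percent free as available / (used + available), and treats every listed filesystem as a candidate; the sample table, mount points and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in `df -P -k` layout (not captured from a real system).
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/ra0a 30000 21000 9000 70% /
/dev/ra0g 200000 188000 12000 94% /usr
/dev/ra1c 400000 100000 300000 25% /var/adm'

# free_pct MOUNTPOINT
# Reads df -P -k output on stdin and prints the integer percent of free
# space for MOUNTPOINT. Exits non-zero if the mount point is not listed.
free_pct() {
    awk -v mp="$1" '
        NR > 1 && $6 == mp { printf "%d\n", ($4 * 100) / ($3 + $4); found = 1 }
        END { exit (found ? 0 : 1) }'
}

# is_overflow MOUNTPOINT MIN_FREE_PCT
# Succeeds (status 0) when free space on MOUNTPOINT is below MIN_FREE_PCT,
# i.e. the condition the -f percentage is described as guarding against.
# Returns 2 when the mount point is unknown, so "unknown" is never read
# as "healthy" by a caller that only checks for status 1.
is_overflow() {
    pct=$(free_pct "$1") || return 2
    [ "$pct" -lt "$2" ]
}

# most_free_mount
# Reads df -P -k output on stdin and prints the mount point with the most
# available kbytes (assumption: all listed filesystems are eligible).
most_free_mount() {
    awk '
        NR > 1 && ($4 + 0) > (best + 0) { best = $4; mp = $6 }
        END { if (mp != "") print mp; else exit 1 }'
}

# Stand-alone demonstration on the constructed sample.
for m in / /usr /var/adm; do
    if printf '%s\n' "$SAMPLE_DF" | is_overflow "$m" 10; then
        echo "$m: below 10% free, overflow condition"
    else
        echo "$m: ok"
    fi
done
echo "most free: $(printf '%s\n' "$SAMPLE_DF" | most_free_mount)"
```

On a live system, replace the constructed sample with the output of `df -P -k` and the threshold with the value given to -f.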

See Also
       audcntl(2), audit(4)

