Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   3690 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

auditd(8)							     auditd(8)

Name
       auditd - audit daemon

Syntax
       /etc/sec/auditd [ options ...  ]

Description
       The  audit  daemon,  operates  as  a server, monitoring for local audit
       data, monitoring a known port for data from  remote  cooperating	 audit
       daemons,	 and  monitoring  an  AF_UNIX socket for input from the system
       administrator.

       Local audit data is read from the device.  Data read from  is  buffered
       by  the	audit daemon, and eventually output into the auditlog when the
       buffer nears capacity or the daemon receives  an	 explicit  instruction
       from the administrator to flush its buffer.

       Local  administrative data is read via the socket Input from the system
       administrator allows for changing of the daemon's configurable options.
       The  administrator communicates with the audit daemon by executing with
       the desired options.  The first invocation of spawns the daemon; subse‐
       quent  invocations  detect that an audit daemon already exists and will
       communicate with it, passing along directions for the selected options.
       The  first invocation of the daemon also turns on auditing for the sys‐
       tem ( When the daemon is terminated, by the -k option  or  the  SIGTERM
       signal,	auditing  is  turned  off.  It is important not to have system
       auditing turned on when there is no audit daemon running on the	system
       (processes  being  audited will sleep until is read, which is typically
       done by the audit daemon).

       Remote audit data is  first  detected  when  the	 remote	 audit	daemon
       attempts	 to  communicate  with the local audit daemon.	To establish a
       communications path between the	remote	and  the  local	 daemons,  the
       remote  audit daemons hostname is first checked against a list of hosts
       allowed to transmit data to the local host.  This list is maintained in
       If the remote host is allowed to transfer audit data to the local host,
       a child audit daemon dedicated to communicating with the remote host is
       spawned.

Options
       -a	   Toggle the KERBEROS switch.	If on, KERBEROS authentication
		   routines will be used to verify the identity of  any	 audit
		   daemons attempting to communicate.  This occurs either when
		   sending to a remote host (by the -i	option)	 or  accepting
		   from remote hosts (by the -s option).

       -b alternate_pathname
		   Sets	 the pathname to which the audit daemon will write its
		   data should the location currently  accepting  data	become
		   unavailable.	  This	can happen should the current location
		   specify a remote host which is no longer available, or when
		   the	filesystem of the current location reaches an overflow
		   condition (in this case, the alternate pathname must	 spec‐
		   ify a partition other than the currently overflowing parti‐
		   tion).

       -c pathname Sets the pathname to which the audit daemon will  post  any
		   warning  or	informational  messages	 (such	as  "audit log
		   change").  This may be either a device or local file.

       -d	   Causes the audit daemon  to	dump  its  currently  buffered
		   audit  data out to The audit daemon normally dumps its buf‐
		   fer only when it approaches capacity.

       -f percentage
		   Sets the minimum percent free space on the  current	parti‐
		   tion before an overflow condition is triggered.

       -h	   Outputs a brief help menu.

       -i hostname Causes  the	audit daemon to transfer its audit data to the
		   audit daemon executing on the remote host hostname.	If the
		   remote  site	 stops	receiving, the local daemon will store
		   its data locally (in alternate_pathname if available).

       -k	   Kills the audit daemon  (killing  the  local	 daemon	 turns
		   audit off).

       -l pathname Causes  the	audit  daemon  to output its audit data to the
		   local file pathname.

       -n kbytes   Sets the size of the audit daemons  buffer  for  the	 audit
		   data (minimum is 4).

       -o overflow action
		   Sets	 the  system action to take on a local overflow condi‐
		   tion.  Alternatives are a) use the alternate log  specified
		   via	-b  option,  b)	 shutdown the system, c) switch to the
		   root-mounted filesystem with the most free space,  d)  sus‐
		   pend	 auditing  until space is made available, and e) over‐
		   write the current auditlog.

       -p daemon id
		   Specifies the id of the audit daemon to receive the current
		   options.   When the local audit daemon accepts a connection
		   to receive data from a remote  audit	 daemon,  a  dedicated
		   child audit daemon is spawned off from the local audit dae‐
		   mon to service that connection.  With this scenario, multi‐
		   ple audit daemons may exist on a single system.  Specifying
		   the id of the allows for  communication  with  one  of  the
		   child  audit	 daemons.  The id for each daemon can be found
		   by entering the following at the command line:
		   /etc/sec/auditd -?
		   The previous command line displays the current options.  No
		   id's	 are  displayed unless at least one child audit daemon
		   exists.  If the -p option is	 not  specified	 when  running
		   with more than one audit daemon, the master daemon (accept‐
		   ing audit data for the local system) handles	 the  request.
		   When the master daemon is killed, it kills all of its child
		   daemons.

       -q	   Queries the audit daemon for the current  location  of  the
		   audit data.

       -s	   Toggles the network server switch.  If on, allows the audit
		   daemon to accept audit data from other audit daemons	 whose
		   hostnames are specified in the file.

       -t timeout value
		   Sets the timeout value used in establishing initial connec‐
		   tions with remote audit daemons.

       -x	   Auditlog pathnames are always appended with a  suffix  con‐
		   sisting  of	a generation number.  These generation numbers
		   range from 0 to 999.	 (Generation numbers may be overridden
		   via	explicit  generation number specification on the path‐
		   name for the -lfR option, for example  auditlog.345).   The
		   -x  option causes a change in auditlog to the next auditlog
		   in the generation number sequence.  (If the current log was
		   auditlog.345,  then	-x  would  change  the	log  to audit‐
		   log.346).  Whenever an auditlog is closed, it is also  com‐
		   pressed (by

       -z	   Removes any AF_UNIX sockets left by previous daemons.  This
		   occurs when the system shuts down abnormally.  This	option
		   is  useful typically only for the invocation from the file.
		   If no AF_UNIX socket is present,  the  next	invocation  of
		   will	 start	the  daemon.  If an AF_UNIX socket is present,
		   the next invocation of will spawn a	client	process	 which
		   will	 communicate  with  the	 system audit daemon.  This -z
		   option removes any leftover AF_UNIX sockets, forcing a  new
		   audit  daemon  to  start.  This should be used only when no
		   audit daemon is present on the system.

       -?	   Shows the current status of the audit daemons options.

Files
See Also
       audcntl(2), audit(4)

								     auditd(8)

Vote for polarhome