Filewatcher File Search File Search
Catalog
Content Search
» » » » » auditd_1.7.13-1+b2_amd64.deb » Content »
pkg://auditd_1.7.13-1+b2_amd64.deb:378280/usr/share/man/man8/  info  control  downloads

auditd - User space tools for security auditing…  more info»

auditd.8.gz

AUDITD(8)          System Administration Utilities         AUDITD(8)



NAME
       auditd - The Linux Audit daemon

SYNOPSIS
       auditd [-f] [-l] [-n] [-s disable|enable|nochange]

DESCRIPTION
       auditd  is the userspace component to the Linux Auditing Sys‐
       tem. It's responsible for writing audit records to the  disk.
       Viewing the logs is done with the ausearch or aureport utili‐
       ties. Configuring the audit rules is done with  the  auditctl
       utility.  During startup, the rules in /etc/audit/audit.rules
       are read by auditctl. The audit daemon itself has  some  con‐
       figuration options that the admin may wish to customize. They
       are found in the auditd.conf file.

OPTIONS
       -f     leave the audit daemon in the  foreground  for  debug‐
              ging. Messages also go to stderr rather than the audit
              log.

       -l     allow the audit daemon to follow symlinks  for  config
              files.

       -n     no fork. This is useful for running off of inittab

       -s=ENABLE_STATE
              specify when starting if auditd should change the cur‐
              rent value for the kernel enabled flag.  Valid  values
              for    ENABLE_STATE   are   "disable",   "enable"   or
              "nochange". The default is to enable (and disable when
              auditd  terminates). The value of the enabled flag may
              be  changed  during  the  lifetime  of  auditd   using
              'auditctl -e'.

SIGNALS
       SIGHUP causes  auditd  to reconfigure. This means that auditd
              re-reads the configuration file. If there are no  syn‐
              tax errors, it will proceed to implement the requested
              changes. If the  reconfigure  is  successful,  a  DAE‐
              MON_CONFIG  event is recorded in the logs. If not suc‐
              cessful,   error    handling    is    controlled    by
              space_left_action,            admin_space_left_action,
              disk_full_action, and disk_error_action parameters  in
              auditd.conf.


       SIGTERM
              caused  auditd to discontinue processing audit events,
              write a shutdown audit event, and exit.


       SIGUSR1
              causes auditd to immediately rotate the logs. It  will
              consult  the  max_log_size_action  to see if it should
              keep the logs or not.


       SIGUSR2
              causes auditd to attemp to  resume  logging.  This  is
              usually used after logging has been suspended.


FILES
       /etc/audit/auditd.conf - configuration file for audit daemon

       /etc/audit/audit.rules - audit rules to be loaded at startup


NOTES
       A  boot  param  of audit=1 should be added to ensure that all
       processes that run before the audit daemon starts  is  marked
       as  auditable  by  the kernel. Not doing that will make a few
       processes impossible to properly audit.

       The audit daemon can receive audit events  from  other  audit
       daemons  via the audisp-remote audispd plugin. The audit dae‐
       mon may be linked with tcp_wrappers to control which machines
       can  connect.  If  this  is the case, you can add an entry to
       hosts.allow and deny.


SEE ALSO
       auditd.conf(5),   audispd(8),    ausearch(8),    aureport(8),
       auditctl(8).


AUTHOR
       Steve Grubb



Red Hat                       Sept 2007                    AUDITD(8)
Results 1 - 1 of 1
Help - FTP Sites List - Software Dir.
Search over 15 billion files
© 1997-2017 FileWatcher.com