Filewatcher File Search File Search
Content Search
» » » » » auditd_1.7.13-1+b2_amd64.deb » Content »
pkg://auditd_1.7.13-1+b2_amd64.deb:378280/usr/share/man/man8/  info  control  downloads

auditd - User space tools for security auditing…  more info»


AUDITD(8)          System Administration Utilities         AUDITD(8)

       auditd - The Linux Audit daemon

       auditd [-f] [-l] [-n] [-s disable|enable|nochange]

       auditd  is the userspace component to the Linux Auditing Sys‐
       tem. It's responsible for writing audit records to the  disk.
       Viewing the logs is done with the ausearch or aureport utili‐
       ties. Configuring the audit rules is done with  the  auditctl
       utility.  During startup, the rules in /etc/audit/audit.rules
       are read by auditctl. The audit daemon itself has  some  con‐
       figuration options that the admin may wish to customize. They
       are found in the auditd.conf file.

       -f     leave the audit daemon in the  foreground  for  debug‐
              ging. Messages also go to stderr rather than the audit

       -l     allow the audit daemon to follow symlinks  for  config

       -n     no fork. This is useful for running off of inittab

              specify when starting if auditd should change the cur‐
              rent value for the kernel enabled flag.  Valid  values
              for    ENABLE_STATE   are   "disable",   "enable"   or
              "nochange". The default is to enable (and disable when
              auditd  terminates). The value of the enabled flag may
              be  changed  during  the  lifetime  of  auditd   using
              'auditctl -e'.

       SIGHUP causes  auditd  to reconfigure. This means that auditd
              re-reads the configuration file. If there are no  syn‐
              tax errors, it will proceed to implement the requested
              changes. If the  reconfigure  is  successful,  a  DAE‐
              MON_CONFIG  event is recorded in the logs. If not suc‐
              cessful,   error    handling    is    controlled    by
              space_left_action,            admin_space_left_action,
              disk_full_action, and disk_error_action parameters  in

              caused  auditd to discontinue processing audit events,
              write a shutdown audit event, and exit.

              causes auditd to immediately rotate the logs. It  will
              consult  the  max_log_size_action  to see if it should
              keep the logs or not.

              causes auditd to attemp to  resume  logging.  This  is
              usually used after logging has been suspended.

       /etc/audit/auditd.conf - configuration file for audit daemon

       /etc/audit/audit.rules - audit rules to be loaded at startup

       A  boot  param  of audit=1 should be added to ensure that all
       processes that run before the audit daemon starts  is  marked
       as  auditable  by  the kernel. Not doing that will make a few
       processes impossible to properly audit.

       The audit daemon can receive audit events  from  other  audit
       daemons  via the audisp-remote audispd plugin. The audit dae‐
       mon may be linked with tcp_wrappers to control which machines
       can  connect.  If  this  is the case, you can add an entry to
       hosts.allow and deny.

       auditd.conf(5),   audispd(8),    ausearch(8),    aureport(8),

       Steve Grubb

Red Hat                       Sept 2007                    AUDITD(8)
Results 1 - 1 of 1
Help - FTP Sites List - Software Dir.
Search over 15 billion files
© 1997-2017