auditd man page on DigitalUNIX


auditd(8)							     auditd(8)

NAME
       auditd - Audit daemon

SYNOPSIS
       /usr/sbin/auditd [options...]

OPTIONS
   Audit Data and Messages
       -c pathname
              Sets the pathname to which the audit daemon will post any warning
              or informational messages (such as "audit log change"). This may
              be syslog, a device, or a local file. By default, messages are
              logged by syslogd to daemon.log.

       -h     Outputs a brief help menu.

       -l hostname
              Causes the audit daemon to transfer its audit data to the audit
              daemon executing on the remote host hostname. If the remote site
              stops receiving, the local daemon stores its data locally as
              specified with the -o and -r options to auditd.

       -l pathname
              Causes the audit daemon to output its audit data to the local
              file pathname.

       -q     Queries the audit daemon for the current location of the audit
              data.

   Audit in a Cluster
       -cluster
              Executes auditd across each active member of a cluster. The
              following auditd options are not supported when the -cluster
              option is used:

              -l hostname (-l pathname is supported), -p, -s, -t, -u, -z

              The auditd options that are supported under -cluster are -h,
              -q, -d, -r, -w, -x, -n, -f, -o, and the following:

              -c pathname
                     Each cluster member may write to the same console file
                     or its own syslogd file.

              -l pathname
                     The default audit log pathname is
                     /var/audit/auditlog.hostname.nnn. In a cluster,
                     hostname becomes membername.

                     If the log file name does not already include it, each
                     cluster member appends a dot (.) followed by the host
                     name. This prevents file name collisions in clusters.
                     Domain names are removed from the host names.

              -k     Note that a local auditd must be running in order to
                     kill other members of a cluster.

   Audit Control
       -d freq
              Causes the audit subsystem to dump its currently buffered audit
              data (from the kernel and the daemon) out to the configured host
              or log file. The audit daemon normally dumps its buffer only when
              it approaches capacity.

              If a frequency (freq) is specified, the audit daemon dumps its
              data at the specified frequency. The freq is specified as
              n[wdhms] for weeks, days, hours, minutes, and seconds. For
              example, to dump the audit daemon data every 36 hours, use the
              -d 1d12h option.

              Specifying 0s (zero seconds) disables the previously specified
              frequency.

       -k     Terminates the audit daemon (terminating the local daemon turns
              audit off).

       -p id  Specifies the ID of the audit daemon to receive the current
              options. When the local audit daemon accepts a connection to
              receive data from a remote audit daemon, a dedicated child audit
              daemon is spawned off from the local audit daemon to service
              that connection. In this scenario, multiple audit daemons may
              exist on a single system. Specifying the ID of the auditd allows
              for communication with one of the child audit daemons. The ID
              for each daemon can be found by entering the following at the
              command line:

                     # /usr/sbin/auditd

              The previous command line displays the current options. No IDs
              are displayed unless at least one child audit daemon exists. If
              the -p option is not specified when running with more than one
              audit daemon, the master daemon (accepting audit data for the
              local system) handles the request. When the master daemon is
              terminated, it terminates all of its child daemons.

       -r     Reads a list of directories into which auditd may switch its
              audit log file when an overflow condition is reached. The list
              is maintained in /etc/sec/auditd_loc. The maximum size of the
              list (/etc/sec/auditd_loc) is 8 Kbytes. The -r option is used
              when the overflow action is set to changeloc (auditd -o
              changeloc).

       -s     Shows the current status of the audit daemon's options.

       -x     Auditlog pathnames are always appended with a suffix consisting
              of a generation number. These generation numbers range from 000
              to 999. (Generation numbers may be overridden with an explicit
              generation number specification on the pathname for the -l
              option, for example auditlog.hostname.345.) The -x option causes
              a change in auditlog to the next auditlog in the generation
              number sequence. (If the current log was auditlog.hostname.345,
              then -x would change the log to auditlog.hostname.346.) Whenever
              an auditlog is closed, it is also compressed (by
              /usr/ucb/compress).

       -z     This option is used to start the audit daemon server on a system
              not configured for audit. The -z option removes any AF_UNIX
              sockets left by previous daemons. This situation can occur when
              the system shuts down abnormally. If no AF_UNIX socket is
              present, the next invocation of auditd will start the audit
              daemon. If an AF_UNIX socket is present, the next invocation of
              auditd spawns a client process which communicates with the
              system audit daemon. The -z option should be used only when no
              audit daemon is present on the system.

       -w size
              Sets the size of the audit daemon's buffer for the audit data
              (minimum is 4).

       -n     Toggles the network server switch. If on, allows the audit daemon
              to accept audit data from other audit daemons whose host names
              are specified in the /etc/sec/auditd_clients file.

       -t timeout
              Sets the timeout value used in establishing initial connections
              with remote audit daemons.

       -u     Instructs the client audit daemon to not require acknowledgement
              from the server (the machine collecting audit data) for the
              receipt of audit data sent over the network. The -u option is
              used for compatibility with servers that are running versions of
              Tru64 UNIX prior to Version 4.0D.
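The n[wdhms] frequency syntax accepted by -d, modelled in Python as an added example (this is not code from the original man page or from Tru64's auditd; the names parse_dump_freq and format_dump_freq are my own). It turns a spec such as the page's 1d12h into seconds, treats 0s as "disabled", and rejects malformed specs outright so that a mistyped interval cannot silently leave audit data buffered longer than intended:

```python
import re

# Unit multipliers, in seconds, for the auditd -d freq syntax n[wdhms]
# (weeks, days, hours, minutes, seconds).
_UNITS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
_TOKEN = re.compile(r"(\d+)([wdhms])")


def parse_dump_freq(spec: str) -> int:
    """Return the dump interval, in seconds, for an auditd -d freq string.

    Tokens may be chained, so "1d12h" is 36 hours (129600 s); repeated
    units are summed. "0s" is the documented way to clear a previously
    set frequency and comes back as 0. Anything that is not a run of
    n[wdhms] tokens is rejected rather than half-parsed, because a
    partially honoured interval would keep audit records in the buffer
    for longer than the operator intended.
    """
    spec = spec.strip()
    if not spec:
        raise ValueError("empty frequency spec")
    pos, total = 0, 0
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if m is None:
            raise ValueError(f"bad frequency spec {spec!r} at offset {pos}")
        total += int(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    return total


def format_dump_freq(seconds: int) -> str:
    """Render seconds as a compact n[wdhms] spec ("0s" for 0).

    Handy for normalising what an operator typed (e.g. "36h") into the
    form that is easiest to review against a logging policy ("1d12h").
    """
    if seconds < 0:
        raise ValueError("negative interval")
    if seconds == 0:
        return "0s"
    parts = []
    for unit in "wdhms":
        n, seconds = divmod(seconds, _UNITS[unit])
        if n:
            parts.append(f"{n}{unit}")
    return "".join(parts)
```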

   Overflow Control
       -f percent
              Sets the minimum percent free space on the current partition
              before an overflow condition is triggered.

       -o action
              Sets the action that auditd takes on an overflow condition. The
              following actions are available for the -o option:

              Change to the next directory or host machine (auditd on the host
              machine determines the path) as specified in the
              /etc/sec/auditd_loc file (the changeloc action).

              Suspend auditing.

              Overwrite the current audit log file. This action causes the
              loss of previously logged audit data.

              Terminate the audit daemon.

              Immediately halt the system by doing a reboot.

DESCRIPTION
       The audit daemon, auditd, operates as a server, monitoring /dev/audit
       for local audit data, monitoring a known port for data from remote
       cooperating audit daemons, and monitoring an AF_UNIX socket for input
       from the system administrator.

       Local  audit  data is shared with the /dev/audit device, and eventually
       is sent to the auditlog when the buffer nears capacity  or  the	daemon
       receives	 an  explicit  instruction from the administrator to flush its

       Local administrative data is  read  via	the  socket  /dev/.audit/audS.
       Input from the system administrator allows for changing of the daemon's
       configurable options.  The administrator communicates  with  the	 audit
       daemon by executing auditd with the desired options.  The first invoca‐
       tion of auditd spawns the daemon; subsequent invocations detect that an
       audit daemon already exists and will communicate with it, passing along
       directions for the selected options.  The first invocation of the  dae‐
       mon  also turns on auditing for the system (audcntl(2)).	 When the dae‐
       mon is terminated, by the -k option or the SIGTERM signal, auditing  is
       turned  off. It is important not to have system auditing turned on when
       there is no audit daemon running on the system (processes being audited
       will sleep on resources under control of the audit system).

       Remote audit data is first detected when a client (remote) audit daemon
       attempts to communicate with the server (local) audit daemon. To estab‐
       lish  a	communications path between the client and the server daemons,
       the client's host name is first checked against a list of hosts allowed
       to  transmit  data to the server. This list is maintained on the server
       in /etc/sec/auditd_clients. If the client is allowed to transfer	 audit
       data  to	 the  server,  a child audit daemon dedicated to communicating
       with that client is spawned.

       Any data transferred from the client  to	 the  server  is  acknowledged
       (ack'ed)	 by the server. If the data transfer fails, the client follows
       its "overflow" option. For communication with servers on systems	 prior
       to  Version  4.0D,  the	client	must  use  the -u option, because data
       acknowledgment was not used on earlier systems.

       The audit daemon can be terminated by using either of the following:

              # rcmgr -c delete AUDITMASK_FLAG
              # rcmgr -c delete AUDITD_FLAG

              # auditmask [-cluster] -n
              # auditd [-cluster] -dk

   Running auditd in a Cluster
       The auditd daemon runs on each member of a cluster and logs to a common
       /var/audit directory by default. Audit log files now include the host
       name to prevent file name overlap. The -cluster option can be used to
       modify each active member of a cluster. Restrictions are noted in the
       -cluster flag's description. When reading a file with the -cluster
       option, make sure the file is visible to each cluster member.
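The generation-number suffix described under -x and the cluster rule above that appends the member name to the log file, modelled together as an added Python example (not code from the original man page or from Tru64; the function names and the sample host node1.example.com are constructed for illustration). It shows how a log name advances from .345 to .346, why the model stops at 999 because the page states only the range, and how a member name is added only when the name does not already carry it:

```python
import re

GEN_MIN, GEN_MAX = 0, 999                # generation numbers run 000..999
_GEN_SUFFIX = re.compile(r"\.(\d{3})$")   # ".345" at the end of a log name


def split_generation(pathname):
    """Split "auditlog.node1.345" into ("auditlog.node1", 345).

    A pathname without a three-digit generation suffix yields (pathname, None).
    """
    m = _GEN_SUFFIX.search(pathname)
    if m is None:
        return pathname, None
    return pathname[: m.start()], int(m.group(1))


def with_generation(stem, gen):
    """Attach a zero-padded suffix, refusing values outside 000-999."""
    if not GEN_MIN <= gen <= GEN_MAX:
        raise ValueError(f"generation {gen} outside 000-999")
    return f"{stem}.{gen:03d}"


def next_auditlog(current):
    """What -x does to the current log name: advance one generation.

    auditd(8) documents only the range 000-999, not what follows 999, so
    this model raises at the end of the range rather than guess a wrap.
    """
    stem, gen = split_generation(current)
    if gen is None:
        raise ValueError(f"{current!r} carries no generation suffix")
    return with_generation(stem, gen + 1)


def member_log_name(pathname, hostname):
    """Cluster rule: append ".<member>" unless the name already includes it.

    The domain part of the host name is dropped first, and an existing
    generation suffix stays at the very end of the result.
    """
    stem, gen = split_generation(pathname)
    member = hostname.split(".", 1)[0]
    directory, sep, base = stem.rpartition("/")
    if member not in base.split("."):
        base = f"{base}.{member}"
    stem = directory + sep + base
    return stem if gen is None else with_generation(stem, gen)
```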





SEE ALSO
       Commands: auditconfig(8)

       Functions: audcntl(2)

       Files: audit(7)

