auditd man page on SmartOS

Man page or keyword search:  
man Server   16655 pages
apropos Keyword Search (all sections)
Output format
SmartOS logo
[printable version]

AUDITD(1M)							    AUDITD(1M)

       auditd - audit daemon


       The audit daemon, auditd, controls the generation and location of audit
       trail files and the generation of syslog messages based on the  defini‐
       tions  in  audit_control(4).  If	 auditing is enabled, auditd reads the
       audit_control file to do the following:

	   o	  reads the path to a library module for  realtime  conversion
		  of audit data into syslog messages;

	   o	  reads	 other	parameters  specific to the selected plugin or

	   o	  obtains a list of directories into which audit files can  be

	   o	  obtains  the	percentage limit for how much space to reserve
		  on each filesystem before changing to the next directory.

       audit(1M) is used to control auditd. It can cause auditd to:

	   o	  close the current audit file and open a new one;

	   o	  close	  the	current	  audit	  file,	  re-read   /etc/secu‐
		  rity/audit_control and open a new audit file;

	   o	  close the audit trail and terminate auditing.

   Auditing Conditions
       The audit daemon invokes the program audit_warn(1M) under the following
       conditions with the indicated options:

       audit_warn soft pathname

	   The file system upon which pathname resides has exceeded the	 mini‐
	   mum free space limit defined in audit_control(4). A new audit trail
	   has been opened on another file system.

       audit_warn allsoft

	   All available file systems have been filled beyond the minimum free
	   space limit. A new audit trail has been opened anyway.

       audit_warn hard pathname

	   The	file system upon which pathname resides has filled or for some
	   reason become unavailable. A new audit trail	 has  been  opened  on
	   another file system.

       audit_warn allhard count

	   All	available  file	 systems  have	been filled or for some reason
	   become unavailable. The audit  daemon  will	repeat	this  call  to
	   audit_warn  at  intervals  of  at  least twenty seconds until space
	   becomes available. count is the number of times that audit_warn has
	   been called since the problem arose.

       audit_warn ebusy

	   There is already an audit daemon running.

       audit_warn tmpfile

	   The	file  /etc/security/audit/audit_tmp exists, indicating a fatal

       audit_warn nostart

	   The internal system audit condition is AUC_FCHDONE. Auditing cannot
	   be started without rebooting the system.

       audit_warn auditoff

	   The	internal  system  audit	 condition  has been changed to not be
	   AUC_AUDITING by someone other than the audit	 daemon.  This	causes
	   the audit daemon to exit.

       audit_warn postsigterm

	   An  error occurred during the orderly shutdown of the auditing sys‐

       audit_warn getacdir

	   There is a problem  getting	the  directory	list  from  /etc/secu‐

	   The	audit  daemon  will  hang  in  a sleep loop until this file is


       See attributes(5) for descriptions of the following attributes:

       │Interface Stability │ Committed	      │

       audit(1M),  audit_warn(1M),   bsmconv(1M),   praudit(1M),   auditon(2),
       audit.log(4), audit_control(4), attributes(5)

       See  the	 section  on  Solaris Auditing in System Administration Guide:
       Security Services.

       The functionality described in this man page is available only  if  the
       Solaris	Auditing  feature  has	been enabled. See bsmconv(1M) for more

       auditd is loaded in the	global	zone  at  boot	time  if  auditing  is
       enabled.	 See bsmconv(1M).

       If  the audit policy perzone is set, auditd runs in each zone, starting
       automatically when the local zone boots. If a zone is running when  the
       perzone	policy	is  set,  auditing  must  be started manually in local
       zones.  It is not necessary to reboot the system or the local  zone  to
       start   auditing	  in   a  local	 zone.	auditd	can  be	 started  with
       "/usr/sbin/audit -s" and will start automatically with future boots  of
       the zone.

       When  auditd  runs in a local zone, the configuration is taken from the
       local   zone's	/etc/security	directory's   files:	audit_control,
       audit_class, audit_user, audit_startup, and audit_event.

       Configuration  changes  do not affect audit sessions that are currently
       running, as the changes do not modify a process's preselection mask. To
       change  the  preselection  mask on a running process, use the -setpmask
       option of the auditconfig command (see auditconfig(1M)).	 If  the  user
       logs  out  and  logs  back  in,	the  new configuration changes will be
       reflected in the next audit session.

				 Apr 29, 2008			    AUDITD(1M)

List of man pages available for SmartOS

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
Vote for polarhome
Free Shell Accounts :: the biggest list on the net