auditd(8) — OSF/1 3.0 αXP


auditd(8)  —  Maintenance

NAME

auditd − audit daemon (Enhanced Security)

SYNOPSIS

/usr/sbin/auditd [ options ... ]

DESCRIPTION

The audit daemon, auditd, operates as a server, monitoring /dev/audit for local audit data, monitoring a known port for data from remote cooperating audit daemons, and monitoring an AF_UNIX socket for input from the system administrator. 

Local audit data is read from the /dev/audit device.  Data read from /dev/audit is buffered by the audit daemon, and eventually output into the auditlog when the buffer nears capacity or the daemon receives an explicit instruction from the administrator to flush its buffer. 

Local administrative data is read via the socket /tmp/.audit/audS.  Input from the system administrator allows for changing of the daemon’s configurable options.  The administrator communicates with the audit daemon by executing auditd with the desired options.  The first invocation of auditd spawns the daemon; subsequent invocations detect that an audit daemon already exists and will communicate with it, passing along directions for the selected options.  The first invocation of the daemon also turns on auditing for the system (audcntl(2)).  When the daemon is terminated, by the −k option or the SIGTERM signal, auditing is turned off.  It is important not to have system auditing turned on when there is no audit daemon running on the system (processes being audited will sleep until /dev/audit is read, which is typically done by the audit daemon). 

Remote audit data is first detected when the remote audit daemon attempts to communicate with the local audit daemon.  To establish a communications path between the remote and the local daemons, the remote audit daemon’s hostname is first checked against a list of hosts allowed to transmit data to the local host. This list is maintained in /etc/sec/auditd_clients.  If the remote host is allowed to transfer audit data to the local host, a child audit daemon dedicated to communicating with the remote host is spawned. 

FLAGS

Audit Data and Messages

−c pathname
Sets the pathname to which the audit daemon will post any warning or informational messages (such as "audit log change").  This may be either a device or local file.

−h
Outputs a brief help menu.

−l hostname
Causes the audit daemon to transfer its audit data to the audit daemon executing on the remote host hostname.  If the remote site stops receiving, the local daemon will store its data locally as specified with the −o and −r options to auditd.

−l pathname
Causes the audit daemon to output its audit data to the local file pathname.

−q
Queries the audit daemon for the current location of the audit data.

auditd Control

−d [freq]
Causes the audit subsystem to dump its currently buffered audit data (from the kernel and the daemon) out to the configured host or log file.  The audit daemon normally dumps its buffer only when it approaches capacity.

If a frequency (freq) is specified, the audit daemon dumps its data at the specified frequency. The freq is specified as n[wdhms] for weeks, days, hours, minutes, and seconds.  For example, to dump the audit daemon data every 36 hours use the −d 1d12h option. 

Specifying 0s (zero seconds) disables the previously specified frequency. 
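The n[wdhms] frequency syntax above, as an added Python example that is not part of this manual or of the OSF/1 auditd code: it converts a −d specification such as 1d12h into seconds and treats 0s as disabling the periodic dump. The function names are my own.

```python
import re

# Seconds per unit letter in the auditd -d freq syntax n[wdhms]
UNIT_SECONDS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}

# One <number><unit> token; a spec is a run of these with nothing in between
_TOKEN = re.compile(r"(\d+)([wdhms])")


def parse_dump_freq(spec: str) -> int:
    """Convert an auditd -d frequency such as '1d12h' into seconds.

    Returns 0 for '0s', which the manual defines as clearing a previously
    set frequency.  Raises ValueError on anything that is not n[wdhms].
    """
    spec = spec.strip().lower()
    if not spec:
        raise ValueError("empty frequency specification")
    pos, total = 0, 0
    for m in _TOKEN.finditer(spec):
        if m.start() != pos:  # text between tokens is not part of the syntax
            raise ValueError(f"unexpected text at offset {pos} in {spec!r}")
        total += int(m.group(1)) * UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos != len(spec):  # trailing junk such as '12x'
        raise ValueError(f"unexpected text at offset {pos} in {spec!r}")
    return total


def describe_dump_freq(spec: str) -> str:
    """Human-readable summary of what the daemon would do with this spec."""
    secs = parse_dump_freq(spec)
    if secs == 0:
        return "periodic dump disabled; daemon dumps only near buffer capacity"
    return f"dump buffered audit data every {secs} seconds"


if __name__ == "__main__":
    print(describe_dump_freq("1d12h"))  # 129600 seconds, the 36-hour example
    print(describe_dump_freq("0s"))
```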

−k
Kills the audit daemon (killing the local daemon turns audit off).

−p daemon id
Specifies the id of the audit daemon to receive the current options.  When the local audit daemon accepts a connection to receive data from a remote audit daemon, a dedicated child audit daemon is spawned off from the local audit daemon to service that connection.  With this scenario, multiple audit daemons may exist on a single system. Specifying the id of the auditd allows for communication with one of the child audit daemons.  The id for each daemon can be found by entering the following at the command line:

# /usr/sbin/auditd −w

The previous command line displays the current options.  No ids are displayed unless at least one child audit daemon exists.  If the −p option is not specified when running with more than one audit daemon, the master daemon (accepting audit data for the local system) handles the request.  When the master daemon is killed, it kills all of its child daemons.

−r
Reads a list of directories into which auditd may switch its audit log file when an overflow condition is reached.  The list is maintained in /etc/sec/auditd_loc.  The maximum size of the list (/etc/sec/auditd_loc) is 8 Kbytes.  The −r option is used when the overflow action is set to changeloc (auditd −o changeloc).

−w
Shows the current status of the audit daemon's options.

−x
Auditlog pathnames are always appended with a suffix consisting of a generation number.  These generation numbers range from 000 to 999.  (Generation numbers may be overridden with an explicit generation number specification on the pathname for the −l option, for example auditlog.345).  The −x option causes a change in auditlog to the next auditlog in the generation number sequence.  (If the current log was auditlog.345, then −x would change the log to auditlog.346).  Whenever an auditlog is closed, it is also compressed (by /usr/ucb/compress).
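The generation-number rotation described above, as an added Python example (not OSF/1 code): it computes the next auditlog name the way −x does and finds the highest generation present in a directory listing, counting the .Z files that compress leaves behind. It assumes a pathname with no suffix starts at .000 and treats 999 as the end of the range, since the manual does not say what happens there; the directory listing is constructed.

```python
import re

# auditlog.NNN (open log) or auditlog.NNN.Z (closed log, compressed by compress)
_GEN_RE = re.compile(r"^(?P<base>.+)\.(?P<gen>\d{3})(?P<z>\.Z)?$")


def split_generation(pathname):
    """Split 'auditlog.345' or 'auditlog.345.Z' into ('auditlog', 345).
    A pathname without a generation suffix yields (pathname, None)."""
    m = _GEN_RE.match(pathname)
    if m is None:
        return pathname, None
    return m.group("base"), int(m.group("gen"))


def next_generation(pathname):
    """Return the pathname -x switches to: auditlog.345 -> auditlog.346.
    Assumption (not stated in the manual): a bare pathname starts at .000,
    and 999 is the last value of the 000-999 range."""
    base, gen = split_generation(pathname)
    if gen is None:
        return f"{base}.000"
    if gen >= 999:
        raise ValueError(f"{pathname}: generation 999 is the last in the sequence")
    return f"{base}.{gen + 1:03d}"


def latest_generation(entries, base):
    """Highest generation number present for base among directory entries,
    counting both open (.NNN) and compressed (.NNN.Z) logs; None if absent."""
    found = []
    for name in entries:
        b, gen = split_generation(name)
        if b == base and gen is not None:
            found.append(gen)
    return max(found) if found else None


# Constructed directory listing: two closed (compressed) logs, one open log
SAMPLE_DIR = ["auditlog.001.Z", "auditlog.002.Z", "auditlog.003", "other.010", "auditlog"]

if __name__ == "__main__":
    print(next_generation("auditlog.345"))            # auditlog.346
    print(latest_generation(SAMPLE_DIR, "auditlog"))  # 3
```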

Network

−n kbytes
Sets the size of the audit daemon's buffer for the audit data (minimum is 4).

−s
Toggles the network server switch.  If on, allows the audit daemon to accept audit data from other audit daemons whose hostnames are specified in the /etc/sec/auditd_clients file.

−t timeout_value
Sets the timeout value used in establishing initial connections with remote audit daemons.

Overflow Control

−f percentage
Sets the minimum percent free space on the current partition before an overflow condition is triggered.

−o action
Sets the action that auditd takes on an overflow condition.  The following actions are available for the −o option:

changeloc
Change to the next directory or host machine (auditd on the host machine determines the path) as specified in the /etc/sec/auditd_loc file.

suspend
Suspend auditing.

overwrite
Overwrite the current audit log file.  This action causes the loss of previously logged audit data.

kill
Terminates the audit daemon.

halt
Immediately halts the system by doing a reboot.

FILES

/etc/sec/auditd_clients
/etc/sec/auditd_loc

RELATED INFORMATION

audcntl(2), audit(7), audit_setup(8)

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026