Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (OSF1-V5.1-alpha)
Apropos / Subsearch:
optional field

auditd(8)							    auditd(8)


  auditd - Audit daemon


  /usr/sbin/auditd [ options ...  ]


  Audit	Data and Messages

  -c pathname
      Sets the pathname	to which the audit daemon will post any	warning	or
      informational messages (such as "audit log change").  This may be
      either syslog, a device or local file.  By default, messages are logged
      by syslogd to the	daemon.log.

  -h  Outputs a	brief help menu.

  -l hostname:
      Causes the audit daemon to transfer its audit data to the	audit daemon
      executing	on the remote host hostname.  If the remote site stops
      receiving, the local daemon will store its data locally as specified
      with the -o and -r options to auditd.

  -l pathname
      Causes the audit daemon to output	its audit data to the local file

  -q  Queries the audit	daemon for the current location	of the audit data.

  Audit	in a Cluster

      Executes auditd across each active memmber of a cluster.

      The following auditd options are not supported when the -cluster option
      is used:
	   -l hostname:	(-l pathname is	supported)
	   -p, -s, -t, -u, -z

      The auditd options that are supported under -cluster are as follows:
	   -h, -q, -d, -r, -w, -x, -n, -f, -o

	   -c  Each cluster member may write to	the same console file
		or its own syslogd file.

	   -l pathname
		The default audit log pathname is /var/audit/auditlog.hostname.nnn.
		In a cluster, hostname becomes membername.

		If the log file	name does not already include it, each cluster
		member appends dot (.) followed	by the hostname.  This prevents
		file name collisions in	clusters.  Domain names	are removed from
		the host names.

	   -k  Note that a local auditd	must be	running	in order
		to kill	other members of a cluster.

  Audit	Control

  -d [freq]
      Causes the audit subsystem to dump its currently buffered	audit data
      (from the	kernel and the daemon) out to the configured host or log
      file.  The audit daemon normally dumps its buffer	only when it
      approaches capacity.

      If a frequency (freq) is specified, the audit daemon dumps its data at
      the specified frequency. The freq	is specified as	n[wdhms] for weeks,
      days, hours, minutes, and	seconds.  For example, to dump the audit dae-
      mon data every 36	hours use the -d 1d12h option.

      Specifying 0s (zero seconds) disables the	previously specified fre-

  -k  Terminates the audit daemon (terminating the local daemon	turns audit

  -p daemon id
      Specifies	the ID of the audit daemon to receive the current options.
      When the local audit daemon accepts a connection to receive data from a
      remote audit daemon, a dedicated child audit daemon is spawned off from
      the local	audit daemon to	service	that connection.  With this scenario,
      multiple audit daemons may exist on a single system.  Specifying the ID
      of the auditd allows for communication with one of the child audit dae-
      mons.  The ID for	each daemon can	be found by entering the following at
      the command line:

	   # /usr/sbin/auditd -w

      The previous command line	displays the current options. No IDs are
      displayed	unless at least	one child audit	daemon exists. If the -p
      option is	not specified when running with	more than one audit daemon,
      the master daemon	(accepting audit data for the local system) handles
      the request.  When the master daemon is terminated, it terminates	all
      of its child daemons.

  -r  Reads a list of directories into which auditd may	switch its audit log
      file when	an overflow condition is reached.  The list is maintained in
      /etc/sec/auditd_loc.  The	maximum	size of	the list
      (/etc/sec/auditd_loc) is 8 Kbytes.  The -r option	is used	when the
      overflow action is set to	changeloc (auditd -o changeloc).

  -w  Shows the	current	status of the audit daemons options.

  -x  Auditlog pathnames are always appended with a suffix consisting of a
      generation number.  These	generation numbers range from 000 to 999.
      (Generation numbers may be overridden with an explicit generation
      number specification on the pathname for the -l option, for example
      auditlog.hostname.345). The -x option causes a change in auditlog	to
      the next auditlog	in the generation number sequence.  (If	the current
      log was auditlog.hostname.345, then -x would change the log to
      auditlog.hostname.346).  Whenever	an auditlog is closed, it is also
      compressed (by /usr/ucb/compress).

  -z  This option is used to start the audit daemon server on a	system not
      configured for audit.

      The -z option removes any	AF_UNIX	sockets	left by	previous daemons.
      This situation can occur when the	system shuts down abnormally.  If no
      AF_UNIX socket is	present, the next invocation of	auditd will start the
      audit daemon.  If	an AF_UNIX socket is present, the next invocation of
      auditd spawns a client process which communicates	with the system	audit
      daemon.  This -z option should be	used only when no audit	daemon is
      present on the system.


  -n kbytes
      Sets the size of the audit daemons buffer	for the	audit data (minimum
      is 4).

  -s  Toggles the network server switch.  If on, allows	the audit daemon to
      accept audit data	from other audit daemons whose host names are speci-
      fied in the /etc/sec/auditd_clients file.

  -t timeout_value
      Sets the timeout value used in establishing initial connections with
      remote audit daemons.

  -u  Instructs	the client audit daemon	to not require acknowledgement from
      the server (machine collecting audit data) for the reciept of audit
      data sent	over the network.  The -u option is used for compatibility
      with servers that	are running versions of	DIGITAL	UNIX prior to Version

  Overflow Control

  -f percentage
      Sets the minimum percent free space on the current partition before an
      overflow condition is triggered.

  -o action
      Sets the action that auditd takes	on an overflow condition.  The fol-
      lowing actions are available for the -o option:

	  Change to the	next directory or host machine (auditd on the host
	  machine determines the path) as specified in the
	  /etc/sec/auditd_loc file.

	  Suspend auditing.

	  Overwrite the	current	audit log file.	 This action causes the	loss
	  of previously	logged audit data.

	  Terminates the audit daemon.

	  Immediately halts the	system by doing	a reboot.


  The audit daemon, auditd, operates as	a server, monitoring /dev/audit	for
  local	audit data, monitoring a known port for	data from remote cooperating
  audit	daemons, and monitoring	an AF_UNIX socket for input from the system

  Local	audit data is shared with the /dev/audit device, and eventually	is
  sent to the auditlog when the	buffer nears capacity or the daemon receives
  an explicit instruction from the administrator to flush its buffer.

  Local	administrative data is read via	the socket /dev/.audit/audS.  Input
  from the system administrator	allows for changing of the daemon's configur-
  able options.	 The administrator communicates	with the audit daemon by exe-
  cuting auditd	with the desired options.  The first invocation	of auditd
  spawns the daemon; subsequent	invocations detect that	an audit daemon
  already exists and will communicate with it, passing along directions	for
  the selected options.	 The first invocation of the daemon also turns on
  auditing for the system (audcntl(2)).	 When the daemon is terminated,	by
  the -k option	or the SIGTERM signal, auditing	is turned off.	It is impor-
  tant not to have system auditing turned on when there	is no audit daemon
  running on the system	(processes being audited will sleep on resources
  under	control	of the audit system).

  Remote audit data is first detected when a client (remote) audit daemon
  attempts to communicate with the server (local) audit	daemon.	 To establish
  a communications path	between	the client and the server daemons, the
  client's host	name is	first checked against a	list of	hosts allowed to
  transmit data	to the server. This list is maintained on the server in
  /etc/sec/auditd_clients.  If the client is allowed to	transfer audit data
  to the server, a child audit daemon dedicated	to communicating with that
  client is spawned.

  Any data transferred from the	client to the server is	acknowledged (ack'ed)
  by the server.  If the data transfer fails, the client follows its "over-
  flow"	option.	 For communication with	servers	on systems prior to Version
  4.0D,	the client must	use the	-u option, because data	acknowledgment was
  not used on earlier systems.

  The audit daemon can be terminated by	using either of	the following com-

       # rcmgr -c delete AIDITMASK_FLAG
       # rcmgr -c delete AIDITD_FLAG


       # auditmask [-cluster] -n
       # auditd	[-cluster] -dk

  Running auditd in a Cluster

  The auditd daemon runs on each member	of a cluster and logs to a common
  /var/audit directory by default.  Audit log files now	include	the host name
  to prevent file name overlap.	 The -cluster option can be used to modify
  each active member of	a cluster.  Restrictions are noted in the -cluster
  flag's description.  When reading a file with	the -cluster opton, make sure
  the file is visible to each cluster member.







  Commands: auditconfig(8)

  Functions: audcntl(2)

  Files: audit(7)