auditd



AUDITD:(8)              System Administration Utilities             AUDITD:(8)




NAME

       auditd - The Linux audit daemon


SYNOPSIS

       auditd [ -f ]


DESCRIPTION

       auditd  is  the  userspace component to the Linux Auditing System. It’s
       responsible for writing audit records to the disk. Viewing the logs  is
       done  with  the  ausearch  or aureport utilities. Configuring the audit
       rules is done with the auditctl utility. During startup, the  rules  in
       /etc/audit.rules are read by auditctl. The audit daemon itself has some
       configuration options that the admin may wish to  customize.  They  are
       found in the auditd.conf file.


OPTIONS

       -f     leave the audit daemon in the foreground for debugging. Messages
              also go to stderr rather than the audit log.


SIGNALS

       HUP causes auditd to reconfigure. This means that auditd  re-reads  the
       configuration  file.  If there are no syntax errors, it will proceed to
       implement the requested changes. If the reconfigure  is  successful,  a
       DAEMON_CONFIG  event  is recorded in the logs. If not successful, error
       handling is controlled by  space_left_action,  admin_space_left_action,
       disk_full_action, and disk_error_action parameters in auditd.conf.

       TERM  caused  auditd  to  discontinue  processing audit events, write a
       shutdown audit event, and exit.

       USR1 causes auditd to immediately rotate the logs. It will consult  the
       max_log_size_action to see if it should keep the logs or not.


FILES

       /etc/auditd.conf - configuration file for audit daemon

       /etc/audit.rules - audit rules to be loaded at startup


NOTES

       A  boot  param  of audit=1 should be added to ensure that all processes
       that run before the audit daemon starts is marked as auditable  by  the
       kernel. Not doing that will make a few processes impossible to properly
       audit.


SEE ALSO

       auditd.conf(8), ausearch(8), aureport(8), auditctl(8)



Red Hat                            Nov 2005                         AUDITD:(8)

Man(1) output converted with man2html