auditd - Audit daemon
/usr/sbin/auditd [options...]
Audit Data and Messages
-c console
        Sets the pathname to which the audit daemon will post any
        warning or informational messages (such as "audit log
        change"). This may be syslog, a device, or a local file. By
        default, messages are logged by syslogd to daemon.log.

-h      Outputs a brief help menu.

-l hostname
        Causes the audit daemon to transfer its audit data to the
        audit daemon executing on the remote host hostname. If the
        remote site stops receiving, the local daemon stores its
        data locally as specified with the -o and -r options.

-l pathname
        Causes the audit daemon to output its audit data to the
        local file pathname.

-q      Queries the audit daemon for the current location of the
        audit data.
Audit in a Cluster

-cluster
        Executes auditd across each active member of a cluster.
        The following auditd options are not supported when the
        -cluster option is used:

            -l hostname (-l pathname is supported), -p, -s, -t,
            -u, -z

        The auditd options that are supported under -cluster are
        -h, -q, -d, -r, -w, -x, -n, -f, -o, and -c, with the
        following notes:

        Each cluster member may write to the same console file or
        to its own syslogd file. The default audit log pathname is
        /var/audit/auditlog.hostname.nnn; in a cluster, hostname
        becomes the member name.

        If the log file name does not already include it, each
        cluster member appends a dot (.) followed by its host name.
        This prevents file name collisions between members writing
        to the shared /var/audit directory. Domain names are
        removed from the host names before they are appended.

        Note that a local auditd must be running in order to kill
        the daemons on the other members of a cluster.
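The two naming rules above (member suffix with the domain stripped, and the three-digit generation suffix nnn that the -x option under Audit Control advances from 345 to 346) are easy to get wrong when scripting log collection across members. The following is an added example, not code from the auditd man page or the Tru64 sources; the host names and paths it uses are constructed for the demonstration, and its refusal to advance past generation 999 is this example's choice, since the page does not say what follows 999.

```shell
#!/bin/sh
# Added example (not from the auditd man page or the Tru64 sources):
# helpers that reproduce two log-naming rules described on this page,
# so an operator can predict the file names auditd will produce:
#   1. in a cluster each member appends "." plus its host name, with
#      the domain part removed, unless the name already contains it;
#   2. a log name ends in a three-digit generation number 000..999
#      and "auditd -x" moves to the next one (345 -> 346).
# Host names and paths below are constructed for the demonstration.

# short_host FQDN: drop the domain part (node1.example.com -> node1).
short_host() {
    printf '%s\n' "${1%%.*}"
}

# split_log LOGNAME: set STEM to the name without any trailing .nnn
# generation suffix and GEN to that suffix ("" when there is none).
split_log() {
    case $1 in
        *.[0-9][0-9][0-9]) STEM=${1%.???}; GEN=${1##*.} ;;
        *) STEM=$1; GEN= ;;
    esac
}

# member_log_name LOGNAME MEMBER: the name a cluster member would use
# for LOGNAME. The short member name is inserted before the generation
# suffix unless it is already a dot-delimited component of the file
# name (the directory part is not consulted).
member_log_name() {
    split_log "$1"
    member=$(short_host "$2")
    base=${STEM##*/}
    case ".$base." in
        *".$member."*) ;;                  # already tagged, leave as is
        *) STEM="$STEM.$member" ;;
    esac
    if [ -n "$GEN" ]; then
        printf '%s.%s\n' "$STEM" "$GEN"
    else
        printf '%s\n' "$STEM"
    fi
}

# next_generation LOGNAME: the name "auditd -x" switches to. Fails when
# LOGNAME has no generation suffix or is already at 999: the page gives
# the range as 000..999 and does not say what follows 999, so refusing
# is this example's choice rather than documented auditd behaviour.
next_generation() {
    split_log "$1"
    [ -n "$GEN" ] || return 1
    n=$(printf '%s' "$GEN" | sed 's/^0*//')   # avoid octal in $(( ))
    [ -n "$n" ] || n=0
    [ "$n" -lt 999 ] || return 1
    printf '%s.%03d\n' "$STEM" "$((n + 1))"
}

# closed_log_name LOGNAME: a closed log is compressed by
# /usr/ucb/compress, which adds a .Z suffix.
closed_log_name() {
    printf '%s.Z\n' "$1"
}

# Demonstration with constructed names.
member_log_name /var/audit/auditlog.000 node1.example.com
member_log_name /var/audit/auditlog.node1.000 node1.example.com
next_generation /var/audit/auditlog.node1.345
closed_log_name /var/audit/auditlog.node1.345
```

Only the file name is checked for an existing member tag, so a log kept under a directory that happens to be named after the member (/var/node1/mylog) still receives the suffix, which matches the page's statement that the name itself must already include the host name.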
Audit Control

-d [freq]
        Causes the audit subsystem to dump its currently buffered
        audit data (from the kernel and the daemon) out to the
        configured host or log file. The audit daemon normally
        dumps its buffer only when it approaches capacity.

        If a frequency (freq) is specified, the audit daemon dumps
        its data at that frequency. The freq is specified as
        n[wdhms], in weeks, days, hours, minutes, or seconds; the
        units may be combined. For example, to dump the audit
        daemon data every 36 hours, use the -d 1d12h option.

        Specifying 0s (zero seconds) disables the previously
        specified frequency.

-k      Terminates the audit daemon. Terminating the local daemon
        turns auditing off.

-p id   Specifies the ID of the audit daemon to receive the current
        options. When the local audit daemon accepts a connection
        to receive data from a remote audit daemon, a dedicated
        child audit daemon is spawned from the local audit daemon
        to service that connection, so multiple audit daemons may
        exist on a single system. Specifying the ID of the auditd
        allows communication with one of the child audit daemons.
        The ID of each daemon is shown by the following command:

            # /usr/sbin/auditd -w

        This displays the current options. No IDs are displayed
        unless at least one child audit daemon exists. If the -p
        option is not specified when more than one audit daemon is
        running, the master daemon (the one accepting audit data
        for the local system) handles the request. When the master
        daemon is terminated, it terminates all of its child
        daemons.

-r      Reads a list of directories into which auditd may switch
        its audit log file when an overflow condition is reached.
        The list is maintained in /etc/sec/auditd_loc; its maximum
        size is 8 Kbytes. The -r option is used when the overflow
        action is set to changeloc (auditd -o changeloc).

-w      Shows the current status of the audit daemon's options.

-x      Auditlog pathnames are always appended with a suffix
        consisting of a generation number, in the range 000 to 999.
        (The generation number may be overridden with an explicit
        generation number on the pathname given to the -l option,
        for example auditlog.hostname.345.) The -x option switches
        the auditlog to the next generation number in sequence: if
        the current log is auditlog.hostname.345, -x changes it to
        auditlog.hostname.346. Whenever an auditlog is closed, it
        is also compressed (by /usr/ucb/compress).

-z      Starts the audit daemon server on a system not configured
        for audit. The -z option removes any AF_UNIX sockets left
        by previous daemons; this situation can occur when the
        system shuts down abnormally. If no AF_UNIX socket is
        present, the next invocation of auditd starts the audit
        daemon. If an AF_UNIX socket is present, the next
        invocation of auditd instead spawns a client process that
        communicates with the existing system audit daemon. Use -z
        only when no audit daemon is present on the system: the
        socket is the running daemon's only path for administrative
        input (see below), so removing it from under a live daemon
        leaves that daemon unreachable.
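The n[wdhms] frequency syntax accepted by -d combines units ("1d12h" is 36 hours), so it is worth checking what a spec means before handing it to the daemon. The following is an added example, not code from the auditd man page or the Tru64 sources: a POSIX shell function that converts a -d frequency spec to seconds and rejects malformed specs, plus a check for the 0s form that cancels a previously set frequency.

```shell
#!/bin/sh
# Added example (not from the auditd man page or the Tru64 sources):
# freq_to_seconds converts an auditd -d frequency string of the form
# n[wdhms], with units combinable as in "1d12h", into a total number
# of seconds, so an operator can check what a -d argument means
# before handing it to the daemon.
#
# Prints the total and returns 0 on success; returns 1 on a malformed
# spec (missing unit, unknown unit letter, empty string).
freq_to_seconds() {
    rest=$1
    total=0
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        # Leading run of digits is the count for the next unit.
        digits=$(printf '%s' "$rest" | sed -n 's/^\([0-9][0-9]*\).*/\1/p')
        [ -n "$digits" ] || return 1
        rest=${rest#"$digits"}
        # Strip leading zeros so $(( )) does not read "036" as octal.
        n=$(printf '%s' "$digits" | sed 's/^0*//')
        [ -n "$n" ] || n=0
        # The single character after the digits is the unit letter.
        unit=$(printf '%.1s' "$rest")
        rest=${rest#?}
        case $unit in
            w) mult=604800 ;;
            d) mult=86400 ;;
            h) mult=3600 ;;
            m) mult=60 ;;
            s) mult=1 ;;
            *) return 1 ;;
        esac
        total=$((total + n * mult))
    done
    printf '%s\n' "$total"
}

# freq_is_disable SPEC: true for the "0s" form that cancels a
# previously set frequency (any valid spec totalling zero seconds).
freq_is_disable() {
    secs=$(freq_to_seconds "$1") || return 1
    [ "$secs" -eq 0 ]
}

# Demonstration: the man page's example "-d 1d12h" is the same
# interval as "-d 36h".
for spec in 1d12h 36h 1w 0s; do
    printf '%-6s -> %s seconds\n' "$spec" "$(freq_to_seconds "$spec")"
done
```

A bare number such as "12" is rejected rather than guessed at, since the page gives no default unit; a spec with leading zeros such as "036h" is accepted and read as decimal.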
Network

-s size
        Sets the size of the audit daemon's buffer for the audit
        data (minimum is 4).

-n      Toggles the network server switch. If on, the audit daemon
        accepts audit data from other audit daemons whose host
        names are listed in the /etc/sec/auditd_clients file.

-t timeout
        Sets the timeout value used in establishing initial
        connections with remote audit daemons.

-u      Instructs the client audit daemon not to require an
        acknowledgement from the server (the machine collecting the
        audit data) for the receipt of audit data sent over the
        network. The -u option is provided for compatibility with
        servers running versions of Tru64 UNIX prior to Version
        4.0D; a client running with -u gets no confirmation that
        the server actually recorded the data it sent.
Overflow Control

-f percent
        Sets the minimum percent free space on the current partition
        before an overflow condition is triggered.

-o action
        Sets the action that auditd takes on an overflow condition.
        The following actions are available:

        changeloc   Change to the next directory or host machine
                    (auditd on the host machine determines the
                    path) as listed in the /etc/sec/auditd_loc
                    file.

        suspend     Suspend auditing.

        overwrite   Overwrite the current audit log file. This
                    action causes the loss of previously logged
                    audit data.

        terminate   Terminate the audit daemon.

        halt        Immediately halt the system by doing a reboot.
Description

The audit daemon, auditd, operates as a server, monitoring
/dev/audit for local audit data, monitoring a known port
for data from remote cooperating audit daemons, and monitoring
an AF_UNIX socket for input from the system administrator.
Local audit data is shared with the /dev/audit device, and
is eventually sent to the auditlog when the buffer nears
capacity or the daemon receives an explicit instruction
from the administrator to flush its buffer.
Local administrative data is read via the socket
/dev/.audit/audS. Input from the system administrator
allows for changing of the daemon's configurable options.
The administrator communicates with the audit daemon by
executing auditd with the desired options. The first
invocation of auditd spawns the daemon; subsequent invocations
detect that an audit daemon already exists and will
communicate with it, passing along directions for the
selected options. The first invocation of the daemon also
turns on auditing for the system (audcntl(2)). When the
daemon is terminated, by the -k option or the SIGTERM signal,
auditing is turned off. It is important not to have
system auditing turned on when there is no audit daemon
running on the system (processes being audited will sleep
on resources under control of the audit system).
Remote audit data is first detected when a client (remote)
audit daemon attempts to communicate with the server
(local) audit daemon. To establish a communications path
between the client and the server daemons, the client's
host name is first checked against a list of hosts allowed
to transmit data to the server. This list is maintained on
the server in /etc/sec/auditd_clients. If the client is
allowed to transfer audit data to the server, a child
audit daemon dedicated to communicating with that client
is spawned.
Any data transferred from the client to the server is
acknowledged (ack'ed) by the server. If the data transfer
fails, the client follows its "overflow" option. For communication
with servers on systems prior to Version 4.0D,
the client must use the -u option, because data acknowledgment
was not used on earlier systems.
The audit daemon can be terminated by using either of the
following pairs of commands:

    # rcmgr -c delete AUDITMASK_FLAG
    # rcmgr -c delete AUDITD_FLAG

or

    # auditmask [-cluster] -n
    # auditd [-cluster] -dk
Running auditd in a Cluster

The auditd daemon runs on each member of a cluster and
logs to a common /var/audit directory by default. Audit
log files include the host name to prevent file name
overlap. The -cluster option can be used to modify each
active member of a cluster. Restrictions are noted in the
-cluster flag's description. When reading a file with the
-cluster option, make sure the file is visible to each
cluster member.
Files

/etc/sec/auditd_clients
/etc/sec/auditd_loc
/var/audit/auditlog.hostname.nnn
/etc/rc.config.common

See Also

Commands: auditconfig(8)
Functions: audcntl(2)
Files: audit(7)

auditd(8)