auditd(8)
NAME
auditd - Audit daemon
SYNOPSIS
/usr/sbin/auditd [options...]
OPTIONS
Audit Data and Messages
-c pathname
Sets the pathname to which the audit daemon will post any warning or
informational messages (such as "audit log change"). This may be either
syslog, a device or local file. By default, messages are logged by
syslogd to the daemon.log.
-h Outputs a brief help menu.
-l hostname:
Causes the audit daemon to transfer its audit data to the audit daemon
executing on the remote host hostname. If the remote site stops
receiving, the local daemon will store its data locally as specified
with the -o and -r options to auditd.
-l pathname
Causes the audit daemon to output its audit data to the local file
pathname.
-q Queries the audit daemon for the current location of the audit data.
Audit in a Cluster
-cluster
Executes auditd across each active member of a cluster. The following
auditd options are not supported when the -cluster option is used:
-l hostname: (-l pathname is supported)
-p, -s, -t, -u, -z
The auditd options that are supported under -cluster are as follows:
-h, -q, -d, -r, -w, -x, -n, -f, -o, and the following:
-c Each cluster member may write to the same console file or to its own
syslogd file.
-l The default audit log pathname is /var/audit/auditlog.hostname.nnn.
In a cluster, hostname becomes membername.
If the log file name does not already include it, each cluster
member appends a dot (.) followed by the hostname. This prevents
file name collisions in clusters. Domain names are removed from
the host names.
-k Note that a local auditd must be running in order to kill other
members of a cluster.
Audit Control
-d [freq]
Causes the audit subsystem to dump its currently buffered audit data
(from the kernel and the daemon) out to the configured host or log
file. The audit daemon normally dumps its buffer only when it
approaches capacity.
If a frequency (freq) is specified, the audit daemon dumps its data at
the specified frequency. The freq is specified as n[wdhms] for weeks,
days, hours, minutes, and seconds. For example, to dump the audit
daemon data every 36 hours use the -d 1d12h option.
Specifying 0s (zero seconds) disables the previously specified
frequency.
-k Terminates the audit daemon (terminating the local daemon turns audit
off).
-p daemon id
Specifies the ID of the audit daemon to receive the current options.
When the local audit daemon accepts a connection to receive data from a
remote audit daemon, a dedicated child audit daemon is spawned off from
the local audit daemon to service that connection. With this scenario,
multiple audit daemons may exist on a single system. Specifying the ID
of the auditd allows for communication with one of the child audit
daemons. The ID for each daemon can be found by entering the following
at the command line:
# /usr/sbin/auditd -w
The previous command line displays the current options. No IDs are
displayed unless at least one child audit daemon exists. If the -p
option is not specified when running with more than one audit daemon,
the master daemon (accepting audit data for the local system) handles
the request. When the master daemon is terminated, it terminates all
of its child daemons.
-r Reads a list of directories into which auditd may switch its audit log
file when an overflow condition is reached. The list is maintained in
/etc/sec/auditd_loc. The maximum size of the list (/etc/sec/auditd_loc)
is 8 Kbytes. The -r option is used when the overflow action is set to
changeloc (auditd -o changeloc).
-w Shows the current status of the audit daemon's options.
-x Auditlog pathnames are always appended with a suffix consisting of a
generation number. These generation numbers range from 000 to 999.
(Generation numbers may be overridden with an explicit generation
number specification on the pathname for the -l option, for example
auditlog.hostname.345). The -x option causes a change in auditlog to
the next auditlog in the generation number sequence. (If the current
log was auditlog.hostname.345, then -x would change the log to
auditlog.hostname.346). Whenever an auditlog is closed, it is also
compressed (by /usr/ucb/compress).
-z Starts the audit daemon on a system that is not configured for audit.
The -z option first removes any AF_UNIX socket left behind by a previous
daemon, as can happen when the system shuts down abnormally. If no
AF_UNIX socket is present, the next invocation of auditd starts the
audit daemon; if a socket is present, the next invocation instead
spawns a client process that communicates with the system audit daemon
through it, so a stale socket prevents a new daemon from starting. Use
-z only when no audit daemon is present on the system.
Network
-n kbytes
Sets the size, in kilobytes, of the audit daemon's buffer for the audit
data (minimum is 4).
-s Toggles the network server switch. If on, allows the audit daemon to
accept audit data from other audit daemons whose host names are
specified in the /etc/sec/auditd_clients file.
-t timeout_value
Sets the timeout value used in establishing initial connections with
remote audit daemons.
-u Instructs the client audit daemon not to require acknowledgement from
the server (the machine collecting audit data) for the receipt of audit
data sent over the network. The -u option is used for compatibility
with servers that are running versions of Tru64 UNIX prior to Version
4.0D.
Overflow Control
-f percentage
Sets the minimum percent free space on the current partition before an
overflow condition is triggered.
-o action
Sets the action that auditd takes on an overflow condition. The
following actions are available for the -o option:
changeloc
Change to the next directory or host machine (auditd on the
host machine determines the path) as specified in the
/etc/sec/auditd_loc file.
suspend Suspend auditing.
overwrite
Overwrite the current audit log file. This action causes the
loss of previously logged audit data.
kill Terminates the audit daemon.
halt Immediately halts the system by doing a reboot.
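The following script is an added example; it is not part of the auditd(8) man page or of Tru64 UNIX. It covers the two settings above that an administrator most often gets wrong: the -d interval (the n[wdhms] format, including the page's 1d12h case and the special 0s meaning "disable") and the -f/-o overflow settings, whose wrong choice either discards audit data (overwrite) or stops auditing (suspend). The interval format and the -o action names come from the text above; the function names freq_to_seconds, check_overflow_action and build_auditd_cmd, the 0..100 bound on -f, and the dry-run wrapper that only prints the command are this example's own assumptions.

```shell
#!/bin/sh
# Added example; not part of the auditd(8) man page or of Tru64 UNIX.
# Validates a -d flush interval and the -f/-o overflow settings before they
# reach the daemon and prints the command line that would apply them.
# Assumed: -f is a whole-number percentage 0..100; helper names are our own.

# freq_to_seconds SPEC: print the number of seconds a -d interval such as
# 1d12h stands for. Returns 1 on a malformed spec (missing unit, unknown
# letter, empty string) so that a bad interval is never passed through.
freq_to_seconds() {
    spec=$1
    total=0
    case "$spec" in
        ''|*[!0-9wdhms]*) return 1 ;;   # only digits and the five unit letters
    esac
    rest=$spec
    while [ -n "$rest" ]; do
        num=${rest%%[wdhms]*}               # digits before the next unit letter
        unit_rest=${rest#"$num"}            # unit letter plus whatever follows
        unit=${unit_rest%"${unit_rest#?}"}  # first character of unit_rest
        rest=${unit_rest#?}
        case "$num" in ''|*[!0-9]*) return 1 ;; esac   # a unit with no count
        num=${num#"${num%%[!0]*}"}          # strip leading zeros: 08 is not octal
        [ -n "$num" ] || num=0
        case "$unit" in
            w) mult=604800 ;;
            d) mult=86400 ;;
            h) mult=3600 ;;
            m) mult=60 ;;
            s) mult=1 ;;
            *) return 1 ;;                  # trailing digits with no unit
        esac
        total=$((total + num * mult))
    done
    printf '%s\n' "$total"    # 0 corresponds to "-d 0s": periodic dump disabled
}

# check_overflow_action ACTION: succeed if ACTION is one auditd accepts for
# -o. The two actions that lose or stop audit data get a warning on stderr;
# the caller decides whether that is acceptable.
check_overflow_action() {
    case "$1" in
        changeloc|kill|halt) return 0 ;;
        overwrite)
            echo "warning: -o overwrite discards previously logged audit data" >&2
            return 0 ;;
        suspend)
            echo "warning: -o suspend stops auditing on overflow" >&2
            return 0 ;;
        *) return 1 ;;
    esac
}

# build_auditd_cmd FREQ PERCENT ACTION: print the auditd invocation that
# applies the three settings, or return 1 if any of them is invalid.
build_auditd_cmd() {
    freq_to_seconds "$1" >/dev/null || return 1
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" -le 100 ] || return 1
    check_overflow_action "$3" || return 1
    printf '/usr/sbin/auditd -d %s -f %s -o %s\n' "$1" "$2" "$3"
}

# Dry run with the man page's own 36-hour example; nothing is sent to auditd.
build_auditd_cmd 1d12h 10 changeloc
```

The printed line is the command an administrator would then run (or the auditd -w output they would expect to see afterwards). The parser rejects an interval with trailing digits and no unit, so a typo such as "-d 12" cannot silently become something other than the intended interval.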
DESCRIPTION
The audit daemon, auditd, operates as a server, monitoring /dev/audit for
local audit data, monitoring a known port for data from remote cooperating
audit daemons, and monitoring an AF_UNIX socket for input from the system
administrator.
Local audit data is collected from the /dev/audit device and is written to
the auditlog when the buffer nears capacity or when the daemon receives an
explicit instruction from the administrator to flush its buffer.
Local administrative data is read via the socket /dev/.audit/audS. Input
from the system administrator allows the daemon's configurable options to
be changed. The administrator communicates with the audit daemon by
executing auditd with the desired options. The first invocation of auditd
spawns the daemon; subsequent invocations detect that an audit daemon
already exists and communicate with it, passing along directions for the
selected options. The first invocation of the daemon also turns on auditing
for the system (audcntl(2)). When the daemon is terminated, by the -k option
or the SIGTERM signal, auditing is turned off.
It is important not to have system auditing turned on when no audit daemon
is running on the system, because processes being audited will sleep on
resources under the control of the audit system.
Remote audit data is first detected when a client (remote) audit daemon
attempts to communicate with the server (local) audit daemon. To establish
a communications path between the client and the server daemons, the
client's host name is first checked against a list of hosts allowed to
transmit data to the server. This list is maintained on the server in
/etc/sec/auditd_clients. If the client is allowed to transfer audit data to
the server, a child audit daemon dedicated to communicating with that
client is spawned.
Any data transferred from the client to the server is acknowledged (ack'ed)
by the server. If the data transfer fails, the client follows its
"overflow" option. For communication with servers on systems prior to
Version 4.0D, the client must use the -u option, because data
acknowledgment was not used on earlier systems.
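The script below is an added example and is not part of the auditd(8) man page or of Tru64 UNIX. It reproduces the admission decision described above (is the connecting client's host name listed in /etc/sec/auditd_clients?) and adds the check an administrator wants before trusting that list: a file that other users can write lets them add their own host and push arbitrary records into the audit log. The page does not document the file's layout, so this example assumes one host name per line with '#' comments and blank lines allowed, an exact case-sensitive comparison, and a constructed copy of the file under /tmp so that it runs on any system. The function names allowlist_is_safe and client_allowed are this example's own.

```shell
#!/bin/sh
# Added example; not part of the auditd(8) man page or of Tru64 UNIX.
# Server-side admission check for a remote audit daemon, plus a permission
# check on the allow list itself. File layout and comparison rule are assumed.

CLIENTS_FILE=${CLIENTS_FILE:-/tmp/auditd_clients.example}

# Constructed sample allow list (example data, not a real configuration).
cat > "$CLIENTS_FILE" <<'EOF'
# hosts allowed to ship audit data to this server
dbhost1
webhost2.example.com   # fully qualified, so a bare "webhost2" will not match

EOF
chmod 644 "$CLIENTS_FILE"

# allowlist_is_safe FILE: succeed only if FILE exists and neither group nor
# others may write it. The mode string comes from ls so that the check works
# with both GNU and BSD userlands.
allowlist_is_safe() {
    [ -e "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10) || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;   # group write (col 6) or other write (col 9)
        *) return 0 ;;
    esac
}

# client_allowed NAME: succeed if NAME appears in the allow list. The list is
# refused outright when it is writable by others, since its contents could
# then not be trusted.
client_allowed() {
    name=$1
    allowlist_is_safe "$CLIENTS_FILE" || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                # drop comments
        line=$(printf '%s' "$line" | tr -d ' \t')       # drop blanks
        [ -n "$line" ] || continue
        [ "$line" = "$name" ] && return 0
    done < "$CLIENTS_FILE"
    return 1
}

# Demonstration of the decision the server makes for three connecting names.
for host in dbhost1 webhost2 webhost2.example.com; do
    if client_allowed "$host"; then
        echo "$host: accepted, a child audit daemon would be spawned"
    else
        echo "$host: rejected"
    fi
done
```

The webhost2 case shows the practical caveat of a name-based allow list: the entry must match the name form under which the client is identified when it connects, and the whole scheme is only as strong as the name lookup and the permissions on the file.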
The audit daemon can be terminated by using either of the following
pairs of commands:
# rcmgr -c delete AUDITMASK_FLAG
# rcmgr -c delete AUDITD_FLAG
or
# auditmask [-cluster] -n
# auditd [-cluster] -dk
Running auditd in a Cluster
The auditd daemon runs on each member of a cluster and logs to a common
/var/audit directory by default. Audit log files now include the host name
to prevent file name overlap. The -cluster option can be used to modify
each active member of a cluster. Restrictions are noted in the -cluster
flag's description. When reading a file with the -cluster option, make sure
the file is visible to each cluster member.
FILES
/etc/sec/auditd_clients
/etc/sec/auditd_loc
/var/audit/auditlog.hostname.nnn
/etc/rc.config.common
SEE ALSO
Commands: auditconfig(8)
Functions: audcntl(2)
Files: audit(7)