|AUDITD(8)||System Administration Utilities||AUDITD(8)|
auditd - The Linux Audit daemon
auditd [-f] [-l] [-n] [-s disable|enable|nochange] [-c <config_dir>]
auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities. Configuring the audit system or loading rules is done with the auditctl utility. During startup, the rules in /etc/audit/audit.rules are read by auditctl and loaded into the kernel. Alternately, there is also an augenrules program that reads rules located in /etc/audit/rules.d/ and compiles them into an audit.rules file. The audit daemon itself has some configuration options that the admin may wish to customize. They are found in the auditd.conf file.
/etc/audit/auditd.conf - configuration file for audit daemon
/etc/audit/audit.rules - audit rules to be loaded at startup
/etc/audit/rules.d/ - directory holding individual sets of rules to be compiled into one file by augenrules.
/etc/audit/plugins.d/ - directory holding individual plugin configuration files.
/var/run/auditd.state - report about internal state.
A boot param of audit=1 should be added to ensure that all processes that run before the audit daemon starts is marked as auditable by the kernel. Not doing that will make a few processes impossible to properly audit.
The audit daemon can receive audit events from other audit daemons via the audisp-remote plugin. The audit daemon may be linked with tcp_wrappers to control which machines can connect. If this is the case, you can add an entry to hosts.allow and deny.
auditd.conf(5), auditd-plugins(5), ausearch(8), aureport(8), auditctl(8), augenrules(8), audit.rules(7).
|Sept 2013||Red Hat|