audit – linux man page
audit – subsystem
USAGE
audit
DESCRIPTION
The audit daemon auditd(8) uses the device file audit to collect audit
records generated by the kernel and to modify the settings of the
audit-subsystem.
Data can be read by calling read(2) on the device file after registering
as audit daemon with the audit-subsystem.
It is typically created by:
mknod -m 600 /dev/audit c 10 224
chown root.root /dev/audit
IOCTL COMMANDS
The audit-subsystem recognizes and accepts the following ioctl(2)
commands.
AUIOCIAMAUDITD
Register current process as audit daemon.
AUIOCATTACH
Attach current process to audit-subsystem.
AUIOCDETACH
Detach current process from audit-subsystem.
AUIOCSUSPEND
Suspend auditing.
AUIOCRESUME
Resume auditing.
AUIOCCLRPOLICY
Clear policy.
AUIOCCLRFILTER
Clear filter.
AUIOCSETFILTER
Set filter.
AUIOCSETPOLICY
Set policy.
AUIOCSETAUDITID
Set audit-id.
AUIOCLOGIN
Login message, used by services that authenticate users.
AUIOCUSERMESSAGE
User message, used by trusted programs to send log messages to
the audit-subsystem.
PROC FILESYSTEM
The run-time behavior of the kernel-based audit-subsystem can be
configured through the files in /proc/sys/dev/audit/. The following files
exist:
allow-suspend
A boolean value (0, 1) that controls whether the audit-subsystem may
be suspended. Default is 1.
attach-all
A boolean value (0, 1). If set to 1, the audit-subsystem attaches
every process that is started hereafter. Default is 0.
debug Debugging enabled (1) or disabled (0). Default is 0.
max-messages
Maximum number of messages to buffer in the kernel. Default is
1024.
paranoia
A numerical value describing the level of race-condition checking:
0 no race-condition checks
1 copy arguments from user-space to a kernel buffer
2 prevent other system-calls from entering the kernel
while a system-call that requires path-name matching is
executing
Default is 1.
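The following script is an added example written for this page; it is not part of LAuS or auditd. It checks two things the page documents: that /dev/audit is the root-owned, mode 600 character device 10:224 created by the mknod/chown commands above, and that the /proc/sys/dev/audit tunables are present and not set in a way that weakens auditing. The device numbers, mode and defaults are taken from the page; the function names and the judgement of which tunable values count as weak (allow-suspend=1, paranoia=0, debug=1, a max-messages buffer below the default) are this example's own assumptions.

```python
"""Check a LAuS-style /dev/audit node and the /proc/sys/dev/audit tunables
against the setup documented in the audit(4) man page.

Added example for this page; not part of LAuS or auditd.  Device numbers,
mode and defaults come from the man page; the choice of which settings are
flagged as risky is this example's assumption.
"""
import os
import stat

AUDIT_DEV = "/dev/audit"          # from: mknod -m 600 /dev/audit c 10 224
AUDIT_MAJOR, AUDIT_MINOR = 10, 224
AUDIT_PROC = "/proc/sys/dev/audit"

# Defaults documented in the PROC FILESYSTEM section of the man page.
DEFAULTS = {
    "allow-suspend": 1,
    "attach-all": 0,
    "debug": 0,
    "max-messages": 1024,
    "paranoia": 1,
}


def assess_device(st_mode, st_uid, major, minor):
    """Compare stat(2) values of the device node with the documented setup.

    Returns a list of findings; an empty list means the node matches
    'mknod -m 600 /dev/audit c 10 224' owned by root."""
    findings = []
    if not stat.S_ISCHR(st_mode):
        findings.append("not a character device")
    if (major, minor) != (AUDIT_MAJOR, AUDIT_MINOR):
        findings.append("device numbers %d:%d, expected %d:%d"
                        % (major, minor, AUDIT_MAJOR, AUDIT_MINOR))
    perm = stat.S_IMODE(st_mode)
    if perm != 0o600:
        findings.append("mode %o, expected 600 (only root may read records)" % perm)
    if st_uid != 0:
        findings.append("owner uid %d, expected root" % st_uid)
    return findings


def check_device(path=AUDIT_DEV):
    """stat the real node and assess it; a missing node is itself a finding."""
    try:
        st = os.stat(path)
    except OSError:
        return ["%s is missing or unreadable" % path]
    return assess_device(st.st_mode, st.st_uid,
                         os.major(st.st_rdev), os.minor(st.st_rdev))


def parse_tunables(raw):
    """raw maps tunable name -> file contents as read from /proc.
    Returns the integer value of every documented tunable that is present."""
    values = {}
    for name in DEFAULTS:
        if name in raw:
            values[name] = int(raw[name].strip())
    return values


def read_tunables(base=AUDIT_PROC):
    """Read the documented tunables from the running kernel, if present."""
    raw = {}
    for name in DEFAULTS:
        try:
            with open(os.path.join(base, name)) as f:
                raw[name] = f.read()
        except OSError:
            pass                      # not a LAuS kernel, or file absent
    return parse_tunables(raw)


def assess_tunables(values):
    """Flag settings that weaken auditing.  Which values count as weak is
    this example's assumption, reasoned from the man page descriptions."""
    findings = []
    missing = [n for n in DEFAULTS if n not in values]
    if missing:
        findings.append("tunables not present: " + ", ".join(missing))
    if values.get("allow-suspend") == 1:
        findings.append("allow-suspend=1: auditing can be suspended (AUIOCSUSPEND)")
    if values.get("paranoia") == 0:
        findings.append("paranoia=0: no race-condition checks on path-name matching")
    if values.get("debug") == 1:
        findings.append("debug=1: kernel debugging output enabled")
    if "max-messages" in values and values["max-messages"] < DEFAULTS["max-messages"]:
        findings.append("max-messages=%d: smaller buffer than the default %d"
                        % (values["max-messages"], DEFAULTS["max-messages"]))
    return findings


if __name__ == "__main__":
    for finding in check_device():
        print("device:", finding)
    for finding in assess_tunables(read_tunables()):
        print("tunable:", finding)
```

Run as root on a LAuS kernel the script reports every deviation from the documented node and any tunable that relaxes auditing; on any other kernel it reports the device and tunables as absent, which is the expected result there. Note that the page's default allow-suspend=1 is itself flagged, since with that default any process able to issue AUIOCSUSPEND can stop record collection.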
FILES
/dev/audit
SEE ALSO
laus(7), audit(8)
AUTHORS
auditd was written by Olaf Kirch