  auditd(8)                           CLIX                           auditd(8)



  NAME

    auditd - Starts the audit logging and report generation daemon

  SYNOPSIS

    auditd [-rRdvh] [-c file] [-u size] [-i event] [-e event]

  FLAGS

    -h         Invokes help.

    -r         Dumps audit records in raw format.  This is useful if further
               post processing is desired on the audit data.

    -R         Only logs accesses made by remote users.  The default is to log
               all accesses whether made by local or remote users.

    -v         Enables verbose mode.

    -d         Runs the process as a daemon in the background.

    -c file    Specifies a file other than /dev/audit from which to read audit
               records.  This is most useful for ``cooking'' previously
               generated ``raw'' audit records.  This flag will not work with
               the -d flag.

    -u size    Sets the maximum size of any files created by the audit daemon.
               The default is 100,000 disk blocks.  If this size is exceeded,
               no warning is given and the file is truncated to that size.

    -i event   Includes in the output only the listed events.  Allowable
               events are open, link, unlink, exec, mount, and umount.  This
               flag cannot be used with the -e flag.

    -e event   Excludes from the output the listed events.  Allowable events
               are open, link, unlink, exec, mount, and umount.  This flag
               cannot be used with the -i flag.

  DESCRIPTION

    The auditd command starts the audit logging and report generation daemon.
    Invoking auditd with no arguments initializes auditing on the system and
    sends an audit report to stdout.  The audit records produced are English
    text.  This behavior can be modified by using the flags above.  The
    function of auditd can also be changed by using a configuration file,
    /usr/adm/auditd.rc.  (See the auditd file format for more information.)

  EXAMPLES

    1.  To invoke auditd and produce an output file, enter the following:



  2/94 - Intergraph Corporation                                              1
        /etc/auditd -d > /usr/adm/adt/adt.log

        This saves the ASCII output of the audit daemon to a file.

    2.  To produce audit records in raw data format, enter the following:

        /etc/auditd -r | compress > /dev/rmt/mt6

        This generates a raw version of the audit log and saves it to tape in
        compressed format.
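    The flag rules given under FLAGS (allowable event names, -i exclusive of
    -e, -c exclusive of -d), as an added shell example that is not part of
    the CLIX manual: a POSIX sh function that assembles an auditd command
    line and refuses invalid combinations with the same value (1) the daemon
    exits with for argument problems.  It assumes -i/-e are repeated once per
    event, which the manual does not state, and it never invokes /etc/auditd.

```shell
#!/bin/sh
# Added example, not from the CLIX manual: build and validate an auditd(8)
# argument list from the rules on this page.  Only prints the command line.

# Allowable event names for -i / -e, as listed under FLAGS.
AUDITD_EVENTS="open link unlink exec mount umount"

# auditd_event_ok NAME -> 0 if NAME is an allowable event, 1 otherwise
auditd_event_ok() {
    for ev in $AUDITD_EVENTS; do
        [ "$1" = "$ev" ] && return 0
    done
    return 1
}

# auditd_cmdline MODE EVENT_LIST DAEMON RAWFILE
#   MODE       : "include" (-i), "exclude" (-e) or "" (neither)
#   EVENT_LIST : comma-separated events; ignored when MODE is ""
#   DAEMON     : "yes" to add -d
#   RAWFILE    : path for -c, or "" to read the default /dev/audit
# Prints the command line on success; returns 1 on a bad combination.
auditd_cmdline() {
    mode=$1; events=$2; daemon=$3; rawfile=$4
    args=""
    # -c (cook a raw file) and -d (run as daemon) cannot be combined.
    if [ -n "$rawfile" ] && [ "$daemon" = "yes" ]; then
        echo "auditd: -c cannot be used with -d" >&2; return 1
    fi
    [ "$daemon" = "yes" ] && args="$args -d"
    [ -n "$rawfile" ] && args="$args -c $rawfile"
    case "$mode" in
        include) flag=-i ;;
        exclude) flag=-e ;;
        "")      flag="" ;;
        *) echo "auditd: mode must be include or exclude" >&2; return 1 ;;
    esac
    if [ -n "$flag" ]; then
        [ -n "$events" ] || { echo "auditd: $flag needs an event" >&2; return 1; }
        # Assumption: the flag is repeated once per event name.
        for ev in $(echo "$events" | tr ',' ' '); do
            auditd_event_ok "$ev" || {
                echo "auditd: unknown event '$ev'" >&2; return 1; }
            args="$args $flag $ev"
        done
    fi
    echo "/etc/auditd${args}"
}
```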

  FILES

    /dev/audit          Audit trail device.

    /usr/adm/auditd.rc  Auditd configuration file.

  DIAGNOSTICS

    If auditd is invoked by any user other than root, the command fails with
    the message:  Audit device open failed.

    The message ``record read insane'' appears if a ``raw'' audit trail file
    is being converted to ASCII and an end-of-file occurs.  It can also appear
    if the read of the file gets out of sync.

  EXIT VALUES

    The auditd command exits with a value of 1 if there is a problem with the
    command line arguments.  It exits with a value of 2 if there is a problem
    reading or translating the configuration file.  The auditd command exits
    with a value of -1 if there is a problem reading /dev/audit.

  RELATED INFORMATION

    Commands: auditr(8)

    Files: adt(7)
