Trusted Solaris Audit Administration

How the Audit Trail Is Created

The audit trail is created by the audit daemon, auditd(1M). The audit daemon starts on each workstation when the workstation is booted. Once running, auditd collects the audit records that the kernel generates and writes them into audit files, which are also called audit log files. See the audit.log(4) man page for a description of the binary record and token format used in those files.
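The records auditd writes are the binary, big-endian BSM records described in audit.log(4): a header token, a sequence of body tokens, and a trailer whose size field must match the header. The parser below is an added example, not code from the Trusted Solaris documentation or product; it assumes the classic BSM token layouts (header32 0x14, subject32 0x24, return32 0x27, path 0x23, text 0x28, trailer 0x13 with magic 0xB105) and handles only those tokens. Trusted Solaris records also carry label and privilege tokens, which this parser refuses with an error rather than guessing at their length. The sample trail, the `build_record`/`*_token` helpers and the `privileged_executions` check are constructed for the example.

```python
"""Parse BSM binary audit records in the audit.log(4) layout (added example)."""
import struct

# Token IDs and constants (assumption: classic Solaris BSM values, also used by OpenBSM)
AUT_TRAILER = 0x13
AUT_HEADER32 = 0x14
AUT_PATH = 0x23
AUT_SUBJECT32 = 0x24
AUT_RETURN32 = 0x27
AUT_TEXT = 0x28
TRAILER_MAGIC = 0xB105
HEADER_LEN = 18   # id(1) size(4) version(1) event(2) modifier(2) sec(4) msec(4)
TRAILER_LEN = 7   # id(1) magic(2) size(4)


def _string_token(buf, pos):
    # text/path tokens carry a 2-byte length that includes the trailing NUL
    (length,) = struct.unpack_from(">H", buf, pos + 1)
    raw = buf[pos + 3:pos + 3 + length]
    if len(raw) != length:
        raise ValueError("truncated string token at offset %d" % pos)
    return raw.rstrip(b"\0").decode("ascii"), pos + 3 + length


def parse_record(buf, offset=0):
    """Parse one record at buf[offset]; return (record, offset of the next record)."""
    if buf[offset] != AUT_HEADER32:
        raise ValueError("expected header32 token at offset %d" % offset)
    size, version, event, modifier, sec, msec = struct.unpack_from(">IBHHII", buf, offset + 1)
    end = offset + size
    if end > len(buf):
        raise ValueError("record claims %d bytes, only %d available" % (size, len(buf) - offset))
    record = {"version": version, "event": event, "modifier": modifier,
              "time": sec + msec / 1000.0, "tokens": []}
    pos = offset + HEADER_LEN
    while pos < end - TRAILER_LEN:
        tid = buf[pos]
        if tid == AUT_SUBJECT32:
            names = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "port", "machine")
            record["tokens"].append(("subject", dict(zip(names, struct.unpack_from(">9I", buf, pos + 1)))))
            pos += 1 + 36
        elif tid == AUT_RETURN32:
            err, val = struct.unpack_from(">BI", buf, pos + 1)
            record["tokens"].append(("return", {"error": err, "value": val}))
            pos += 1 + 5
        elif tid in (AUT_TEXT, AUT_PATH):
            text, pos = _string_token(buf, pos)
            record["tokens"].append(("text" if tid == AUT_TEXT else "path", text))
        else:
            # Unknown tokens (e.g. Trusted Solaris label tokens) are not self-sizing: stop, do not resync.
            raise ValueError("unsupported token id 0x%02x at offset %d" % (tid, pos))
    tid, magic, tsize = struct.unpack_from(">BHI", buf, end - TRAILER_LEN)
    if tid != AUT_TRAILER or magic != TRAILER_MAGIC or tsize != size:
        raise ValueError("bad trailer at offset %d: record corrupt or truncated" % (end - TRAILER_LEN))
    return record, end


def parse_trail(buf):
    """Parse every record in a buffer, raising ValueError on the first damaged one."""
    records, pos = [], 0
    while pos < len(buf):
        rec, pos = parse_record(buf, pos)
        records.append(rec)
    return records


# --- constructed-sample builders (example helpers, not a Solaris API) -----------------
def build_record(event, modifier, sec, msec, tokens):
    body = b"".join(tokens)
    size = HEADER_LEN + len(body) + TRAILER_LEN
    header = struct.pack(">BIBHHII", AUT_HEADER32, size, 2, event, modifier, sec, msec)
    return header + body + struct.pack(">BHI", AUT_TRAILER, TRAILER_MAGIC, size)


def subject_token(auid, euid, egid, ruid, rgid, pid, sid, port=0, machine=0):
    return struct.pack(">B9I", AUT_SUBJECT32, auid, euid, egid, ruid, rgid, pid, sid, port, machine)


def return_token(error, value):
    return struct.pack(">BBI", AUT_RETURN32, error, value)


def path_token(path):
    data = path.encode("ascii") + b"\0"
    return struct.pack(">BH", AUT_PATH, len(data)) + data


# Constructed sample trail: two execve records (event 23 is AUE_EXECVE in the BSM event table).
# First: audit id 100 running with euid 0 succeeds; second: plain uid 100 fails with error 1.
SAMPLE_TRAIL = (
    build_record(23, 0, 1000000000, 250,
                 [subject_token(100, 0, 0, 100, 100, 4242, 4200), path_token("/usr/bin/id"), return_token(0, 0)])
    + build_record(23, 0, 1000000001, 0,
                   [subject_token(100, 100, 100, 100, 100, 4243, 4200), path_token("/usr/bin/su"),
                    return_token(1, 0xFFFFFFFF)])
)


def privileged_executions(trail):
    """Detection pass: (audit id, path) for records whose subject ran as euid 0 but was not audit id 0."""
    hits = []
    for rec in parse_trail(trail):
        tokens = dict(rec["tokens"])
        subj = tokens.get("subject")
        if subj and subj["euid"] == 0 and subj["auid"] != 0:
            hits.append((subj["auid"], tokens.get("path")))
    return hits


if __name__ == "__main__":
    for rec in parse_trail(SAMPLE_TRAIL):
        print(rec)
    print(privileged_executions(SAMPLE_TRAIL))
```

The trailer check matters in practice: a trail that was being written when the workstation went down ends in a partial record, and a parser that trusts the header size alone will read garbage from the next file rather than reporting the truncation.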

Figure 3-1 How Auditing Works


The audit daemon runs as root, and every file it creates is owned by root. Even when no audit classes are selected, auditd keeps running and looking for a place to put audit records, so that records have somewhere to go the moment auditing is turned on. When the kernel's audit buffers fill up, the processes that are generating audit records are suspended until space is freed, but auditd keeps operating and draining the buffers. It can do so because auditd itself is not audited: if its own activity generated audit records, it would block on the full buffers along with every other process and the workstation would deadlock. Whether processes are suspended or records are dropped and counted when the buffers are exhausted is governed by the cnt audit policy (see auditconfig(1M)); with the default policy of suspending, the only way out of a full-buffer condition is a running auditd with writable space for the trail.