auditd Daemon

The following list summarizes the tasks of the auditd daemon:

• Opens and closes audit files in the directories that are specified in the audit_control file. The files are opened in order of mention.

• Loads one or more plugins. Sun provides two plugins. The audit_binfile.so plugin writes binary audit data to a file. The audit_syslog.so plugin delivers selected text summaries of audit records to the syslog log

• Reads audit data from the kernel and outputs the data by using an auditd plugin.

• Executes the audit_warn script to warn of various conditions. The binfile.so plugin executes the audit_warn script. The script, by default, sends warnings to the audit_warn email alias and to the console. The syslog.so plugin does not execute the audit_warn script.

• By default, when all audit directories are full, processes that generate audit records are suspended. In addition, the auditd daemon writes a message to the console and to the audit_warn email alias. At this point, only the system administrator can fix the audit service. The administrator can log in to write audit files to offline media, delete audit files from the system, and do other cleanup tasks.

  The audit policy can be reconfigured with the auditconfig command.

The auditd daemon can be started automatically when the system is booted into multiuser mode. Or, you can start the daemon from the command line. When the auditd daemon is started, it calculates the amount of free space that is necessary for audit files.

The auditd daemon uses the list of audit directories in the audit_control file as possible locations for creating audit files. The daemon maintains a pointer into this list of directories, starting with the first directory. Every time the auditd daemon needs to create an audit file, the daemon puts the file into the first available directory in the list. The list starts at the auditd daemon's current pointer. You can reset the pointer to the beginning of the list by running the audit -s command. The audit -n command instructs the daemon to switch to a new audit file. The new file is created in the same directory as the current file.