Audit Startup

Auditing is enabled by starting up the audit daemon, (see the auditd(1M) man page). This can be done manually be executing /usr/sbin/auditd as root.

The existence of a file with the path name /etc/security/audit_startup causes the audit daemon to be run automatically when the system enters multiuser mode. The file is actually an executable script that is invoked as part of the startup sequence just prior to the execution of the audit daemon (see the audit_startup(1M) man page). A default audit_startup script that automatically configures the event to class mappings and sets the audit policies is set up during the BSM package installation.

Previous: More on Auditing
Next: Audit Classes and Events