Service Name
auditd
Description
auditd is the userspace component to the Linux Auditing System. It’s responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities. Configuring the audit rules is done with the auditctl utility. During startup, the rules in /etc/audit.rules are read by auditctl. The audit daemon itself has some configuration options that the admin may wish to customize. They are found in the auditd.conf file.
The Linux Auditing System provides kernel-resident logging of system calls and user space tools to collect and view the logs. The auditd daemon writes the logging records to disk. auditd is configurable to allow control over what information is written to the logs.
Why should you keep auditd running?
The information in the log may prove useful in debugging security-related issues. For example, auditd is used to log SELinux events. There are also utilities such as aureport that enable you to view the audit log.
Service Detail
Init.d script location
/etc/init.d/auditd
chkconfig output sample
# chkconfig --list auditd
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Available service usage options
# service auditd
Usage: /etc/init.d/auditd {start|stop|status|restart|condrestart|reload|rotate}
To start the service:
# service auditd start
Starting auditd: [ OK ]
To stop the service:
# service auditd stop
Stopping auditd: [ OK ]
To check the status of the service:
# service auditd status
auditd (pid 8951) is running...
To restart the service:
# service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
To conditionally restart the service:
# service auditd condrestart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
To reload the service:
# service auditd reload
Reloading configuration: [ OK ]
To rotate the logs:
# service auditd rotate
Rotating logs: [ OK ]
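The chkconfig and status output shown above can be checked by a script rather than by eye. The following is an added example, not part of the original page: it reports any of runlevels 2-5 in which auditd is not "on" and any status line that does not show a running pid. The function names and the "auditd is stopped" sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Sample lines below are constructed.

# Print the multi-user runlevels (2-5) in which a chkconfig line is not "on".
auditd_disabled_runlevels() {
    line=" $(printf '%s' "$1" | tr '\t' ' ') "   # chkconfig separates fields with tabs
    missing=""
    for rl in 2 3 4 5; do
        case "$line" in
            *" $rl:on "*) ;;                      # enabled in this runlevel
            *) missing="$missing $rl" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Succeed only if the status line reports a running daemon with a pid.
auditd_is_running() {
    case "$1" in
        "auditd (pid "*") is running"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combine both checks; print findings and return non-zero on any gap.
check_auditd() {
    rc=0
    off=$(auditd_disabled_runlevels "$1")
    if [ -n "$off" ]; then
        echo "FAIL: auditd not enabled in runlevel(s): $off"
        rc=1
    fi
    if ! auditd_is_running "$2"; then
        echo "FAIL: auditd is not running: $2"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: auditd enabled in runlevels 2-5 and running"
    return "$rc"
}

# Constructed samples; on a live host pass the real command output instead:
#   check_auditd "$(chkconfig --list auditd)" "$(service auditd status)"
check_auditd "auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off" "auditd (pid 8951) is running..."
check_auditd "auditd 0:off 1:off 2:on 3:off 4:on 5:off 6:off" "auditd is stopped" || true
```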
Which daemons does it run
/sbin/auditd
Which modules does it load
audit-libs
audit-libs-python
Other Information
RPM packages
audit-[version]-[release]
audit-libs-[version]-[release]
audit-libs-python-[version]-[release]
Configuration files
/etc/audit/audit.rules - audit rules to be loaded at startup
/etc/audit/auditd.conf - configuration file for audit daemon
/etc/sysconfig/auditd - additional configuration file