Unix‎ > ‎Solaris‎ > ‎Solaris man pages‎ > ‎1m‎ > ‎


     auditd - audit daemon


     The audit daemon, auditd, controls the generation and  loca-
     tion  of audit trail files and the generation of syslog mes-
     sages based  on  the  definitions  in  audit_control(4).  If
     auditing  is enabled, auditd reads the audit_control(4) file
     to do the following:

         o    reads the path to a  library  module  for  realtime
              conversion of audit data into syslog messages;

         o    reads other parameters  specific  to  the  selected
              plugin or plugins;

         o    obtains a list  of  directories  into  which  audit
              files can be written;

         o    obtains the percentage limit for how much space  to
              reserve  on  each filesystem before changing to the
              next directory.

     audit(1M) is used to control auditd. It can cause auditd to:

         o    close the current audit file and open a new one;

         o    close   the    current    audit    file,    re-read
              /etc/security/audit_control  and  open  a new audit

         o    close the audit trail and terminate auditing.

  Auditing Conditions
     The audit daemon invokes the  program  audit_warn(1M)  under
     the following conditions with the indicated options:

     audit_warn soft pathname

         The file system upon which pathname resides has exceeded
         the    minimum    free    space    limit    defined   in
         audit_control(4).  A new audit trail has been opened  on
         another file system.

     audit_warn allsoft

         All available file systems have been filled  beyond  the
         minimum  free  space  limit.  A new audit trail has been
         opened anyway.

     audit_warn hard pathname

         The file system upon which pathname resides  has  filled
         or for some reason become unavailable. A new audit trail
         has been opened on another file system.

     audit_warn allhard count

         All available file systems have been filled or for  some
         reason  become unavailable. The audit daemon will repeat
         this call to audit_warn at intervals of at least  twenty
         seconds  until  space  becomes  available.  count is the
         number of times that audit_warn has  been  called  since
         the problem arose.

     audit_warn ebusy

         There is already an audit daemon running.

     audit_warn tmpfile

         The file /etc/security/audit/audit_tmp exists,  indicat-
         ing a fatal error.

     audit_warn nostart

         The internal  system  audit  condition  is  AUC_FCHDONE.
         Auditing cannot be started without rebooting the system.

     audit_warn auditoff

         The internal system audit condition has been changed  to
         not be AUC_AUDITING by someone other than the audit dae-
         mon. This causes the audit daemon to exit.

     audit_warn postsigterm

         An error occurred during the  orderly  shutdown  of  the
         auditing system.

     audit_warn getacdir

         There is a  problem  getting  the  directory  list  from

         The audit daemon will hang in a sleep  loop  until  this
         file is fixed.



     See attributes(5) for descriptions of the  following  attri-

    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    | Availability                | SUNWcsu                     |
    | Interface Stability         | Evolving                    |

     audit(1M), audit_warn(1M), bsmconv(1M),  praudit(1M),  audi-
     ton(2),    auditsvc(2),    audit.log(4),   audit_control(4),
     audit_data(4), attributes(5)

     See the section on Solaris Auditing in System Administration
     Guide: Security Services.

     The functionality described in this man  page  is  available
     only  if  the Solaris Auditing feature has been enabled. See
     bsmconv(1M) for more information.

     auditd is loaded in the global zone at boot time if auditing
     is enabled. See bsmconv(1M).

     If the audit policy perzone is  set,  auditd  runs  in  each
     zone, starting automatically when the local zone boots. If a
     zone is running when the perzone  policy  is  set,  auditing
     must be started manually in local zones. It is not necessary
     to reboot the system or the local zone to start auditing  in
     a  local  zone.  auditd can be started with "/usr/sbin/audit
     -s" and will start automatically with future  boots  of  the

     When auditd runs in a local zone, the configuration is taken
     from  the  local  zone's  /etc/security  directory's  files:
     audit_control, audit_class, audit_user,  audit_startup,  and

     Configuration changes do not affect audit sessions that  are
     currently  running, as the changes do not modify a process's
     preselection mask. To change the preselection mask on a run-
     ning  process,  use  the -setpmask option of the auditconfig
     command (see auditconfig(1M)). If the user logs out and logs
     back  in, the new configuration changes will be reflected in
     the next audit session.

Man pages from Solaris 10 Update 8. See docs.sun.com and www.oracle.com for further documentation and Solaris information.