Option description Possible values
-b
Sets max number of outstanding
buffer allowed. If all buffers are
exhausted, the failure flag is
checked.
Default is 64
-e
Sets enabled flag 0|1
-f
Sets failure flag silent, printk, panic
-r
Sets the rate of messages/second.
If 0 no rate is set. If > 0 and rate
exceeded, the failure flag is
checked.
Table 5-3: audictl control arguments
5.6.2.2 Operation
The audit framework operation consists of the following steps:
On kernel startup, if audit support was compiled into the kernel, the following are initialized:
1. The netlink socket is created.
2. Four lists that hold the filter rules in the kernel are initialized.
3. The audit_initialized flag is set to true.
4. The audit_enabled flag is set according to audit_default or to the boot parameter audit.
No syscall or file system auditing takes place without audit_enabled being set to true. The
audit_enabled flag can also be set from the command line using auditctl –e 1.
5. The file system auditing is initialized by creating the watch lists and the hash table for the file system
auditing.
auditd does the following on startup:
1. Registers its pid with the kernel, so that the kernel starts sending all audit events to the daemon (to
the netlink).
2. Enables auditing.
3. Opens the netlink socket, and spawns a thread that continuously waits on the condition of audit record
data availability on the netlink. Once the data is available, it signals the thread that writes out the
audit records.
4. Reads the /etc/auditd.conf configuration file, which holds the configuration parameters that
define, among other things, what to do when errors are encountered, or when the log files are full.
5. Usually, auditd is run by the /etc/init.d/auditd initialization script, which issues
auditctl –R /etc/audit.rules, if the file /etc/auditd.rules exists.
6. The auditctl command can be used at any time, even before auditd is running, to add and build
rules associated with possible actions for system calls and file system operations, as well as setting
the behavior of the audit subsystem in the kernel.
139