5.15 User-level audit subsystem
The main user-level audit components consist of the auditd daemon, the auditctl control program, the
libaudit library, the auditd.conf configuration file, and the auditd.rules initial setup file.
There is also the /etc/init.d/auditd init script that is used to start and stop auditd. When run, this
script sources another file, /etc/sysconfig/auditd, to set the locale, and to set the
AUDIT_CLEAN_STOP variable, which controls whether to delete the watch points and the filter rules when
auditd stops.
On startup, auditd reads the configuration file to set the various configuration options that pertain to the
daemon. Then, it reads the auditd.rules file to set the initial rules. The auditd.conf man page
describes all the configurable options. The auditctl man page lists all the supported control options.
5.15.1 Audit daemon
The auditd daemon does the following on startup:
1. Registers its pid with the kernel, so the kernel starts sending all audit events to the daemon (to the
netlink).
2. Enables auditing.
3. Opens the netlink socket, and spawns a thread that continuously waits on the condition of audit record
data availability on the netlink. Once the data is available it signals the thread, which writes out the
audit records.
4. Reads the /etc/auditd.conf configuration file, which holds the configuration parameters that
define, among other things, what to do when errors are encountered or when the log files are full.
5. Usually, the /etc/init.d/auditd init script runs auditd, which issues
auditctl –R /etc/audit.rules, if /etc/auditd.rules exists.
6. auditctl can be used at any time, even before auditd is running, to add and build rules
associated with possible actions for system calls and file system operations. It also sets the behavior
of the audit subsystem in the kernel.
7. If audit is enabled, the kernel intercepts the system calls and generates audit records according to the
filter rules. Or, it generates audit records for watches set on particular file system files or directories.
8. Trusted programs can also write audit records for security-relevant operations through the audit
netlink, and not directly to the audit log.
5.15.2 Audit utilities
In addition to the main components, the user level provides the ausearch search utility and the autrace
trace utility. While ausearch finds audit records based on different criteria from the audit log, autrace
audits all syscalls issued by the process being traced. The man pages for these two utilities detail all the
options that can be used. This section only describes how they operate.
5.15.2.1 aureport
The aureport utility provides summary information from audit log files. Use of aureport is restricted
to administrative users. For more information on the aureport utility, see the aureport(8) man page.
aureport typically follows these processing steps:
1. Sets the locale.
211