auditd
Audit system events for security tracking
TLDR
Start the daemon
Start the daemon in debug mode
Start the daemon on-demand from launchd
SYNOPSIS
auditd [-f|--foreground] [-l|--loglevel level] [-n|--nostart] [-s|--signal signal] [-v|--version] [-h|--help]
PARAMETERS
-f, --foreground
Starts the daemon in the foreground, rather than detaching and running in the background. Useful for debugging or when running under a process supervisor.
-l, --loglevel level
Sets the logging level for auditd. Valid levels typically include EMERG, ALERT, CRIT, ERR, WARNING, NOTICE, INFO, and DEBUG; each level in that order is more verbose than the one before it, so DEBUG produces the most output.
-n, --nostart
Performs syntax checks on configuration files but does not start the daemon. Useful for validating configurations before a full restart.
-s, --signal signal
Sends a specified signal to a running auditd daemon. Common signals include reload (for reloading configuration), rotate (for forcing log rotation), resume (for resuming logging), and suspend (for pausing logging).
-v, --version
Displays the version information of the auditd daemon and exits.
-h, --help
Displays a brief help message explaining command-line options and exits.
DESCRIPTION
auditd is the user-space daemon component of the Linux Audit system. Its primary role is to collect audit events generated by the Linux kernel's audit subsystem and write them to disk in log files. These events can include system calls, file access attempts (read, write, execute), network connections, user logins/logouts, changes to configuration files, and other security-relevant activities.
The daemon receives events from the kernel in real time, processes them, and writes them to a designated log file, typically /var/log/audit/audit.log. It is crucial for maintaining a comprehensive audit trail, which is essential for security monitoring, forensic analysis, compliance with regulatory standards (e.g., PCI DSS, HIPAA, SOX), and identifying potential security breaches or policy violations.
auditd works in conjunction with other tools like auditctl (to define audit rules for the kernel), and ausearch and aureport (to query and report on the collected log data). It is highly configurable via /etc/audit/auditd.conf, allowing administrators to define logging levels, log file rotation, and other operational parameters.
CAVEATS
Performance Impact: Extensive audit rules or high system activity can lead to noticeable performance overhead due to increased I/O and processing.
Configuration Complexity: Effective use requires careful configuration of audit rules via auditctl, which can be complex to master. Misconfigured rules can lead to excessive logging or missed critical events.
Log Management: Audit logs can grow very large rapidly. Proper log rotation (configured in auditd.conf or via logrotate) and archiving strategies are essential to prevent disk exhaustion.
Kernel Dependency: auditd relies on the Linux kernel's audit subsystem. If the kernel audit module is not loaded or properly configured, auditd will not function correctly.
Single Instance: Only one instance of auditd should run at a time to prevent conflicts and ensure consistent logging.
CONFIGURATION FILES
The primary configuration file for auditd is /etc/audit/auditd.conf. This file controls the daemon's operational parameters, such as the log file location, log format, log rotation policy, disk space warnings, and action to take upon disk full or kernel queue overflow. Audit rules, which dictate what events the kernel should monitor, are typically defined in /etc/audit/rules.d/audit.rules (or directly via auditctl). These rules are loaded by auditctl, usually at boot time, to configure the kernel's audit subsystem.
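Because the disk-full, disk-error and rotation actions in auditd.conf decide whether records are kept or silently dropped, it is worth checking them mechanically. The following is an added example, not code from the audit package: a small Python checker that parses a configuration in the /etc/audit/auditd.conf key = value format and reports settings that lose records or let the log exhaust the disk. Both configurations embedded in it are constructed samples, shown as a weak setting beside its corrected form.

```python
"""Flag auditd.conf settings that drop audit records or let the log fill the disk.

Added example, not part of the audit package. Keys and values follow the
/etc/audit/auditd.conf format; both sample configurations below are
constructed for illustration, not copied from a real host.
"""
from __future__ import annotations

# Constructed sample: every loss-related action left at IGNORE.
WEAK_CONF = """\
# auditd.conf (constructed sample, not from a real host)
log_file = /var/log/audit/audit.log
log_format = RAW
flush = none
max_log_file = 8
num_logs = 5
max_log_file_action = IGNORE
space_left = 75
space_left_action = IGNORE
admin_space_left = 50
admin_space_left_action = IGNORE
disk_full_action = IGNORE
disk_error_action = IGNORE
"""

# Constructed sample: the same host, corrected so that low disk space is
# reported before records are lost and the log is rotated instead of
# growing without bound.
HARDENED_CONF = """\
log_file = /var/log/audit/audit.log
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
"""


def parse_auditd_conf(text: str) -> dict[str, str]:
    """Return {key: value} for each 'key = value' line.

    Comment and blank lines are skipped. auditd matches values
    case-insensitively, so they are lowercased here for comparison.
    """
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip().lower()
    return conf


# (key, value that discards data or warnings, consequence)
LOSS_PRONE_SETTINGS = [
    ("max_log_file_action", "ignore",
     "the log grows until the disk is exhausted"),
    ("space_left_action", "ignore",
     "no warning when free space drops below space_left"),
    ("admin_space_left_action", "ignore",
     "no action when free space drops below admin_space_left"),
    ("disk_full_action", "ignore",
     "records are dropped once the log partition is full"),
    ("disk_error_action", "ignore",
     "write errors are swallowed and the records lost"),
    ("flush", "none",
     "buffered records are lost if the daemon or host crashes"),
]


def audit_config_findings(conf: dict[str, str]) -> list[str]:
    """Return one finding per setting that can lose records or exhaust disk."""
    findings: list[str] = []
    for key, bad_value, consequence in LOSS_PRONE_SETTINGS:
        if conf.get(key) == bad_value:
            findings.append(f"{key}={bad_value}: {consequence}")
    # ROTATE only rotates when at least two log files are kept.
    if conf.get("max_log_file_action") == "rotate":
        try:
            num_logs = int(conf.get("num_logs", "0"))
        except ValueError:
            num_logs = 0
        if num_logs < 2:
            findings.append(f"num_logs={num_logs}: rotation needs num_logs >= 2")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_config_findings(parse_auditd_conf(text)) or "no findings")
```

Run it against a copy of the real /etc/audit/auditd.conf by reading the file into parse_auditd_conf. SUSPEND is used in the corrected sample because it stops logging without taking the host down; sites that must never operate unaudited choose halt or single for disk_full_action and admin_space_left_action instead, and a checker for those sites should treat SUSPEND as a finding too.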
LOG FILES
By default, auditd writes audit events to /var/log/audit/audit.log. The log files are structured in a standardized format, with each event containing a unique event ID, timestamp, and various fields describing the audited activity (e.g., user, process, syscall, file path, success/failure). Proper management of these logs, including regular rotation, archiving, and offloading to a centralized log management system, is critical for security and compliance.
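ausearch and aureport are the supported way to query these logs, but seeing how the raw format is regrouped into events makes their output easier to interpret. The following is an added example, not code from the audit package: a Python parser that reads RAW-format records of the form type=... msg=audit(timestamp:serial): key=value ..., groups every record carrying the same timestamp:serial pair into one event, decodes a hex-encoded PROCTITLE field, and then runs two simple checks over the result (failed syscalls against a watched path, and login records). The log lines embedded in it are constructed, as are the paths, user IDs and address they contain.

```python
"""Regroup raw auditd records into events and run simple checks on them.

Added example, not part of the audit package. Assumes the RAW log format:
one record per line, 'type=T msg=audit(ts:serial): ' followed by key=value
fields, with all records of one event sharing the same ts:serial pair.
All sample records below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: one denied read of a watched file, then one login.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4101): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd0 a2=0 a3=0 items=1 ppid=2100 pid=2188 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="sshd_config"
type=CWD msg=audit(1700000000.123:4101): cwd="/home/alice"
type=PATH msg=audit(1700000000.123:4101): item=0 name="/etc/ssh/sshd_config" inode=40921 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.123:4101): proctitle=636174002F6574632F7373682F737368645F636F6E666967
type=USER_LOGIN msg=audit(1700000003.500:4102): pid=2201 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=/dev/pts/1 res=success'
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# A value is double-quoted, single-quoted (nested message), or a bare token.
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_fields(body: str) -> dict[str, str]:
    """Turn 'k=v k="v" msg=\'k=v ...\'' into a flat dict (nested msg merged)."""
    fields: dict[str, str] = {}
    for key, value in FIELD_RE.findall(body):
        if value.startswith("'") and value.endswith("'"):
            fields.update(parse_fields(value[1:-1]))  # USER_* records nest fields
            continue
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def decode_proctitle(value: str) -> list[str]:
    """auditd hex-encodes proctitle when it holds spaces or NULs; argv is NUL-separated.
    Assumption: an all-hex, even-length value is treated as encoded."""
    if len(value) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in value):
        raw = bytes.fromhex(value)
        return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
    return [value]


def parse_audit_log(text: str) -> dict[str, dict]:
    """Group records by their ts:serial event ID; unparseable lines are skipped."""
    events: dict[str, dict] = defaultdict(lambda: {"time": None, "records": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        event = events[f"{m['ts']}:{m['serial']}"]
        event["time"] = datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)
        fields = parse_fields(m["body"])
        if m["type"] == "PROCTITLE" and "proctitle" in fields:
            fields["argv"] = decode_proctitle(fields["proctitle"])
        event["records"].append({"type": m["type"], "fields": fields})
    return dict(events)


def denied_watched_accesses(events: dict[str, dict]) -> list[tuple]:
    """(rule key, exe, path) for events whose SYSCALL failed and matched a keyed rule."""
    hits = []
    for event in events.values():
        syscall = next((r["fields"] for r in event["records"] if r["type"] == "SYSCALL"), None)
        if not syscall or syscall.get("success") != "no":
            continue
        if syscall.get("key") in (None, "(null)"):
            continue  # failure not attributable to a watch rule
        paths = [r["fields"].get("name") for r in event["records"] if r["type"] == "PATH"]
        hits.append((syscall["key"], syscall.get("exe"), paths[0] if paths else None))
    return hits


def logins(events: dict[str, dict]) -> list[tuple]:
    """(auid, source address, result) for every USER_LOGIN record."""
    out = []
    for event in events.values():
        for record in event["records"]:
            if record["type"] == "USER_LOGIN":
                f = record["fields"]
                out.append((f.get("auid"), f.get("addr"), f.get("res")))
    return out


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    print(denied_watched_accesses(evs))
    print(logins(evs))
```

The grouping by timestamp:serial is the same join that ausearch performs when it prints a SYSCALL record together with its CWD, PATH and PROCTITLE records; the key= field is what ties an event back to the auditctl rule that produced it, which is why naming rules with -k pays off at analysis time.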
INTERACTION WITH THE KERNEL
auditd operates by communicating with the Linux kernel's audit subsystem. The kernel, based on rules loaded by auditctl, generates audit events for monitored activities. These events are then sent to a kernel buffer, from which auditd reads them. This design ensures that even if auditd crashes or is stopped, the kernel continues to buffer events (up to its configurable limit), minimizing data loss. Once auditd resumes, it retrieves buffered events and writes them to disk.
HISTORY
auditd is a core component of the Linux Audit Project, which began with the goal of providing a comprehensive, CAPP (Controlled Access Protection Profile) compliant auditing system for the Linux operating system. Its development was driven by the need for robust security event logging, especially in environments requiring strict regulatory compliance (e.g., Common Criteria).
The project aimed to integrate deep kernel-level auditing capabilities with user-space tools for configuration, collection, analysis, and reporting. auditd serves as the central collection point in this architecture, evolving over the years to handle increasing system complexity and security demands. It has been a standard part of most major Linux distributions for many years, continuously refined to improve performance, reliability, and ease of use in enterprise and high-security contexts.