LinuxCommandLibrary

auditd

Audit system events for security tracking

TLDR

Start the daemon (normally done for you by systemd via auditd.service)

$ auditd

Run in the foreground for debugging; messages go to stderr instead of the audit log

$ auditd -f

Start without forking, for running from systemd or inittab

$ auditd -n

Start without changing the kernel's audit enabled flag

$ auditd -s nochange

SYNOPSIS

auditd [-f] [-l] [-n] [-s disable|enable|nochange] [-c config_dir]

PARAMETERS

-f
    Leave the daemon in the foreground for debugging; messages go to stderr rather than the audit log

-l
    Allow the daemon to follow symlinks when opening its configuration files

-n
    Do not fork; useful when started from systemd or inittab

-s disable|enable|nochange
    Whether to change the kernel's audit enabled flag at startup

-c config_dir
    Use an alternate configuration directory instead of /etc/audit; the same directory is passed to the dispatcher

auditd has no long options; the daemon is driven by /etc/audit/auditd.conf rather than by command-line flags.

DESCRIPTION

auditd is the userspace daemon of the Linux Auditing System. It receives audit records from the kernel's audit subsystem over a netlink socket. The kernel emits those records for the system calls and file-system watches selected by the loaded audit rules, and for logins, account and credential changes, SELinux AVC denials and other security-relevant events.

auditd appends the records to its log (typically /var/log/audit/audit.log), rotates the log when it reaches max_log_file, reacts to low or exhausted disk space according to the configured actions, and forwards a copy of each event to the dispatcher plugins (/etc/audit/plugins.d/ in audit 3.x, /etc/audisp/plugins.d/ earlier) for remote logging or alerting.
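Each record auditd writes names its event as msg=audit(TIMESTAMP:SERIAL), and the SYSCALL, EXECVE and PATH lines of one event share that id; joining on it is what ausearch does. The script below is an added example, not code from the audit package: it performs that join with awk over a few constructed audit.log lines (trimmed to the fields it reads, so not real captures) and then flags execve events where a logged-in user (auid) is running as root (uid 0), skipping auid 4294967295, which marks processes with no login session. Function names and the sample log are this example's own.

```shell
#!/bin/sh
# Added example, not code from the audit package. Joins audit.log records on
# the event id in msg=audit(TIMESTAMP:SERIAL) and reports execve events.
# SAMPLE_LOG is constructed for this example and trimmed to the fields used;
# real SYSCALL records carry more fields (a0..a3, ses, tty, subj, ...).
set -eu

SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1501 auid=1000 uid=1000 gid=1000 euid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1700000000.101:2001): argc=3 a0="bash" a1="-c" a2="id"
type=SYSCALL msg=audit(1700000000.205:2002): arch=c000003e syscall=257 success=yes exit=3 ppid=1500 pid=1510 auid=1000 uid=1000 gid=1000 euid=1000 comm="vim" exe="/usr/bin/vim" key="identity"
type=PATH msg=audit(1700000000.205:2002): item=0 name="/etc/shadow" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.310:2003): arch=c000003e syscall=59 success=yes exit=0 ppid=1501 pid=1502 auid=1000 uid=0 gid=0 euid=0 comm="nc" exe="/usr/bin/nc" key="exec"
type=EXECVE msg=audit(1700000000.310:2003): argc=3 a0="nc" a1="-l" a2="4444"
type=SYSCALL msg=audit(1700000000.400:2004): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key="exec"
type=EXECVE msg=audit(1700000000.400:2004): argc=1 a0="/usr/sbin/cron"'

# exec_events: read audit.log lines on stdin and print one line per event whose
# SYSCALL record carries key="exec":   <ts:serial> <auid> <uid> <exe> <argv...>
exec_events() {
    awk '
    # Every record names its event as msg=audit(TIMESTAMP:SERIAL). Records of
    # one event can be interleaved with other events, so accumulate per id.
    match($0, /msg=audit\([0-9.]+:[0-9]+\)/) {
        id = substr($0, RSTART + 10, RLENGTH - 11)
        if ($1 == "type=SYSCALL") {
            for (i = 3; i <= NF; i++) {
                n = index($i, "="); if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1); gsub(/"/, "", v)
                if (k == "key") key[id] = v
                else if (k == "auid") auid[id] = v
                else if (k == "uid") uid[id] = v
                else if (k == "exe") exe[id] = v
            }
        } else if ($1 == "type=EXECVE") {
            args = ""
            for (i = 3; i <= NF; i++) if ($i ~ /^a[0-9]+=/) {
                v = substr($i, index($i, "=") + 1); gsub(/"/, "", v)
                args = (args == "") ? v : args " " v
            }
            argv[id] = args
        }
    }
    END {
        for (id in key) if (key[id] == "exec")
            print id, auid[id], uid[id], exe[id], argv[id]
    }' | sort
}

# root_exec_by_login_user: from exec_events output keep events whose login uid
# is a real user while the process runs as root. auid 4294967295 (-1) means
# no login session (daemons, cron), so those are not escalations.
root_exec_by_login_user() {
    awk '$3 == 0 && $2 != 0 && $2 != 4294967295'
}

printf '%s\n' "$SAMPLE_LOG" | exec_events
echo '--- root execs by a logged-in user ---'
printf '%s\n' "$SAMPLE_LOG" | exec_events | root_exec_by_login_user
```

Against a real log, replace the printf with `cat /var/log/audit/audit.log`; the awk program assumes the default log_format = RAW field layout, and with log_format = ENRICHED the extra decoded fields after the record separator are simply ignored by the key lookups above.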

Daemon behaviour (log file, flushing, rotation, disk-space actions) is configured in /etc/audit/auditd.conf. What the kernel records is defined by audit rules: the drop-in files under /etc/audit/rules.d/ are merged by augenrules into /etc/audit/audit.rules, which the service loads into the kernel with auditctl at startup. Edit the files in rules.d, not the generated audit.rules.

On most distributions the daemon is started by systemd as auditd.service. It runs as root and requires a kernel built with CONFIG_AUDIT (and CONFIG_AUDITSYSCALL for syscall rules). Broad syscall rules add measurable per-call overhead on busy systems, so rule sets should be scoped to what is actually needed. auditd underpins compliance regimes such as PCI DSS and Common Criteria, and its log is a primary source for forensic reconstruction; ausearch and aureport query it.

CAVEATS

Requires root (CAP_AUDIT_CONTROL) and a kernel built with CONFIG_AUDIT. Broad syscall rules can degrade performance on busy systems. Logs grow quickly, so set max_log_file, num_logs and the space_left/disk_full actions deliberately; the stock SUSPEND action stops auditing silently when the disk fills. The kernel audit subsystem is not namespaced, so auditd does not run inside unprivileged containers; the host's auditd sees container activity instead.

CONFIGURATION FILES

Main: /etc/audit/auditd.conf (log_file, log_format, max_log_file, num_logs, space_left_action, disk_full_action and similar). Rules: /etc/audit/rules.d/*.rules, merged in file-name order by augenrules into /etc/audit/audit.rules and loaded with auditctl; the generated audit.rules is overwritten on every load. Plugins: /etc/audit/plugins.d/.

SERVICE MANAGEMENT

Use systemctl start|status auditd. On RHEL-family systems auditd.service sets RefuseManualStop=yes, so stop the daemon with service auditd stop (the legacy init script) rather than systemctl stop. Reload rules with augenrules --load. Check the kernel side with auditctl -s (enabled flag, backlog limit, lost-event and failure counters) and list the loaded rules with auditctl -l.

HISTORY

The kernel audit subsystem entered the mainline 2.6 series in 2004, with syscall auditing and file watches following in later releases. The userspace package (auditd, auditctl, ausearch, aureport) was developed at Red Hat with IBM contributions, largely to satisfy Common Criteria (CAPP/LSPP) evaluation requirements, and SELinux AVC denials are delivered through the same channel. Audit 3.0 folded the separate audispd event dispatcher into auditd and moved plugin configuration to /etc/audit/plugins.d/.

SEE ALSO

auditctl(8), ausearch(8), aureport(8), augenrules(8), auditd.conf(5), audit.rules(7), audispd(8), systemctl(1)
