When a filesystem object the audit subsystem is watching changes, the inotify subsystem calls the
audit_handle_event() function. audit_handle_event() in turn updates the audit subsystem's watch data for the watched entity. This process is detailed in Section 5.6.3.1.3.
5.6.1.3User space audit components
The main user level audit components consist of a daemon (auditd), a control program (auditctl), a library (libaudit), a configuration file (auditd.conf), and an initial setup file (auditd.rules). There is also an init script that is used to start and stop auditd, /etc/init.d/auditd. When run, this script sources another file, /etc/sysconfig/auditd, to set the locale, and to set the variable AUDIT_CLEAN_STOP, which controls whether to delete the watch points and the filter rules when auditd stops.
On startup, auditd reads the configuration file to set the various configuration options that pertain to the daemon. Then, the auditd reads the auditd.rules to set the initial rules. The auditd.conf man page describes all the configurable options, and the auditctl man page lists all the supported control options.
136