Option | description | Possible values |
Sets max number of outstanding Default is 64 buffer allowed. If all buffers are exhausted, the failure flag is
checked.
Sets enabled flag | 01 |
Sets failure flag | silent, printk, panic |
Sets the rate of messages/second. If 0 no rate is set. If > 0 and rate exceeded, the failure flag is checked.
Table
5.6.2.2Operation
The audit framework operation consists of the following steps:
On kernel startup, if audit support was compiled into the kernel, the following are initialized:
1.The netlink socket is created.
2.Four lists that hold the filter rules in the kernel are initialized.
3.The audit_initialized flag is set to true.
4.The audit_enabled flag is set according to audit_default or to the boot parameter audit. No syscall or file system auditing takes place without audit_enabled being set to true. The audit_enabled flag can also be set from the command line using auditctl
5.The file system auditing is initialized by creating the watch lists and the hash table for the file system auditing.
auditd does the following on startup:
1.Registers its pid with the kernel, so that the kernel starts sending all audit events to the daemon (to the netlink).
2.Enables auditing.
3.Opens the netlink socket, and spawns a thread that continuously waits on the condition of audit record data availability on the netlink. Once the data is available, it signals the thread that writes out the audit records.
4.Reads the /etc/auditd.conf configuration file, which holds the configuration parameters that define, among other things, what to do when errors are encountered, or when the log files are full.
5.Usually, auditd is run by the /etc/init.d/auditd initialization script, which issues auditctl
6.The auditctl command can be used at any time, even before auditd is running, to add and build rules associated with possible actions for system calls and file system operations, as well as setting the behavior of the audit subsystem in the kernel.
139
