IBM 10 SP1 EAL4 5.15 User-level audit subsystem, 5.15.1 Audit daemon, 5.15.2 Audit utilities

5.15 User-level audit subsystem

The main user-level audit components consist of the auditd daemon, the auditctl control program, the

libaudit library, the auditd.conf configuration file, and the auditd.rules initial setup file.

There is also the /etc/init.d/auditd init script that is used to start and stop auditd. When run, this

script sources another file, /etc/sysconfig/auditd, to set the locale, and to set the

AUDIT_CLEAN_STOP variable, which controls whether to delete the watch points and the filter rules when

auditd stops.

On startup, auditd reads the configuration file to set the various configuration options that pertain to the

daemon. Then, it reads the auditd.rules file to set the initial rules. The auditd.conf man page

describes all the configurable options. The auditctl man page lists all the supported control options.

5.15.1 Audit daemon

The auditd daemon does the following on startup:

1. Registers its pid with the kernel, so the kernel starts sending all audit events to the daemon (to the

netlink).

2. Enables auditing.

3. Opens the netlink socket, and spawns a thread that continuously waits on the condition of audit record

data availability on the netlink. Once the data is available it signals the thread, which writes out the

audit records.

4. Reads the /etc/auditd.conf configuration file, which holds the configuration parameters that

define, among other things, what to do when errors are encountered or when the log files are full.

5. Usually, the /etc/init.d/auditd init script runs auditd, which issues

auditctl –R /etc/audit.rules, if /etc/auditd.rules exists.

6. auditctl can be used at any time, even before auditd is running, to add and build rules

associated with possible actions for system calls and file system operations. It also sets the behavior

of the audit subsystem in the kernel.

7. If audit is enabled, the kernel intercepts the system calls and generates audit records according to the

filter rules. Or, it generates audit records for watches set on particular file system files or directories.

8. Trusted programs can also write audit records for security-relevant operations through the audit

netlink, and not directly to the audit log.

5.15.2 Audit utilities

In addition to the main components, the user level provides the ausearch search utility and the autrace

trace utility. While ausearch finds audit records based on different criteria from the audit log, autrace

audits all syscalls issued by the process being traced. The man pages for these two utilities detail all the

options that can be used. This section only describes how they operate.

The aureport utility provides summary information from audit log files. Use of aureport is restricted

to administrative users. For more information on the aureport utility, see the aureport(8) man page.

aureport typically follows these processing steps:

1. Sets the locale.

211