Provided by: auditd_2.3.2-2ubuntu1_amd64 bug


       auditd - The Linux Audit daemon


       auditd [-f] [-l] [-n] [-s disable|enable|nochange]


       auditd  is  the  userspace  component  to  the Linux Auditing System. It's responsible for
       writing audit records to the disk. Viewing the logs is done with the ausearch or  aureport
       utilities.  Configuring the audit rules is done with the auditctl utility. During startup,
       the rules in /etc/audit/audit.rules are read by auditctl and loaded into the  kernel.  The
       audit  daemon  itself has some configuration options that the admin may wish to customize.
       They are found in the auditd.conf file.


       -f     leave the audit daemon in the foreground for debugging. Messages also go to  stderr
              rather than the audit log.

       -l     allow the audit daemon to follow symlinks for config files.

       -n     no fork. This is useful for running off of inittab or systemd.

              specify  when  starting  if  auditd  should change the current value for the kernel
              enabled flag. Valid values for ENABLE_STATE are "disable", "enable" or  "nochange".
              The  default  is  to  enable (and disable when auditd terminates). The value of the
              enabled flag may be changed during the lifetime of auditd using 'auditctl -e'.


       SIGHUP causes auditd to reconfigure. This means that  auditd  re-reads  the  configuration
              file.  If  there  are  no syntax errors, it will proceed to implement the requested
              changes. If the reconfigure is successful, a DAEMON_CONFIG event is recorded in the
              logs.  If  not  successful,  error  handling  is  controlled  by space_left_action,
              admin_space_left_action,  disk_full_action,  and  disk_error_action  parameters  in

              caused auditd to discontinue processing audit events, write a shutdown audit event,
              and exit.

              causes  auditd  to   immediately   rotate   the   logs.   It   will   consult   the
              max_log_size_action to see if it should keep the logs or not.

              causes  auditd  to  attempt to resume logging. This is usually needed after logging
              has been suspended.


       /etc/audit/auditd.conf - configuration file for audit daemon

       /etc/audit/audit.rules - audit rules to be loaded at startup


       A boot param of audit=1 should be added to ensure that all processes that run  before  the
       audit  daemon  starts is marked as auditable by the kernel. Not doing that will make a few
       processes impossible to properly audit.

       The audit daemon can receive audit events from other audit daemons via  the  audisp-remote
       audispd plugin. The audit daemon may be linked with tcp_wrappers to control which machines
       can connect. If this is the case, you can add an entry to hosts.allow and deny.


       auditd.conf(5), audispd(8), ausearch(8), aureport(8), auditctl(8), audit.rules(7).


       Steve Grubb