Controlling the Audit System Using auditctl

auditctl is responsible for controlling the status and some basic system parameters of the audit daemon. It controls the amount of auditing performed on the system. Using audit rules, auditctl controls which components of your system are subjected to the audit and to what extent they are audited. Audit rules can be passed to the audit daemon on the auditctl command line as well as by composing a rule set and instructing the audit daemon to process this file. By default, the rcaudit script is configured to check for audit rules under /etc/audit/audit.rules. For more details on audit rules, refer to Section 29.4, “Passing Parameters to the Audit System”.

The main auditctl commands to control basic audit system parameters are listed in Table 29.1, “Audit Status Flags”.

The -e, -f, -r, and -b options can also be specified in the audit.rules file to avoid having to enter them each time the audit daemon is started.

Any time you query the status of the audit daemon with auditctl -s or change the status flag with auditctl -e flag, a status message (including information on each of the above-mentioned parameters) is output. The following example shows a typical audit status message.

Example 29.1. Example output of auditctl -s

AUDIT_STATUS: enabled=1 flag=2 pid=3105 rate_limit=0 backlog_limit=8192 lost=0 backlog=0

Table 29.1. Audit Status Flags

| Flag | Meaning [Possible Values] | Command |
|---|---|---|
| enabled | Set the enable flag. [0..2] 0=disable, 1=enable, 2=enable and lock down the configuration | auditctl -e [0\|1] |
| flag | Set the failure flag. [0..2] 0=silent, 1=printk, 2=panic (immediate halt without syncing pending data to disk) | auditctl -f [0\|1\|2] |
| pid | Process ID under which auditd is running. | |
| rate_limit | Set a limit in messages per second. If the rate is not zero and is exceeded, the action specified in the failure flag is triggered. | auditctl -r rate |
| backlog_limit | Specify the maximum number of outstanding audit buffers allowed. If all buffers are full, the action specified in the failure flag is triggered. | auditctl -b backlog |
| lost | Count the current number of lost audit messages. | |
| backlog | Count the current number of outstanding audit buffers. | |
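As an added example (not part of the SUSE documentation), the following POSIX shell health check parses the single-line status format shown in Example 29.1 and flags the conditions a defender cares about: auditing disabled, a silent failure flag, lost messages, and a backlog close to backlog_limit. The sample status line is constructed; on a live system you would feed it the output of auditctl -s.

```shell
# Health check for the auditctl -s status line (added example, not from the page).
# Assumes the single-line "AUDIT_STATUS: key=value ..." format of Example 29.1.

# Constructed sample status line: lost messages and a full backlog, so the
# checks below have something to report.
SAMPLE_STATUS='AUDIT_STATUS: enabled=1 flag=0 pid=3105 rate_limit=0 backlog_limit=8192 lost=17 backlog=8192'

# audit_field STATUS_LINE NAME: print the value of one field, empty if absent.
audit_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# audit_status_warnings STATUS_LINE: print one warning per line, nothing when healthy.
audit_status_warnings() {
    line="$1"
    enabled=$(audit_field "$line" enabled)
    flag=$(audit_field "$line" flag)
    lost=$(audit_field "$line" lost)
    backlog=$(audit_field "$line" backlog)
    limit=$(audit_field "$line" backlog_limit)
    [ "$enabled" = "0" ] && echo "auditing is disabled (enabled=0)"
    [ "$flag" = "0" ] && echo "failure flag is silent (flag=0): overruns go unreported"
    [ "${lost:-0}" -gt 0 ] && echo "$lost audit messages lost; raise -b or lower -r"
    # Warn once the backlog has reached 90% of backlog_limit (integer arithmetic).
    if [ "${limit:-0}" -gt 0 ] && [ $(( ${backlog:-0} * 10 )) -ge $(( limit * 9 )) ]; then
        echo "backlog $backlog is near backlog_limit $limit"
    fi
    return 0
}

# audit_warning_count STATUS_LINE: number of warnings, usable as a cron/monitoring check.
audit_warning_count() {
    audit_status_warnings "$1" | grep -c . || true
}

# Live usage would be: audit_status_warnings "$(auditctl -s)"
audit_status_warnings "$SAMPLE_STATUS"
```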