auditctl is responsible for controlling the status and some basic system parameters of the audit daemon. It controls the amount of auditing performed on the system. Using audit rules, auditctl controls which components of your system are subjected to the audit and to what extent they are audited. Audit rules can be passed to the audit daemon on the auditctl command line as well as by composing a rule set file and instructing the audit daemon to process that file. By default, the rcaudit script is configured to check for audit rules under /etc/audit/audit.rules. For more details on audit rules, refer to Section 29.4, “Passing Parameters to the Audit System”.
The main auditctl commands to control basic audit system parameters are:

- auditctl -e to enable or disable audit
- auditctl -f to control the failure flag
- auditctl -r to control the rate limit for audit messages
- auditctl -b to control the backlog limit
- auditctl -s to query the current status of the audit daemon
The -e, -f, -r, and -b options can also be specified in the audit.rules file to avoid having to enter them each time the audit daemon is started.
Any time you query the status of the audit daemon with auditctl -s or change the status flag with auditctl -e, a status message (including information on each of the above-mentioned parameters) is output. The following example highlights the typical audit status message.
Example 29.1. Example output of auditctl -s
AUDIT_STATUS: enabled=1 flag=2 pid=3105 rate_limit=0 backlog_limit=8192 lost=0 backlog=0
Table 29.1. Audit Status Flags

Flag | Meaning [Possible Values] | Command
---|---|---
enabled | Set the enable flag. [0..2] 0=disable, 1=enable, 2=enable and lock down the configuration | auditctl -e
flag | Set the failure flag. [0..2] 0=silent, 1=printk, 2=panic (immediate halt without syncing pending data to disk) | auditctl -f
pid | Process ID under which auditd is running. | —
rate_limit | Set a limit in messages per second. If the rate is not zero and is exceeded, the action specified in the failure flag is triggered. | auditctl -r
backlog_limit | Specify the maximum number of outstanding audit buffers allowed. If all buffers are full, the action specified in the failure flag is triggered. | auditctl -b
lost | Count the current number of lost audit messages. | —
backlog | Count the current number of outstanding audit buffers. | —