IBM Novell 10 SP1 EAL4 User Manual

5.15 User-level audit subsystem

The main user-level audit components consist of the auditd daemon, the auditctl control program, the
libaudit library, the auditd.conf configuration file, and the auditd.rules initial setup file.

There is also the /etc/init.d/auditd init script, which is used to start and stop auditd. When run, this script sources another file, /etc/sysconfig/auditd, to set the locale and the AUDIT_CLEAN_STOP variable, which controls whether the watch points and filter rules are deleted when auditd stops.
On startup, auditd reads the configuration file to set the various configuration options that pertain to the daemon. Then, it reads the auditd.rules file to set the initial rules. The auditd.conf man page describes all the configurable options. The auditctl man page lists all the supported control options.

5.15.1 Audit daemon

The auditd daemon does the following on startup:

1. Registers its pid with the kernel, so that the kernel starts sending all audit events to the daemon over the audit netlink.
2. Enables auditing.
3. Opens the netlink socket and spawns a thread that waits until audit record data is available on the netlink; when data arrives, the thread is signalled and writes out the audit records.
4. Reads the /etc/auditd.conf configuration file, which holds the configuration parameters that define, among other things, what to do when errors are encountered or when the log files are full.
5. Usually, auditd is run by the /etc/init.d/auditd init script, and auditctl -R /etc/audit.rules is issued if /etc/audit.rules exists, so that the initial rules are loaded.
6. auditctl can be used at any time, even before auditd is running, to add and build rules for system calls and file system operations. It also sets the behavior of the audit subsystem in the kernel.
7. If auditing is enabled, the kernel intercepts system calls and generates audit records according to the filter rules, and it generates audit records for watches set on particular files or directories.
8. Trusted programs can also write audit records for security-relevant operations, through the audit netlink and not directly to the audit log.
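As an added example (not code from the SLES 10 SP1 audit package), the following Python script parses a rules file in the format that step 5 loads with auditctl -R: watch rules (-w path -p perms -k key), syscall filter rules (-a list,action -S syscall -F field=value -k key) and the control options -D, -b and -e, following the auditctl(8) syntax, and renders each rule back into the auditctl command line that would be issued. The sample rules file, the rule names and the check_rules helper are constructed for illustration; checking a rules file this way before loading it catches a malformed line before it reaches auditctl and the kernel.

```python
"""Parse an audit.rules file the way `auditctl -R <file>` consumes it.

Added example, not code from the SLES 10 SP1 audit package. It mirrors the
auditctl(8) argument syntax (-w/-p/-k watches, -a/-S/-F/-k syscall filter
rules, -D/-e/-b/-f control options); the sample rules file is constructed.
"""
import shlex
from dataclasses import dataclass, field
from typing import Optional

VALID_PERMS = set("rwxa")
VALID_LISTS = {"task", "entry", "exit", "user", "exclude"}
VALID_ACTIONS = {"always", "never"}
FIELD_OPS = ("!=", ">=", "<=", "=", ">", "<")   # longest first so "!=" wins over "="


@dataclass
class WatchRule:             # -w path [-p perms] [-k key]
    path: str
    perms: str = "rwxa"      # auditctl's default when -p is omitted
    key: Optional[str] = None


@dataclass
class SyscallRule:           # -a list,action [-S syscall]... [-F f op v]... [-k key]
    list_name: str
    action: str
    syscalls: list = field(default_factory=list)
    fields: list = field(default_factory=list)   # (name, op, value) triples
    key: Optional[str] = None


@dataclass
class ControlRule:           # -D, -e 1, -b 8192, -f 1
    flag: str
    value: Optional[str] = None


def _arg(argv, i, line):
    """Argument that follows option argv[i]; every option here takes exactly one."""
    if i + 1 >= len(argv):
        raise ValueError(f"{line!r}: {argv[i]} needs an argument")
    return argv[i + 1]


def _split_list_action(spec, line):
    parts = spec.split(",")
    if len(parts) != 2:
        raise ValueError(f"{line!r}: -a expects list,action")
    lst, act = parts if parts[0] in VALID_LISTS else parts[::-1]   # both orders accepted
    if lst not in VALID_LISTS or act not in VALID_ACTIONS:
        raise ValueError(f"{line!r}: bad -a {spec}")
    return lst, act


def _split_field(spec, line):
    for op in FIELD_OPS:
        name, sep, value = spec.partition(op)
        if sep and name and value:
            return name, op, value
    raise ValueError(f"{line!r}: bad -F {spec}")


def parse_rule_line(line):
    """Return a rule object for one line, or None for a blank or comment line."""
    argv = shlex.split(line, comments=True)
    if not argv:
        return None
    if argv[0] in ("-D", "-e", "-b", "-f"):
        return ControlRule(argv[0], argv[1] if len(argv) > 1 else None)
    rule = None
    for i in range(0, len(argv), 2):
        opt, val = argv[i], _arg(argv, i, line)
        if opt == "-w":
            rule = WatchRule(path=val)
        elif opt == "-a":
            rule = SyscallRule(*_split_list_action(val, line))
        elif opt == "-p" and isinstance(rule, WatchRule):
            if not val or not set(val) <= VALID_PERMS:
                raise ValueError(f"{line!r}: -p takes a non-empty subset of rwxa")
            rule.perms = val
        elif opt == "-S" and isinstance(rule, SyscallRule):
            rule.syscalls.extend(val.split(","))
        elif opt == "-F" and isinstance(rule, SyscallRule):
            rule.fields.append(_split_field(val, line))
        elif opt == "-k" and rule is not None:
            rule.key = val
        else:
            raise ValueError(f"{line!r}: {opt} is not valid here")
    return rule


def load_rules(text):
    return [r for r in (parse_rule_line(l) for l in text.splitlines()) if r is not None]


def check_rules(text):
    """(line_no, error) for every line auditctl -R would reject; empty list means clean."""
    errors = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            parse_rule_line(line)
        except ValueError as e:
            errors.append((n, str(e)))
    return errors


def to_auditctl(rule):
    """Render a rule as the auditctl command line that `auditctl -R` issues for it."""
    if isinstance(rule, ControlRule):
        return f"auditctl {rule.flag}" + (f" {rule.value}" if rule.value is not None else "")
    if isinstance(rule, WatchRule):
        cmd = f"auditctl -w {rule.path} -p {rule.perms}"
    else:
        cmd = f"auditctl -a {rule.list_name},{rule.action}"
        cmd += "".join(f" -S {s}" for s in rule.syscalls)
        cmd += "".join(f" -F {n}{op}{v}" for n, op, v in rule.fields)
    return cmd + (f" -k {rule.key}" if rule.key else "")


# Constructed sample in the /etc/audit.rules format (not a shipped rules file).
SAMPLE_RULES = """\
# flush existing rules, then set the backlog and enable auditing
-D
-b 8192
-e 1
# watch credential files; -p selects the operations that generate records
-w /etc/shadow -p wa -k shadow
-w /etc/sudoers -p rwxa -k sudoers
# failed opens by real users (auid >= 500), recorded at syscall exit
-a exit,always -S open -S openat -F success=0 -F auid>=500 -k failed_open
# the same rule type with list and action in the other accepted order
-a always,exit -S adjtimex -S settimeofday -k time_change
"""

if __name__ == "__main__":
    for problem in check_rules(SAMPLE_RULES):
        print("error:", problem)
    for r in load_rules(SAMPLE_RULES):
        print(to_auditctl(r))
```

The -k key given on each rule is what later ties the records back to the rule: it is copied into every record the rule produces, so ausearch -k shadow finds exactly the events caused by the /etc/shadow watch.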

5.15.2 Audit utilities

In addition to the main components, the user level provides the ausearch search utility and the autrace trace utility. ausearch finds audit records in the audit log based on different criteria, while autrace audits all system calls issued by the process being traced. The man pages for these two utilities detail all the options that can be used; this section only describes how they operate.
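The following Python script is an added example, not the ausearch(8) source, of what "finds audit records based on different criteria" amounts to in practice: it parses lines in the audit log format written by auditd (type=... msg=audit(seconds.millis:serial): field=value ...), groups the records that share one serial into an event, and returns the events in which every criterion is satisfied by some record of the event, which is why a search on uid and name can match across a SYSCALL record and its PATH record. The sample log, the search and serials function names and the field values are constructed for illustration.

```python
"""Minimal ausearch-style query over audit log records.

Added example, not the ausearch(8) code. Records are parsed from the audit
log line format (type=... msg=audit(<secs>.<ms>:<serial>): key=value ...);
the sample log is constructed.
"""
import re
from collections import OrderedDict

RECORD_RE = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# name=value, where value is either a double-quoted string or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Return one record as a dict, or None if the line is not an audit record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "time": float(m.group("time")),
           "serial": int(m.group("serial"))}
    for name, raw in FIELD_RE.findall(m.group("body")):
        rec[name] = raw[1:-1] if raw.startswith('"') else raw   # strip quotes from name="..."
    return rec


def parse_events(log_text):
    """Group records by serial: all records of one event carry the same audit(ts:serial) id."""
    events = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], []).append(rec)
    return list(events.values())


def search(log_text, start=None, end=None, **criteria):
    """Events whose time is within [start, end] and where each field=value criterion
    is met by at least one record of the event (ausearch reports the whole event)."""
    hits = []
    for event in parse_events(log_text):
        t = event[0]["time"]
        if (start is not None and t < start) or (end is not None and t > end):
            continue
        if all(any(rec.get(f) == v for rec in event) for f, v in criteria.items()):
            hits.append(event)
    return hits


def serials(events):
    return [e[0]["serial"] for e in events]


# Constructed sample log: two opens of /etc/shadow (one denied), one rule
# change, and one unrelated open in a home directory.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1179856300.123:101): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1c2a a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=2468 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cat" exe="/bin/cat" key="shadow"
type=CWD msg=audit(1179856300.123:101):  cwd="/root"
type=PATH msg=audit(1179856300.123:101): item=0 name="/etc/shadow" inode=1234 dev=08:02 mode=0100640 ouid=0 ogid=15 rdev=00:00
type=SYSCALL msg=audit(1179856305.456:102): arch=c000003e syscall=2 success=no exit=-13 a0=7fff2c3b a1=2 a2=0 a3=0 items=1 ppid=1 pid=2470 auid=500 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 comm="vi" exe="/usr/bin/vi" key="shadow"
type=CWD msg=audit(1179856305.456:102):  cwd="/home/alice"
type=PATH msg=audit(1179856305.456:102): item=0 name="/etc/shadow" inode=1234 dev=08:02 mode=0100640 ouid=0 ogid=15 rdev=00:00
type=CONFIG_CHANGE msg=audit(1179856320.000:103): auid=500 uid=0 op=add rule key="time_change" list=4 res=1
type=SYSCALL msg=audit(1179856330.789:104): arch=c000003e syscall=2 success=yes exit=4 a0=7fff3d4c a1=0 a2=0 a3=0 items=1 ppid=2470 pid=2480 auid=500 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 comm="bash" exe="/bin/bash" key="homedir"
type=PATH msg=audit(1179856330.789:104): item=0 name="/home/alice/.bashrc" inode=5678 dev=08:02 mode=0100644 ouid=500 ogid=100 rdev=00:00
"""

if __name__ == "__main__":
    # the rough equivalent of: ausearch -k shadow --success no
    for event in search(SAMPLE_LOG, key="shadow", success="no"):
        for rec in event:
            print(rec["type"], rec["serial"], rec.get("uid", "-"), rec.get("name", ""))
```

Note that auid (the login uid set at login and inherited through su) and uid (the current uid) are separate fields in the SYSCALL record; searching on auid is what attributes an action performed as root back to the user who logged in.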

5.15.2.1 aureport

The aureport utility provides summary information from audit log files. Use of aureport is restricted to administrative users. For more information on the aureport utility, see the aureport(8) man page.

aureport typically follows these processing steps:

1. Sets the locale.
