auditctl is responsible for controlling the status and some basic system parameters of the audit daemon. It controls the amount of auditing performed on the system. Using audit rules, auditctl controls which components of your system are subjected to the audit and to what extent they are audited. Audit rules can be passed to the audit daemon on the auditctl command line as well as by composing a rule set and instructing the audit daemon to process this file. By default, the rcaudit script is configured to check for audit rules under /etc/audit/audit.rules. For more details on audit rules, refer to Section 29.4, Passing Parameters to the Audit System.
The main auditctl commands to control basic audit system parameters are:
auditctl -e to enable or disable audit
auditctl -f to control the failure flag
auditctl -r to control the rate limit for audit messages
auditctl -b to control the backlog limit
auditctl -s to query the current status of the audit daemon
The -e, -f, -r, and -b options can also be specified in the audit.rules file to avoid having to enter them each time the audit daemon is started.
Any time you query the status of the audit daemon with auditctl -s, or change the status flag with auditctl -e flag, a status message including information on each of the above-mentioned parameters is output. The following example shows a typical audit status message.
Example 29-1 Example output of auditctl -s
AUDIT_STATUS: enabled=1 flag=2 pid=3105 rate_limit=0 backlog_limit=8192 lost=0 backlog=0
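As an added illustration (not part of the original documentation, and not a SUSE or audit-package script), the following POSIX shell functions parse a status line in the format shown above and apply the checks a monitoring job would typically run against it: auditing disabled, lost messages, the backlog approaching backlog_limit, and the panic failure flag. The status line is a constructed sample copied from the example above; the 80% backlog threshold and the advice strings are this example's own choices.

```shell
#!/bin/sh
# Constructed sample in the format of "auditctl -s" output (not captured from a live host).
SAMPLE_STATUS='AUDIT_STATUS: enabled=1 flag=2 pid=3105 rate_limit=0 backlog_limit=8192 lost=0 backlog=0'

# audit_status_field LINE NAME
# Prints the VALUE of the NAME=VALUE token in LINE (empty if the token is absent).
audit_status_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# audit_status_check LINE
# Prints one finding per line. Returns 0 when the daemon state is acceptable
# and 1 when auditing is off, messages were lost, or the backlog is nearly full.
audit_status_check() {
    line=$1
    enabled=$(audit_status_field "$line" enabled)
    flag=$(audit_status_field "$line" flag)
    lost=$(audit_status_field "$line" lost)
    backlog=$(audit_status_field "$line" backlog)
    backlog_limit=$(audit_status_field "$line" backlog_limit)
    lost=${lost:-0}; backlog=${backlog:-0}; backlog_limit=${backlog_limit:-0}
    rc=0

    case "$enabled" in
        0) echo "auditing is disabled (enabled=0)"; rc=1 ;;
        1) echo "note: configuration is not locked (enabled=1); -e 2 locks it down" ;;
        2) ;;  # enabled and locked; nothing to report
        *) echo "cannot parse enabled flag: '$enabled'"; rc=1 ;;
    esac

    # flag=2 means the kernel panics on audit failure; worth knowing before raising rate_limit
    if [ "$flag" = 2 ]; then
        echo "warning: failure flag is panic (flag=2); an audit failure halts the host"
    fi

    if [ "$lost" -gt 0 ]; then
        echo "$lost audit message(s) lost; check rate_limit and backlog_limit"; rc=1
    fi

    # Example threshold: report when 80% or more of the outstanding buffers are in use.
    if [ "$backlog_limit" -gt 0 ] && [ $(( backlog * 100 / backlog_limit )) -ge 80 ]; then
        echo "backlog $backlog of $backlog_limit buffers in use"; rc=1
    fi
    return $rc
}

# Stand-alone usage: on a real host replace the sample with "$(auditctl -s)".
audit_status_check "$SAMPLE_STATUS"
```

Because the status line is also emitted whenever the enable flag is changed, the same function can be run on the output of auditctl -e to confirm that the change took effect.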
Table 29-1 Audit Status Flags
| Flag | Meaning [Possible Values] | Command |
|---|---|---|
| enabled | Set the enable flag. [0..2] 0=disable, 1=enable, 2=enable and lock down the configuration | auditctl -e [0\|1] |
| flag | Set the failure flag. [0..2] 0=silent, 1=printk, 2=panic (immediate halt without syncing pending data to disk) | auditctl -f [0\|1\|2] |
| pid | Process ID under which auditd is running. | — |
| rate_limit | Set a limit in messages per second. If the rate is not zero and it is exceeded, the action specified in the failure flag is triggered. | auditctl -r rate |
| backlog_limit | Specify the maximum number of outstanding audit buffers allowed. If all buffers are full, the action specified in the failure flag is triggered. | auditctl -b backlog |
| lost | Count the current number of lost audit messages. | — |
| backlog | Count the current number of outstanding audit buffers. | — |