auditctl is responsible for controlling the status and some basic system parameters of the audit daemon. It controls the amount of auditing performed on the system. Using audit rules, auditctl controls which components of your system are subjected to the audit and to what extent they are audited. Audit rules can be passed to the audit daemon on the auditctl command line, or composed as a rule set in a file that the audit daemon is then instructed to process. By default, the rcaudit script is configured to check for audit rules under /etc/audit.rules. For more details on audit rules, refer to Section 1.4, Passing Parameters to the Audit System.
The main auditctl commands to control basic audit system parameters are:
auditctl -e to enable or disable audit
auditctl -f to control the failure flag
auditctl -r to control the rate limit for audit messages
auditctl -b to control the backlog limit
auditctl -s to query the current status of the audit daemon
The -e, -f, -r, and -b options can also be specified in the audit.rules file to avoid having to enter them each time the audit daemon is started.
Audit status messages include information on each of the above-mentioned parameters. The following example shows a typical audit status message. This message is output to the terminal any time you query the status of the audit daemon with auditctl -s or change the enable flag with auditctl -e.
Example 1-1 Querying the Audit Status
AUDIT_STATUS: enabled=1 flag=2 pid=3105 rate_limit=0 backlog_limit=8192 lost=0 backlog=0
Table 1-1 Audit Status Flags
| Flag | Meaning [Possible Values] | Command |
|---|---|---|
| enabled | Set the enable flag. [0\|1] | auditctl -e [0\|1] |
| flag | Set the failure flag. [0..2] 0=silent, 1=printk, 2=panic (immediate halt without syncing pending data to disk) | auditctl -f [0\|1\|2] |
| pid | Process ID under which auditd is running. | — |
| rate_limit | Set a limit in messages per second. If the rate is not zero and it is exceeded, the action specified in the failure flag is triggered. | auditctl -r rate |
| backlog_limit | Specify the maximum number of outstanding audit buffers allowed. If all buffers are full, the action specified in the failure flag is triggered. | auditctl -b backlog |
| lost | Count the current number of lost audit messages. | — |
| backlog | Count the current number of outstanding audit buffers. | — |
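The status line in Example 1-1 and the field meanings in Table 1-1 are enough to build a small health check for the audit subsystem: parse the AUDIT_STATUS fields, name the configured failure action, and report settings that weaken auditing (auditing disabled, a silent failure flag, lost messages, or a backlog close to its limit). The following Python script is an added example, not part of the original documentation or of the audit package. It assumes the single-line AUDIT_STATUS format shown above; the sample line is constructed with illustrative values, and the 80 % backlog threshold is this example's own choice.

```python
"""Parse an AUDIT_STATUS line and report settings that weaken auditing.

Added example (not from the original page or the audit tools). Assumes the
single-line AUDIT_STATUS format of Example 1-1; SAMPLE_STATUS is constructed.
"""
import re
import sys

# Constructed sample in the format of Example 1-1 (values are illustrative).
SAMPLE_STATUS = ("AUDIT_STATUS: enabled=1 flag=2 pid=3105 rate_limit=0 "
                 "backlog_limit=8192 lost=0 backlog=0")

# Failure-flag values as documented in Table 1-1.
FAILURE_FLAGS = {0: "silent", 1: "printk", 2: "panic"}

EXPECTED_FIELDS = ("enabled", "flag", "pid", "rate_limit",
                   "backlog_limit", "lost", "backlog")


def parse_audit_status(line: str) -> dict:
    """Return the key=value fields of one AUDIT_STATUS line as integers."""
    line = line.strip()
    if not line.startswith("AUDIT_STATUS:"):
        raise ValueError("not an AUDIT_STATUS line: %r" % line)
    fields = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", line)}
    missing = [f for f in EXPECTED_FIELDS if f not in fields]
    if missing:
        raise ValueError("AUDIT_STATUS line lacks fields: %s" % ", ".join(missing))
    return fields


def describe_failure_flag(value: int) -> str:
    """Map the numeric failure flag to the action named in Table 1-1."""
    return FAILURE_FLAGS.get(value, "unknown(%d)" % value)


def check_audit_status(status: dict) -> list:
    """Return human-readable findings; an empty list means nothing to report.

    The 80 % backlog warning threshold is this example's own choice.
    """
    findings = []
    if status["enabled"] == 0:
        findings.append("auditing is disabled (enabled=0); no events are recorded")
    if status["flag"] == 0:
        findings.append("failure flag is 0 (silent): lost messages and full "
                        "backlogs trigger no visible action")
    if status["lost"] > 0:
        findings.append("%d audit messages have been lost" % status["lost"])
    limit = status["backlog_limit"]
    if limit > 0 and status["backlog"] >= 0.8 * limit:
        findings.append("backlog %d is at or above 80%% of backlog_limit %d; "
                        "raise the limit with auditctl -b or reduce rule volume"
                        % (status["backlog"], limit))
    return findings


if __name__ == "__main__":
    # Usage: auditctl -s | python3 audit_status_check.py
    # With no piped input the constructed sample line is checked instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    st = parse_audit_status(text)
    print("failure action: %s" % describe_failure_flag(st["flag"]))
    for finding in check_audit_status(st) or ["audit subsystem status looks healthy"]:
        print(" -", finding)
```

Running the script against the sample line reports the failure action as panic and no findings; feeding it a status line with enabled=0, flag=0, lost messages and a nearly full backlog produces one finding per condition, which is the signal an operator wants before trusting the audit trail.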