auditd -- read audit collection files generated by the audit subsystem and compact the records (obsolete)


/tcb/bin/auditd [ -y ] [ -n ]


In previous releases, auditd was the audit subsystem's daemon process. It is no longer supported, but still exists on the system solely for compatibility with legacy commands and applications that expect to be able to create audit records by writing to the message queue created by auditd.

The audit daemon no longer provides audit record collection, compaction, or . These services are provided by the audit subsystem described on the pages listed in the ``See also'' section, below.

The auditd daemon does provide the following application services, for compatibility with legacy commands and applications only. The daemon provides a mechanism whereby applications that are not privileged to open and write audit records to the audit device are able to send the daemon audit records. These are, in turn, written to the audit subsystem. To provide this service, the daemon creates a message queue which only certain applications with specific permission are able to send messages to. When one of the applications wishes to generate an audit record using this mechanism, the record is first constructed and then written to the message queue. The specific message queue is identified in the file /tcb/files/audit/audit_dmninfo. This file contains the audit_dmninfo structure which is defined in the include file <sys/audit.h>. The first field is the process ID of the daemon and the second is the message queue identifier. After the message has been written to the queue by the application, the application will generate a SIGUSR1 to the daemon indicating a message is waiting. The daemon responds by reading the message queue and writing the record to the audit subsystem device.

The auditd daemon must run with P_AUDIT and P_AUDITWR privileges (analogs of the legacy privileges SEC_CONFIG_AUDIT and SEC_WRITE_AUDIT).

Any command line arguments passed to auditd are ignored.

Exit values

Upon successful completion at the termination of auditing by the subsystem, the program exits with a status of 0. Otherwise, a diagnostic message is printed and the program exits with a status of -1.


Permission to use this utility requires the audit authorization in authorize(F).



See also

auditdmp(S), auditlog(ADM), auditmap(ADM), auditoff(ADM), auditoff(ADM), auditrpt(ADM), auditset(ADM)
© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005