|
|
The audit daemon no longer provides audit record collection, compaction, or . These services are provided by the audit subsystem described on the pages listed in the ``See also'' section, below.
The auditd daemon does provide the following application services, for compatibility with legacy commands and applications only. The daemon provides a mechanism whereby applications that are not privileged to open and write audit records to the audit device are able to send the daemon audit records. These are, in turn, written to the audit subsystem. To provide this service, the daemon creates a message queue which only certain applications with specific permission are able to send messages to. When one of the applications wishes to generate an audit record using this mechanism, the record is first constructed and then written to the message queue. The specific message queue is identified in the file /tcb/files/audit/audit_dmninfo. This file contains the audit_dmninfo structure which is defined in the include file <sys/audit.h>. The first field is the process ID of the daemon and the second is the message queue identifier. After the message has been written to the queue by the application, the application will generate a SIGUSR1 to the daemon indicating a message is waiting. The daemon responds by reading the message queue and writing the record to the audit subsystem device.
The auditd daemon must run with P_AUDIT and P_AUDITWR privileges (analogs of the legacy privileges SEC_CONFIG_AUDIT and SEC_WRITE_AUDIT).
Any command line arguments passed to auditd are ignored.