Справочник Пользователя для IBM 10 SP1 EAL4
Option
description
Possible values
-b
Sets max number of outstanding
buffer allowed. If all buffers are
exhausted, the failure flag is
checked.
buffer allowed. If all buffers are
exhausted, the failure flag is
checked.
Default is 64
-e
Sets enabled flag
0|1
-f
Sets failure flag
silent, printk, panic
-r
Sets the rate of messages/second.
If 0 no rate is set. If > 0 and rate
exceeded, the failure flag is
checked.
If 0 no rate is set. If > 0 and rate
exceeded, the failure flag is
checked.
Table 5-3: audictl control arguments
5.6.2.2 Operation
The audit framework operation consists of the following steps:
On kernel startup, if audit support was compiled into the kernel, the following are initialized:
On kernel startup, if audit support was compiled into the kernel, the following are initialized:
1. The netlink socket is created.
2. Four lists that hold the filter rules in the kernel are initialized.
3. The audit_initialized flag is set to true.
4. The audit_enabled flag is set according to audit_default or to the boot parameter audit.
2. Four lists that hold the filter rules in the kernel are initialized.
3. The audit_initialized flag is set to true.
4. The audit_enabled flag is set according to audit_default or to the boot parameter audit.
No syscall or file system auditing takes place without audit_enabled being set to true. The
audit_enabled flag can also be set from the command line using auditctl –e 1.
audit_enabled flag can also be set from the command line using auditctl –e 1.
5. The file system auditing is initialized by creating the watch lists and the hash table for the file system
auditing.
auditd does the following on startup:
1. Registers its pid with the kernel, so that the kernel starts sending all audit events to the daemon (to
the netlink).
2. Enables auditing.
3. Opens the netlink socket, and spawns a thread that continuously waits on the condition of audit record
3. Opens the netlink socket, and spawns a thread that continuously waits on the condition of audit record
data availability on the netlink. Once the data is available, it signals the thread that writes out the
audit records.
audit records.
4. Reads the /etc/auditd.conf configuration file, which holds the configuration parameters that
define, among other things, what to do when errors are encountered, or when the log files are full.
5. Usually, auditd is run by the /etc/init.d/auditd initialization script, which issues
auditctl –R /etc/audit.rules, if the file /etc/auditd.rules exists.
6. The auditctl command can be used at any time, even before auditd is running, to add and build
rules associated with possible actions for system calls and file system operations, as well as setting
the behavior of the audit subsystem in the kernel.
the behavior of the audit subsystem in the kernel.
139