audfilterd.1m (2010 09)

audfilterd(1M) audfilterd(1M)
NAME
     audfilterd - daemon to monitor mounted file system table changes and handle requests to load or display rule-based audit filtering policy
SYNOPSIS
     /usr/sbin/audfilterd -k
     /usr/sbin/audfilterd -s [-t wakeup_period]
     /usr/sbin/audfilterd -t wakeup_period
     /usr/sbin/audfilterd -x
DESCRIPTION
     Once the audfilterd daemon has started (see the description of the -s option below), it is ready to handle user requests to configure rule-based audit filtering policy, display the content of the policy, display daemon status, or stop the daemon (see audfilter(1M)). The audfilter command issues these requests to the audfilterd daemon via a Unix domain socket. The daemon determines whether it can satisfy the request and returns the appropriate results to the requesting process.

     If the request is to configure rule-based audit filtering policy, the daemon reads the /etc/audit/filter.conf file and loads the rules into the kernel. With the rules loaded into the kernel, the policy becomes effective and the auditing system is then capable of filtering out audit records based on the policy.

     To disable this feature, use audfilter -z to clear the rules loaded in the kernel. Stopping the daemon itself is optional.

     While the daemon is running, it periodically monitors the mounted file system table for changes. Upon detecting a change, the daemon reapplies the rules that were last loaded into the kernel (that is, the last loaded contents of the /etc/audit/filter.conf file are reevaluated against the newly mounted file systems).

     In addition, the daemon is also woken up to reload the rules whenever a file system is mounted successfully.

     All daemon messages are logged through the syslogd daemon facility.

     This command is restricted to privileged users.
OPTIONS
     audfilterd recognizes the following options:

     -k               Kill the currently running daemon. This request causes the running daemon to exit gracefully. A success or failure status is reported for the request. An equivalent way to kill the daemon is to run /sbin/init.d/audfilterd stop. This also has the side effect of stopping the filter functionality (that is, it is equivalent to running audfilter -z).

     -s               Start the daemon. During startup, the daemon tries to load the rules that were last successfully loaded into the kernel (that is, the content of the /var/spool/audfilterd/filter.conf.cache file). If no rules were loaded on this system before, the daemon starts up with no rules in effect. For this reason, it is recommended to use the /sbin/init.d/audfilterd script to start the daemon: /sbin/init.d/audfilterd start not only starts the daemon but also configures a policy (that is, loads the rules specified in the /etc/audit/filter.conf file) into the kernel.

     -t wakeup_period Specify how often the daemon should wake itself up when there is no external request to wake it. When the daemon wakes up, it tries to detect any changes in the mounted file system table. If any changes are detected, the daemon updates the audit filtering rules currently loaded in the kernel. By default, wakeup_period is 2 (minutes).

     -x               Display the status of the daemon.
RETURN VALUE
     The audfilterd command returns 0 for success and non-zero for errors.

HP-UX 11i Version 3: September 2010                    Hewlett-Packard Company
