Audit

From Gentoo Wiki
This article is a stub.

The Linux Audit System is designed to help make Linux compliant with the requirements of Common Criteria, PCI-DSS and other security standards. The kernel intercepts system calls and other security-relevant events and passes audit records to user space, where the audit daemon (auditd) serializes them together with the records that privileged user space applications (PAM, login, sshd and the like) submit on their own. The framework writes the configured events to disk and can distribute them to plugins in real time. Each audit event contains the date and time of the event, the type of event, the subject identity (including the login uid, auid, which su and sudo do not change), the object acted upon, and, where applicable, the result (success/fail) of the action. Note that audit records actions after the fact; it does not block them.
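The multi-record layout of an event, and how its fields map onto subject, object and result, is easiest to see by parsing a few records. The following Python is an added example, not part of this page or of the audit project: it groups records in the layout auditd writes to /var/log/audit/audit.log by their msg=audit(time:serial) identifier, extracts the fields listed above, decodes the hex-encoded PROCTITLE record, and reports every event that touched a path on a small watch list. The log lines are constructed samples, and the SENSITIVE list and the rule keys ("shadow-write", "shadow-read") are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records in the layout auditd writes to /var/log/audit/audit.log:
# 457: root (logged in as uid 1000) opens /etc/shadow for writing; 458: an unprivileged
# user is denied (exit=-13) reading it; 459: a USER_LOGIN record from sshd with a nested msg='...'.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:457): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1 a2=80241 a3=1b6 items=2 ppid=1234 pid=1240 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vim" key="shadow-write"
type=PATH msg=audit(1700000000.123:457): item=0 name="/etc/" inode=131073 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.123:457): item=1 name="/etc/shadow" inode=131201 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.123:457): proctitle=7669002F6574632F736861646F77
type=SYSCALL msg=audit(1700000005.500:458): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffe2 a2=0 a3=0 items=1 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="cat" exe="/bin/cat" key="shadow-read"
type=PATH msg=audit(1700000005.500:458): item=0 name="/etc/shadow" inode=131201 dev=08:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000005.500:458): proctitle=636174002F6574632F736861646F77
type=USER_LOGIN msg=audit(1700000010.000:459): pid=2100 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/2 res=success'
"""

HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<rest>.*)$")
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")  # values may be quoted and contain spaces
SENSITIVE = ("/etc/shadow", "/etc/sudoers")  # watch list; an assumption for this example


def parse_fields(text):
    """Parse one record body into a dict, unquoting values and decoding PROCTITLE."""
    fields = {}
    for key, raw in FIELD_RE.findall(text):
        quoted = len(raw) >= 2 and raw[0] in "\"'" and raw[-1] == raw[0]
        val = raw[1:-1] if quoted else raw
        if key == "proctitle" and not quoted:  # hex-encoded argv, entries NUL separated
            val = bytes.fromhex(val).replace(b"\x00", b" ").decode("utf-8", "replace")
        fields[key] = val
    # USER_* records nest a second key=value list in msg='...'; hoist its keys, outer ones win
    if "msg" in fields:
        for key, val in parse_fields(fields["msg"]).items():
            fields.setdefault(key, val)
    return fields


def parse_log(text):
    """Group records by their audit(time:serial) id; one id is one event."""
    events = {}
    for m in filter(None, map(HEADER_RE.match, text.splitlines())):
        ev = events.setdefault(m["serial"], {"serial": int(m["serial"]), "records": [],
                               "time": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)})
        ev["records"].append((m["type"], parse_fields(m["rest"])))
    return [events[k] for k in sorted(events, key=int)]


def summarize(event):
    """Reduce a multi-record event to time, type, subject, object(s) and result."""
    by_type = defaultdict(list)
    for rtype, fields in event["records"]:
        by_type[rtype].append(fields)
    # The SYSCALL record carries subject and result; otherwise the first record does
    # (USER_LOGIN, CRED_ACQ, ...).
    primary_type, primary = event["records"][0]
    if by_type["SYSCALL"]:
        primary_type, primary = "SYSCALL", by_type["SYSCALL"][0]
    if "success" in primary:  # kernel records: success=yes|no
        result = "success" if primary["success"] == "yes" else "fail"
    elif "res" in primary:  # user-space records: res=success|failed
        result = "success" if primary["res"] == "success" else "fail"
    else:
        result = None
    return {
        "serial": event["serial"],
        "time": event["time"].isoformat(),
        "type": primary_type,
        # auid is the login uid, unchanged by su/sudo: it names the real actor
        "subject": {k: primary.get(k) for k in ("auid", "uid", "pid", "exe")},
        # PARENT entries are the containing directory, not the object itself
        "objects": [f["name"] for f in by_type["PATH"] if f.get("nametype") != "PARENT"],
        "result": result,
        "key": primary.get("key"),
        "proctitle": (by_type["PROCTITLE"] or [{}])[0].get("proctitle"),
    }


def find_alerts(events):
    """Report every event that touched a SENSITIVE path, whether it succeeded or was denied."""
    alerts = []
    for ev in map(summarize, events):
        touched = [o for o in ev["objects"] if o in SENSITIVE]
        if touched:
            alerts.append({
                "serial": ev["serial"],
                "verdict": "accessed" if ev["result"] == "success" else "denied",
                "objects": touched,
                "auid": ev["subject"]["auid"],
                "uid": ev["subject"]["uid"],
                # login identity differs from the acting uid: privilege was changed first
                "escalated": ev["subject"]["auid"] != ev["subject"]["uid"],
                "key": ev["key"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

Running it prints two alerts: serial 457 as a successful access with escalated=True (auid 1000 acting as uid 0), and 458 as a denied access. The denied attempt is worth keeping: the kernel records failed syscalls too, and a burst of EACCES on /etc/shadow from one auid is a better indicator than the rare successful write. On a real system the same functions can be fed the output of ausearch --raw.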

Installation

Kernel

Kernel support is required: CONFIG_AUDIT (General setup, "Auditing support") must be enabled. On architectures that support it, system call auditing (CONFIG_AUDITSYSCALL) is selected automatically once CONFIG_AUDIT is set; it is what the system call and file watch rules that make up most audit policies depend on, so a kernel without it records only the events user space submits on its own.

USE flags

USE flags for sys-process/audit (Userspace utilities for storing and processing auditing records):

gssapi: Enable GSSAPI support
io-uring: Enable the use of io_uring for efficient asynchronous IO and system requests
ldap: Add LDAP support (Lightweight Directory Access Protocol)
python: Add optional support/bindings for the Python language
split-usr: Enable behavior to support maintaining /bin, /lib*, /sbin and /usr/sbin separately from /usr/bin and /usr/lib*
static-libs: Build static versions of dynamic libraries as well
test: Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)

Emerge

root #emerge --ask sys-process/audit

Usage

Daemon

To start the daemon now and have it started at boot on OpenRC systems, run:

root #rc-service auditd start
root #rc-update add auditd default

On systemd systems, enable and start it in one step:

root #systemctl enable --now auditd

By default auditd writes events to /var/log/audit/audit.log; while no daemon is connected, the kernel only emits audit records to the kernel log, so start auditd before relying on the log. Without rules the log contains only the events user space submits on its own (logins, PAM sessions and the like); system call and file watch events need rules, which auditd loads at startup from /etc/audit/rules.d/ (assembled into /etc/audit/audit.rules by augenrules).