The following figure illustrates how the various components of audit interact with each other:
Figure 29-1 Introducing the Components of Linux Audit
Straight arrows represent the data flow between components while dashed arrows represent lines of control between components.
The audit daemon (auditd) writes to disk the audit messages that the kernel audit interface generates in response to application and system activity. How the daemon is started is controlled by its configuration file, /etc/sysconfig/auditd; how the audit system behaves once the daemon is running (log file location, log rotation, what to do when the disk fills up, and so on) is controlled by /etc/audit/auditd.conf. For more information about auditd and its configuration, refer to Section 29.2, Configuring the Audit Daemon.
The auditctl utility controls the audit system: it sets the log generation parameters and the kernel settings of the audit interface, and it loads the rule sets that determine which events are tracked. For more information about auditctl, refer to Section 29.3, Controlling the Audit System Using auditctl.
The file /etc/audit/audit.rules contains a sequence of auditctl commands that are loaded at system boot time immediately after the audit daemon is started. For more information about audit rules, refer to Section 29.4, Passing Parameters to the Audit System.
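As an added example (not taken from the page or from the audit package itself), the following script shows what such a file looks like and what it means for its contents to be "a sequence of auditctl commands". The rules are a constructed sample: a watch on the password database files and a syscall rule that records every program execution. The helper rules_to_auditctl expands the file into the auditctl invocations that auditctl -R performs when the file is loaded; rules_keys lists the -k keys, which are the handles you later pass to ausearch -k and aureport -k.

```shell
#!/bin/sh
# Constructed sample of an /etc/audit/audit.rules file (not the page's own).
# Each non-comment line is the argument list of one auditctl command.
audit_rules() {
cat <<'EOF'
# Flush existing rules, then size the kernel backlog and set failure mode
# (1 = printk on failure; 2 would panic the machine, so do not use it casually)
-D
-b 8192
-f 1
# Watch the account databases for writes and attribute changes
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
# Record every execve(), on both the 64-bit and 32-bit syscall tables
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b32 -S execve -k exec
EOF
}

# Expand the rules file into the auditctl command lines it stands for:
# strip comments and blank lines, prefix each remaining line with "auditctl ".
rules_to_auditctl() {
    audit_rules | sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e 's/^/auditctl /'
}

# List the distinct -k keys defined by the rules (one per line, sorted).
rules_keys() {
    audit_rules | sed -n 's/.*-k \([^ ]*\).*/\1/p' | sort -u
}

rules_to_auditctl
rules_keys

# On a real system (root, auditd running) the equivalent load and check is:
#   auditctl -R /etc/audit/audit.rules && auditctl -l
```

Keep -D as the first rule so a reload does not duplicate rules, and keep the -f setting at 1 unless you have decided that losing audit records must halt the machine. Once the rules are active, ausearch -k identity or aureport -k shows the events each key produced.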
The aureport utility allows you to create custom reports from the audit event log. This report generation can easily be scripted and the output can be used by various other applications, for example, to plot these results. For more information about aureport, refer to Section 29.5, Understanding the Audit Logs and Generating Reports.
The ausearch utility can search the audit log file for certain events using various keys or other characteristics of the logged format. For more information about ausearch, refer to Section 29.6, Querying the Audit Daemon Logs with ausearch.
The audit dispatcher daemon (audispd) can be used to relay event notifications to other applications instead of or in addition to writing them to disk in the audit log.
The autrace utility traces individual processes in a fashion similar to strace. The output of autrace is logged to the audit log. For more information about autrace, refer to Section 29.7, Analyzing Processes with autrace.