The audit consists of several components, each contributing to the interception of operating system calls and the recording of relevant events.
You can see these components and their interaction in the following SVG image:
- auditd – this audit daemon is responsible for writing the audit messages that were generated through the audit kernel interface and triggered by application and system activity to disk. The way the audit daemon is started is controlled by systemd. The audit system functions (when started) are controlled by /etc/audit/auditd.conf;
- auditctl -the auditctl utility controls the audit system. It controls the log generation parameters and kernel settings of the audit interface and the rule set that determine which events are tracked;
- audit rules -the file /etc/audit/audit.rules contain a sequence of auditctl commands that are loaded at system boot time immediately after the audit daemon is started;
- aureport – this utility allows you to create custom reports from the audit event log. This report generation can easily be scripted, and the output can be used by various other applications, for example, to plot these results;
- ausearch – the ausearch utility can search the audit log file for certain events using various keys or other characteristics of the logged format;
- audispd – the audit dispatcher daemon can be used to relay event notifications to other applications;
- autrace – the autrace utility traces individual processes in a fashion similar to strace;
- aulast – prints a list of the last logged-in users, similarly to last searches back through the audit logs and displays a list of all users logged in and out based on the range of time in the audit logs;
- aulastlog – prints the login name, port, and last login time for all users of a machine similar to the way lastlog does.