The audit package contains the user space utilities for storing and searching the audit records generated by
the audit subsystem in the Linux 2.6 and later kernels.
the audit subsystem in the Linux 2.6 and later kernels.
3.0




2.8.5



2.8.4

2.8.3

2.8.1



2.3.6

Distribution | Version | Since | Package | Installed | Packager | |
---|---|---|---|---|---|---|
![]() | xz | 2.8.5-6 | 2019-11-14 | 339 kiB | 982 kiB | Evangelos Foutras |
![]() | rpm | 2.8.5-4.el7 | 2020-01-07 | 256 kiB | 645 kiB | CentOS BuildSystem |
![]() | rpm | 2.8.3-3.fc28 | 2019-01-14 | 258 kiB | 663 kiB | Fedora Project |
![]() | rpm | 2.8.3-3.fc28 | 2019-01-14 | 258 kiB | 663 kiB | Fedora Project |
![]() | rpm | 2.8.3-3.fc28 | 2019-01-14 | 258 kiB | 663 kiB | Fedora Project |
![]() | rpm | 3.0-0.4.20180831git0047a6c.fc29 | 2019-01-14 | 225 kiB | 670 kiB | Fedora Project |
![]() | rpm | 3.0-0.4.20180831git0047a6c.fc29 | 2019-01-14 | 225 kiB | 670 kiB | Fedora Project |
![]() | rpm | 3.0-0.4.20180831git0047a6c.fc29 | 2019-01-14 | 225 kiB | 670 kiB | Fedora Project |
![]() | rpm | 3.0-0.2.20180808git77fbcf3.fc29 | 2019-01-14 | 224 kiB | 669 kiB | Fedora Project |
![]() | rpm | 3.0-0.2.20180808git77fbcf3.fc29 | 2019-01-14 | 224 kiB | 669 kiB | Fedora Project |
![]() | rpm | 3.0-0.2.20180808git77fbcf3.fc29 | 2019-01-14 | 224 kiB | 669 kiB | Fedora Project |
![]() | rpm | 3.0-0.7.20190326git03e7489.fc30 | 2019-06-17 | 228 kiB | 776 kiB | Fedora Project |
![]() | rpm | 3.0-0.7.20190326git03e7489.fc30 | 2019-06-17 | 228 kiB | 776 kiB | Fedora Project |
![]() | rpm | 3.0-0.7.20190326git03e7489.fc30 | 2019-06-17 | 228 kiB | 776 kiB | Fedora Project |
![]() | rpm | 3.0-0.6.20181218gitbdb72c0.fc30 | 2019-06-17 | 227 kiB | 781 kiB | Fedora Project |
![]() | rpm | 3.0-0.6.20181218gitbdb72c0.fc30 | 2019-06-17 | 227 kiB | 781 kiB | Fedora Project |
![]() | rpm | 3.0-0.12.20190507gitf58ec40.fc31 | 2020-01-07 | 250 kiB | 681 kiB | Fedora Project |
![]() | rpm | 3.0-0.12.20190507gitf58ec40.fc31 | 2020-01-07 | 250 kiB | 681 kiB | Fedora Project |
![]() | rpm | 3.0-0.19.20191104git1c2f876.fc33 | 2020-03-13 | 252 kiB | 678 kiB | Fedora Project |
![]() | rpm | 3.0-0.19.20191104git1c2f876.fc33 | 2020-03-13 | 252 kiB | 678 kiB | Fedora Project |
![]() | rpm | 3.0-0.12.20190507gitf58ec40.fc31 | 2019-08-03 | 250 kiB | 681 kiB | Fedora Project |
![]() | xz | 2.8.4-3 | 2019-02-19 | 336 kiB | 1.03 MiB | Jelle van der Waa |
![]() | xz | 2.8.4-3 | 2019-02-12 | 336 kiB | 1.03 MiB | Jelle van der Waa |
![]() | xz | 2.8.4-3 | 2019-02-07 | 336 kiB | 1.03 MiB | Jelle van der Waa |
![]() | rpm | 2.8.1-lp150.3.2 | 2019-01-17 | 227 kiB | 619 kiB | https://bugs.opensuse.org |
![]() | rpm | 2.8.1-lp151.4.4 | 2019-01-23 | 226 kiB | 619 kiB | https://bugs.opensuse.org |
![]() | rpm | 2.8.1-lp152.5.4 | 2020-03-19 | 224 kiB | 619 kiB | https://bugs.opensuse.org |
![]() | rpm | 2.3.6-6.1 | 2019-01-17 | 201 kiB | 586 kiB | http://bugs.opensuse.org |
![]() | rpm | 2.3.6-8.1 | 2019-01-21 | 201 kiB | 587 kiB | http://bugs.opensuse.org |
![]() | rpm | 2.8.5-1.2 | 2020-03-11 | 247 kiB | 727 kiB | https://bugs.opensuse.org |
Manual pages
audit_add_rule_data(3)
audit_add_rule_data - Add new audit rule
audit_add_watch(3)
audit_add_watch - create a rule layout for a watch
audit_delete_rule_data(3)
audit_delete_rule_data - Delete audit rule
audit_detect_machine(3)
audit_detect_machine - Detects the current machine type
audit_encode_nv_string(3)
audit_encode_nv_string - encode a name/value pair in a string
audit_getloginuid(3)
audit_getloginuid - Get a program’s loginuid value
audit_get_reply(3)
audit_get_reply - Get the audit system’s reply
audit_get_session(3)
audit_get_session - Get a program’s login session id value
audit_log_acct_message(3)
audit_log_acct_message - log a user account message
audit_log_semanage_message(3)
audit_log_semanage_message - log a semanage message
audit_log_user_avc_message(3)
audit_log_user_avc_message - log a user avc message
audit_log_user_command(3)
audit_log_user_command - log a user command
audit_log_user_comm_message(3)
audit_log_user_comm_message - log a user message from a console app
audit_log_user_message(3)
audit_log_user_message - log a general user message
audit_open(3)
audit_open - Open a audit netlink socket connection
audit_request_rules_list_data(3)
audit_request_rules_list_data - Request list of current audit rules
audit_request_signal_info(3)
audit_request_signal_info - Request signal info for the audit system
audit_request_status(3)
audit_request_status - Request status of the audit system
audit_setloginuid(3)
audit_setloginuid - Set a program’s loginuid value
audit_set_backlog_limit(3)
audit_set_backlog_limit - Set the audit backlog limit
audit_set_backlog_wait_time(3)
audit_set_backlog_wait_time - Set the audit backlog wait time
audit_set_enabled(3)
audit_set_enabled - Enable or disable auditing
audit_set_failure(3)
audit_set_failure - Set audit failure flag
audit_set_pid(3)
audit_set_pid - Set audit daemon process ID
audit_set_rate_limit(3)
audit_set_rate_limit - Set audit rate limit
audit_update_watch_perms(3)
audit_update_watch_perms - update permissions field of watch command
auparse_add_callback(3)
auparse_add_callback - add a callback handler for notifications
auparse_destroy(3)
auparse_destroy - release instance of parser
auparse_feed(3)
auparse_feed - feed data into parser
auparse_feed_age_events(3)
auparse_feed_age_events - check events for complete based on time.
auparse_feed_has_data(3)
auparse_feed_has_data - check if there is any data accumulating that might need flushing.
auparse_find_field(3)
auparse_find_field - search for field name
auparse_find_field_next(3)
auparse_find_field_next - find next occurrence of field name
auparse_first_field(3)
auparse_first_field - reposition field cursor
auparse_first_record(3)
auparse_first_record - reposition record cursor
auparse_flush_feed(3)
auparse_flush_feed - flush any unconsumed feed data through parser.
auparse_get_field_int(3)
auparse_get_field_int - get current field’s value as an int
auparse_get_field_name(3)
auparse_get_field_name - get current field’s name
auparse_get_field_num(3)
auparse_get_field_num - get current field cursor location
auparse_get_field_str(3)
auparse_get_field_str - get current field’s value
auparse_get_field_type(3)
auparse_get_field_type - get current field’s data type
auparse_get_filename(3)
auparse_get_filename - get the filename where record was found
auparse_get_line_number(3)
auparse_get_line_number - get line number where record was found
auparse_get_milli(3)
auparse_get_milli - get the millisecond value of the event
auparse_get_node(3)
auparse_get_node - get the event’s machine node name
auparse_get_num_fields(3)
auparse_get_num_fields - get the number of fields
auparse_get_num_records(3)
auparse_get_num_records - get the number of records
auparse_get_record_num(3)
auparse_get_record_num - get current record cursor location
auparse_get_record_text(3)
auparse_get_record_text - access unparsed record data
auparse_get_serial(3)
auparse_get_serial - get the event’s serial number
auparse_get_time(3)
auparse_get_time - get event’s time
auparse_get_timestamp(3)
auparse_get_timestamp - access timestamp of the event
auparse_get_type(3)
auparse_get_type - get record’s type
auparse_get_type_name(3)
auparse_get_type_name - get record’s type translation
auparse_goto_field_num(3)
auparse_goto_field_num - move field cursor to specific field
auparse_goto_record_num(3)
auparse_goto_record_num - move record cursor to specific record
auparse_init(3)
auparse_init - initialize an instance of the audit parsing library
auparse_interpret_field(3)
auparse_interpret_field, auparse_interpret_realpath,auparse_interpret_sock_family,auparse_interpret_sock_port,auparse_interpret_sock_address - get current field’s interpreted value
auparse_next_event(3)
auparse_next_event - get the next event
auparse_next_field(3)
auparse_next_field - move field cursor
auparse_next_record(3)
auparse_next_record - move record cursor
auparse_node_compare(3)
auparse_node_compare - compares node name values
auparse_normalize(3)
auparse_normalize - normalize the current event
auparse_reset(3)
auparse_reset - reset audit parser instance
auparse_set_escape_mode(3)
auparse_set_escape_mode - choose escape method
auparse_timestamp_compare(3)
auparse_timestamp_compare - compares timestamp values
ausearch_add_expression(3)
ausearch_add_expression - build up search expression
ausearch_add_interpreted_item(3)
ausearch_add_interpreted_item - build up search rule
ausearch_add_item(3)
ausearch_add_item - build up search rule
ausearch_add_regex(3)
ausearch_add_regex - use regular expression search rule
ausearch_add_timestamp_item(3)
ausearch_add_timestamp_item - build up search rule
ausearch_add_timestamp_item_ex(3)
ausearch_add_timestamp_item_ex - build up search rule
ausearch_clear(3)
ausearch_clear - clear search parameters
ausearch_next_event(3)
ausearch_next_event - find the next event that meets search criteria
ausearch_set_stop(3)
ausearch_set_stop - set the cursor position
get_auditfail_action(3)
get_auditfail_action - Get failure_action tunable value
set_aumessage_mode(3)
set_message_mode - Sets the message mode
audisp-remote.conf(5)
audisp-remote.conf - the audisp-remote configuration file
audispd.conf(5)
audispd.conf - the audit event dispatcher configuration file
auditd-plugins(5)
audit-plugins - realtime event receivers
auditd.conf(5)
auditd.conf - audit daemon configuration file
ausearch-expression(5)
ausearch-expression - audit search expression format
libaudit.conf(5)
libaudit.conf - libaudit configuration file
zos-remote.conf(5)
zos-remote.conf - the audisp-racf plugin configuration file
audit.rules(7)
audit.rules - a set of rules loaded in the kernel audit system
audisp-remote(8)
audisp-remote - plugin for remote logging
audispd(8)
audispd - an event multiplexor
audispd-zos-remote(8)
audispd-zos-remote - z/OS Remote-services Audit dispatcher plugin
auditctl(8)
auditctl - a utility to assist controlling the kernel’s audit system
auditd(8)
auditd - The Linux Audit daemon
augenrules(8)
augenrules - a script that merges component audit rule files
aulast(8)
aulast - a program similar to last
aulastlog(8)
aulastlog - a program similar to lastlog
aureport(8)
aureport - a tool that produces summary reports of audit daemon logs
ausearch(8)
ausearch - a tool to query audit daemon logs
ausyscall(8)
ausyscall - a program that allows mapping syscall names and numbers
autrace(8)
autrace - a program similar to strace
auvirt(8)
auvirt - a program that shows data related to virtual machines
Latest updates

OpenSUSE Leap 15.2 oss: Updated from 2.8.1-lp152.5.3 to 2.8.1-lp152.5.4
2020-03-19
- Change openldap dependency to client only (bsc#1085003)

Fedora rawhide development/Server-os: Updated from 3.0-0.18.20191104git1c2f876.fc32 to 3.0-0.19.20191104git1c2f876.fc33
2020-03-13
- Add Obsolete python2-audit (#1783061)

Fedora rawhide development/Everything-os: Updated from 3.0-0.18.20191104git1c2f876.fc32 to 3.0-0.19.20191104git1c2f876.fc33
2020-03-13
- Add Obsolete python2-audit (#1783061)

OpenSUSE Tumbleweed oss: Updated from 2.8.5-1.1 to 2.8.5-1.2
2020-03-11
- Update to version 2.6.5:
- Fix segfault on shutdown
- Fix hang on startup (#1587995)
- Add sleep to script to dump state so file is ready when needed
- Add auparse_normalizer support for SOFTWARE_UPDATE event
- Mark netlabel events as simple events so that get processed quicker
- When audispd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
- Add 30-ospp-v42.rules to meet new Common Criteria requirements
- Update lookup tables for the 4.18 kernel
- In aureport, fix segfault in file report
- Add auparse_normalizer support for labeled networking events
- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
- Event aging is off by a second
- In ausearch/auparse, correct event ordering to process oldest first
- auparse_reset was not clearing everything it should
- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
- In ausearch/report, lightly parse selinux portion of USER_AVC events
- In ausearch/report, limit record size when malformed
- In auditd, fix extract_type function for network originating events
- In auditd, calculate right size and location for network originating events
- Treat all network originating events as VER2 so dispatcher doesn't format it
- In audisp-remote do an initial connection attempt (#1625156)
- In auditd, allow expression of space left as a percentage (#1650670)
- On PPC64LE systems, only allow 64 bit rules (#1462178)
- Make some parts of auditd state report optional based on config
- Fix ausearch when checkpointing a single file (Burn Alting)
- Fix scripting in 31-privileged.rules wrt filecap (#1662516)
- In ausearch, do not checkpt if stdin is input source
- In libev, remove __cold__ attribute for functions to allow proper hardening
- Add tests to configure.ac for openldap support
- Make systemd support files use /run rather than /var/run (Christian Hesse)
- Fix minor memory leak in auditd kerberos credentials code
- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
- In ausearch/report fix --end to use midnight time instead of now (#1671338)
- Fix build errors when using gcc-10 no-common default (bsc#1160384) New patch: audit-fno-common.patch
- Refresh audit-allow-manual-stop.patch

Fedora rawhide development/Everything-os: Updated from 3.0-0.16.20191104git1c2f876.fc32 to 3.0-0.18.20191104git1c2f876.fc32
2020-01-31
- Fix multiple definition of `event_node_list' (#1794446)

Fedora rawhide development/Server-os: Updated from 3.0-0.16.20191104git1c2f876.fc32 to 3.0-0.18.20191104git1c2f876.fc32
2020-01-31
- Fix multiple definition of `event_node_list' (#1794446)

OpenSUSE Tumbleweed oss: Updated from 2.8.4-2.3 to 2.8.5-1.1
2020-01-25
- Update to version 2.6.5:
- Fix segfault on shutdown
- Fix hang on startup (#1587995)
- Add sleep to script to dump state so file is ready when needed
- Add auparse_normalizer support for SOFTWARE_UPDATE event
- Mark netlabel events as simple events so that get processed quicker
- When audispd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
- Add 30-ospp-v42.rules to meet new Common Criteria requirements
- Update lookup tables for the 4.18 kernel
- In aureport, fix segfault in file report
- Add auparse_normalizer support for labeled networking events
- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
- Event aging is off by a second
- In ausearch/auparse, correct event ordering to process oldest first
- auparse_reset was not clearing everything it should
- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
- In ausearch/report, lightly parse selinux portion of USER_AVC events
- In ausearch/report, limit record size when malformed
- In auditd, fix extract_type function for network originating events
- In auditd, calculate right size and location for network originating events
- Treat all network originating events as VER2 so dispatcher doesn't format it
- In audisp-remote do an initial connection attempt (#1625156)
- In auditd, allow expression of space left as a percentage (#1650670)
- On PPC64LE systems, only allow 64 bit rules (#1462178)
- Make some parts of auditd state report optional based on config
- Fix ausearch when checkpointing a single file (Burn Alting)
- Fix scripting in 31-privileged.rules wrt filecap (#1662516)
- In ausearch, do not checkpt if stdin is input source
- In libev, remove __cold__ attribute for functions to allow proper hardening
- Add tests to configure.ac for openldap support
- Make systemd support files use /run rather than /var/run (Christian Hesse)
- Fix minor memory leak in auditd kerberos credentials code
- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
- In ausearch/report fix --end to use midnight time instead of now (#1671338)
- Fix build errors when using gcc-10 no-common default (bsc#1160384) New patch: audit-fno-common.patch
- Refresh audit-allow-manual-stop.patch

OpenSUSE Tumbleweed oss: Updated from 2.8.4-2.2 to 2.8.4-2.3
2020-01-24
- Reduce scriptlets' hard dependency on systemd.

Fedora 31 releases/Server-os: Version 3.0-0.12.20190507gitf58ec40.fc31 introduced
2020-01-07
- Fix 1734953 - audit: FTBFS in Fedora rawhide/f31

Fedora 31 releases/Everything-os: Version 3.0-0.12.20190507gitf58ec40.fc31 introduced
2020-01-07
- Fix 1734953 - audit: FTBFS in Fedora rawhide/f31

OpenSUSE Leap 15.2 oss: Version 2.8.1-lp152.5.3 introduced
2020-01-07
- Change openldap dependency to client only (bsc#1085003)

CentOS 7.7.1908 os: Version 2.8.5-4.el7 introduced
2020-01-07
resolves: #1696709 - updating auditd is enabling disabled service

Fedora rawhide development/Server-os: Updated from 3.0-0.15.20191104git1c2f876.fc32 to 3.0-0.16.20191104git1c2f876.fc32
2019-11-26
- Drop python2 subpackage (#1775076)

Fedora rawhide development/Everything-os: Updated from 3.0-0.15.20191104git1c2f876.fc32 to 3.0-0.16.20191104git1c2f876.fc32
2019-11-26
- Drop python2 subpackage (#1775076)

Arch rolling testing/os: Version 2.8.5-6 removed
2019-11-14

Arch rolling core/os: Updated from 2.8.5-3 to 2.8.5-6
2019-11-14

Arch rolling staging/os: Version 2.8.5-7 removed
2019-11-14

Arch rolling staging/os: Version 2.8.5-7 introduced
2019-11-13

Arch rolling testing/os: Version 2.8.5-6 introduced
2019-11-10

Arch rolling staging/os: Version 2.8.5-6 removed
2019-11-10
Related packages
audit-audispd-plugins - Default plugins for the audit dispatcher
audit-audispd-plugins-debuginfo - Debug information for package audit-audispd-plugins
audit-debuginfo - Debug information for package audit
audit-debugsource - Debug sources for package audit
audit-devel - Header files for libaudit
audit-devel-32bit - Header files for libaudit
audit-libs - Dynamic library for libaudit
audit-libs-debuginfo - Debug information for package audit-libs
audit-libs-devel - Header files for libaudit
audit-libs-python - Python bindings for libaudit
audit-libs-python-debuginfo - Debug information for package audit-libs-python
audit-libs-static - Static version of libaudit library
audit-secondary-debugsource - Debug sources for package audit-secondary
audit-viewer - Audit event viewer
audit-viewer-debuginfo - Debug information for package audit-viewer
audit-viewer-debugsource - Debug sources for package audit-viewer
audit-visualize - Visualization tools for the audit subsystem