README.auditd
1Auditd Daemon
2
3The audit daemon is a simplified version of its desktop
4counterpart designed to gather the audit logs from the
5audit kernel subsystem. The audit subsystem of the kernel
6includes Linux Security Modules (LSM) messages as well.
7
8To enable the audit subsystem, you must add this to your
9kernel config:
10CONFIG_AUDIT=y
11
12To enable a LSM, you must consult that LSM's documentation, the
13example below is for SELinux:
14CONFIG_SECURITY_SELINUX=y
15
16This does not include possible dependencies that may need to be
17satisfied for that particular LSM.
18
README.property
1The properties that logd responds to are:
2
3name type default description
4ro.logd.auditd bool true Enable selinux audit daemon
5ro.logd.auditd.dmesg bool true selinux audit messages duplicated and
6 sent on to dmesg log
7persist.logd.security bool false Enable security buffer.
8ro.device_owner bool false Override persist.logd.security to false
9ro.logd.kernel bool+ svelte+ Enable klogd daemon
10ro.logd.statistics bool+ svelte+ Enable logcat -S statistics.
11ro.build.type string if user, logd.statistics &
12 ro.logd.kernel default false.
13persist.logd.logpersistd string Enable logpersist daemon, "logcatd"
14 turns on logcat -f in logd context
15persist.logd.size number ro Global default size of the buffer for
16 all log ids at initial startup, at
17 runtime use: logcat -b all -G <value>
18ro.logd.size number svelte default for persist.logd.size. Larger
19 platform default sizes than 256KB are
20 known to not scale well under log spam
21 pressure. Address the spam first,
22 resist increasing the log buffer.
23persist.logd.size.<buffer> number ro Size of the buffer for <buffer> log
24ro.logd.size.<buffer> number svelte default for persist.logd.size.<buffer>
25ro.config.low_ram bool false if true, logd.statistics, logd.kernel
26 default false, logd.size 64K instead
27 of 256K.
28persist.logd.filter string Pruning filter to optimize content.
29 At runtime use: logcat -P "<string>"
30ro.logd.filter string "~! ~1000/!" default for persist.logd.filter.
31 This default means to prune the
32 oldest entries of chattiest UID, and
33 the chattiest PID of system
34 (1000, or AID_SYSTEM).
35persist.logd.timestamp string ro The recording timestamp source.
36 "m[onotonic]" is the only supported
37 key character, otherwise realtime.
38ro.logd.timestamp string realtime default for persist.logd.timestamp
39log.tag string persist The global logging level, VERBOSE,
40 DEBUG, INFO, WARN, ERROR, ASSERT or
41 SILENT. Only the first character is
42 the key character.
43persist.log.tag string build default for log.tag
44log.tag.<tag> string persist The <tag> specific logging level.
45persist.log.tag.<tag> string build default for log.tag.<tag>
46
47NB:
48- bool+ - "true", "false" and comma separated list of "eng" (forced false if
49 ro.build.type is "user") or "svelte" (forced false if ro.config.low_ram is
50 true).
51- svelte - see ro.config.low_ram for details.
52- svelte+ - see ro.config.low_ram and ro.build.type for details.
53- ro - <base property> temporary override, ro.<base property> platform default.
54- persist - <base property> override, persist.<base property> platform default.
55- build - VERBOSE for native, DEBUG for jvm isLoggable, or developer option.
56- number - support multipliers (K or M) for convenience. Range is limited
57 to between 64K and 256M for log buffer sizes. Individual log buffer ids
58 such as main, system, ... override global default.
59- Pruning filter is of form of a space-separated list of [~][UID][/PID]
60 references, where '~' prefix means to blacklist otherwise whitelist. For
61 blacklisting, UID or PID may be a '!' to instead reference the chattiest
62 client, with the restriction that the PID must be in the UID group 1000
63 (system or AID_SYSTEM).
64