README.auditd
1Auditd Daemon
2
3The audit daemon is a simplified version of its desktop
4counterpart designed to gather the audit logs from the
5audit kernel subsystem. The audit subsystem of the kernel
6includes Linux Security Modules (LSM) messages as well.
7
8To enable the audit subsystem, you must add this to your
9kernel config:
10CONFIG_AUDIT=y
11
12To enable a LSM, you must consult that LSM's documentation, the
13example below is for SELinux:
14CONFIG_SECURITY_SELINUX=y
15
16This does not include possible dependencies that may need to be
17satisfied for that particular LSM.
18
README.property
1The properties that logd and friends react to are:
2
3name type default description
4ro.logd.auditd bool true Enable selinux audit daemon
5ro.logd.auditd.dmesg bool true selinux audit messages sent to dmesg.
6ro.logd.auditd.main bool true selinux audit messages sent to main.
7ro.logd.auditd.events bool true selinux audit messages sent to events.
8persist.logd.security bool false Enable security buffer.
9ro.device_owner bool false Override persist.logd.security to false
10ro.logd.kernel bool+ svelte+ Enable klogd daemon
11ro.logd.statistics bool+ svelte+ Enable logcat -S statistics.
12ro.debuggable number if not "1", logd.statistics &
13 ro.logd.kernel default false.
14logd.logpersistd.enable bool auto Safe to start logpersist daemon service
15logd.logpersistd string persist Enable logpersist daemon, "logcatd"
16 turns on logcat -f in logd context.
17 Responds to logcatd, clear and stop.
18logd.logpersistd.buffer persist logpersistd buffers to collect
19logd.logpersistd.size persist logpersistd size in MB
20persist.logd.logpersistd string Enable logpersist daemon, "logcatd"
21 turns on logcat -f in logd context.
22persist.logd.logpersistd.buffer all logpersistd buffers to collect
23persist.logd.logpersistd.size 256 logpersistd size in MB
24persist.logd.size number ro Global default size of the buffer for
25 all log ids at initial startup, at
26 runtime use: logcat -b all -G <value>
27ro.logd.size number svelte default for persist.logd.size. Larger
28 platform default sizes than 256KB are
29 known to not scale well under log spam
30 pressure. Address the spam first,
31 resist increasing the log buffer.
32persist.logd.size.<buffer> number ro Size of the buffer for <buffer> log
33ro.logd.size.<buffer> number svelte default for persist.logd.size.<buffer>
34ro.config.low_ram bool false if true, logd.statistics, logd.kernel
35 default false, logd.size 64K instead
36 of 256K.
37persist.logd.filter string Pruning filter to optimize content.
38 At runtime use: logcat -P "<string>"
39ro.logd.filter string "~! ~1000/!" default for persist.logd.filter.
40 This default means to prune the
41 oldest entries of chattiest UID, and
42 the chattiest PID of system
43 (1000, or AID_SYSTEM).
44persist.logd.timestamp string ro The recording timestamp source.
45 "m[onotonic]" is the only supported
46 key character, otherwise realtime.
47ro.logd.timestamp string realtime default for persist.logd.timestamp
48log.tag string persist The global logging level, VERBOSE,
49 DEBUG, INFO, WARN, ERROR, ASSERT or
50 SILENT. Only the first character is
51 the key character.
52persist.log.tag string build default for log.tag
53log.tag.<tag> string persist The <tag> specific logging level.
54persist.log.tag.<tag> string build default for log.tag.<tag>
55
56NB:
57- auto - managed by /init
58- bool+ - "true", "false" and comma separated list of "eng" (forced false if
59 ro.debuggable is not "1") or "svelte" (forced false if ro.config.low_ram is
60 true).
61- svelte - see ro.config.low_ram for details.
62- svelte+ - see ro.config.low_ram and ro.debuggable for details.
63- ro - <base property> temporary override, ro.<base property> platform default.
64- persist - <base property> override, persist.<base property> platform default.
65- build - VERBOSE for native, DEBUG for jvm isLoggable, or developer option.
66- number - support multipliers (K or M) for convenience. Range is limited
67 to between 64K and 256M for log buffer sizes. Individual log buffer ids
68 such as main, system, ... override global default.
69- Pruning filter is of form of a space-separated list of [~][UID][/PID]
70 references, where '~' prefix means to blacklist otherwise whitelist. For
71 blacklisting, UID or PID may be a '!' to instead reference the chattiest
72 client, with the restriction that the PID must be in the UID group 1000
73 (system or AID_SYSTEM).
74