README.auditd
1Auditd Daemon
2
3The audit daemon is a simplified version of its desktop
4counterpart designed to gather the audit logs from the
5audit kernel subsystem. The audit subsystem of the kernel
6includes Linux Security Modules (LSM) messages as well.
7
8To enable the audit subsystem, you must add this to your
9kernel config:
10CONFIG_AUDIT=y
11
12To enable a LSM, you must consult that LSM's documentation, the
13example below is for SELinux:
14CONFIG_SECURITY_SELINUX=y
15
16This does not include possible dependencies that may need to be
17satisfied for that particular LSM.
18
README.property
1The properties that logd and friends react to are:
2
3name type default description
4ro.logd.auditd bool true Enable selinux audit daemon
5ro.logd.auditd.dmesg bool true selinux audit messages duplicated and
6 sent on to dmesg log
7persist.logd.security bool false Enable security buffer.
8ro.device_owner bool false Override persist.logd.security to false
9ro.logd.kernel bool+ svelte+ Enable klogd daemon
10ro.logd.statistics bool+ svelte+ Enable logcat -S statistics.
11ro.build.type string if user, logd.statistics &
12 ro.logd.kernel default false.
13logd.logpersistd.enable bool auto Safe to start logpersist daemon service
14logd.logpersistd string persist Enable logpersist daemon, "logcatd"
15 turns on logcat -f in logd context.
16 Responds to logcatd, clear and stop.
17logd.logpersistd.buffer persist logpersistd buffers to collect
18logd.logpersistd.size persist logpersistd size in MB
19persist.logd.logpersistd string Enable logpersist daemon, "logcatd"
20 turns on logcat -f in logd context.
21persist.logd.logpersistd.buffer all logpersistd buffers to collect
22persist.logd.logpersistd.size 256 logpersistd size in MB
23persist.logd.size number ro Global default size of the buffer for
24 all log ids at initial startup, at
25 runtime use: logcat -b all -G <value>
26ro.logd.size number svelte default for persist.logd.size. Larger
27 platform default sizes than 256KB are
28 known to not scale well under log spam
29 pressure. Address the spam first,
30 resist increasing the log buffer.
31persist.logd.size.<buffer> number ro Size of the buffer for <buffer> log
32ro.logd.size.<buffer> number svelte default for persist.logd.size.<buffer>
33ro.config.low_ram bool false if true, logd.statistics, logd.kernel
34 default false, logd.size 64K instead
35 of 256K.
36persist.logd.filter string Pruning filter to optimize content.
37 At runtime use: logcat -P "<string>"
38ro.logd.filter string "~! ~1000/!" default for persist.logd.filter.
39 This default means to prune the
40 oldest entries of chattiest UID, and
41 the chattiest PID of system
42 (1000, or AID_SYSTEM).
43persist.logd.timestamp string ro The recording timestamp source.
44 "m[onotonic]" is the only supported
45 key character, otherwise realtime.
46ro.logd.timestamp string realtime default for persist.logd.timestamp
47log.tag string persist The global logging level, VERBOSE,
48 DEBUG, INFO, WARN, ERROR, ASSERT or
49 SILENT. Only the first character is
50 the key character.
51persist.log.tag string build default for log.tag
52log.tag.<tag> string persist The <tag> specific logging level.
53persist.log.tag.<tag> string build default for log.tag.<tag>
54
55NB:
56- auto - managed by /init
57- bool+ - "true", "false" and comma separated list of "eng" (forced false if
58 ro.build.type is "user") or "svelte" (forced false if ro.config.low_ram is
59 true).
60- svelte - see ro.config.low_ram for details.
61- svelte+ - see ro.config.low_ram and ro.build.type for details.
62- ro - <base property> temporary override, ro.<base property> platform default.
63- persist - <base property> override, persist.<base property> platform default.
64- build - VERBOSE for native, DEBUG for jvm isLoggable, or developer option.
65- number - support multipliers (K or M) for convenience. Range is limited
66 to between 64K and 256M for log buffer sizes. Individual log buffer ids
67 such as main, system, ... override global default.
68- Pruning filter is of form of a space-separated list of [~][UID][/PID]
69 references, where '~' prefix means to blacklist otherwise whitelist. For
70 blacklisting, UID or PID may be a '!' to instead reference the chattiest
71 client, with the restriction that the PID must be in the UID group 1000
72 (system or AID_SYSTEM).
73