auditctl - a utility to assist controlling the kernel's audit system
STATUS OPTIONS
-l
List all rules, one per line. Two more options may be given
with this command: a key option (-k) to list only the rules
that match a key, or -i to have a0 through a3 interpreted,
which helps determine whether the syscall argument values
are correct.
-m text
Send a user space message into the audit system. This can
only be done if you have CAP_AUDIT_WRITE capability
(normally the root user has this). The resulting event
will be the USER type.
-s
Report the kernel's audit subsystem status. It will tell
you the in-kernel values that can be set by the -e, -f, -r,
and -b options. The pid value is the process number of the
audit daemon. Note that a pid of 0 indicates that the
audit daemon is not running. The lost entry will tell you
how many event records have been discarded because the
kernel audit queue overflowed. The backlog field tells
how many event records are currently queued waiting for
auditd to read them. This option can be followed by -i
to get a couple of fields interpreted.
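The following is an added example, not part of the auditctl man page or the audit project. It shows a small POSIX shell check over the fields described above (pid, lost, backlog, backlog_limit, enabled), the kind of sanity check a monitoring script would run on `auditctl -s` output. It assumes the modern one-"key value"-pair-per-line output format; the two sample status texts below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: sanity-check the fields reported by `auditctl -s`.
# Assumed input format: one "key value" pair per line, e.g. "pid 1234".

# Constructed sample output of a healthy system (not real captured output).
SAMPLE_OK='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'

# Constructed sample of an unhealthy system: auditd is not running (pid 0),
# records have already been dropped, and the backlog is nearly full.
SAMPLE_BAD='enabled 1
failure 1
pid 0
rate_limit 0
backlog_limit 320
lost 57
backlog 319'

# status_field TEXT KEY: print the value recorded for KEY in TEXT.
status_field() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# check_audit_status TEXT: print findings; return 0 if healthy, 1 otherwise.
check_audit_status() {
    text=$1
    rc=0
    enabled=$(status_field "$text" enabled)
    pid=$(status_field "$text" pid)
    lost=$(status_field "$text" lost)
    backlog=$(status_field "$text" backlog)
    limit=$(status_field "$text" backlog_limit)

    if [ "${enabled:-0}" = "0" ]; then
        echo "WARN: auditing is disabled (enabled=0)"
        rc=1
    fi
    # A pid of 0 means no audit daemon is reading the queue.
    if [ "${pid:-0}" = "0" ]; then
        echo "WARN: auditd is not running (pid=0)"
        rc=1
    fi
    # lost counts records already discarded by kernel queue overflow.
    if [ "${lost:-0}" -gt 0 ]; then
        echo "WARN: $lost event records discarded (kernel audit queue overflow); consider raising -b"
        rc=1
    fi
    # A backlog at or above 90% of backlog_limit means auditd is not keeping up.
    if [ "${limit:-0}" -gt 0 ] && [ $(( ${backlog:-0} * 10 )) -ge $(( limit * 9 )) ]; then
        echo "WARN: backlog ${backlog:-0} is at or above 90% of backlog_limit $limit"
        rc=1
    fi
    return $rc
}

# Stand-alone demonstration on the constructed samples.
echo "--- healthy sample ---"
check_audit_status "$SAMPLE_OK" && echo "OK"
echo "--- unhealthy sample ---"
check_audit_status "$SAMPLE_BAD" || echo "needs attention"
```

On a live system (as root, since -s talks to the kernel audit socket) the same function can be fed real output with `check_audit_status "$(auditctl -s)"`; a non-zero return is the signal to investigate before relying on the audit trail.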
-v
Print the version of auditctl.