Use the auditd_conf InSpec audit resource to test the configuration settings for the audit daemon. This file is typically located at /etc/audit/auditd.conf on Unix and Linux platforms.


An auditd_conf resource block declares configuration settings that should be tested:

describe auditd_conf('path') do
  its('keyword') { should cmp 'value' }
end


  • 'keyword' is a configuration setting defined in the auditd.conf configuration file
  • ('path') is the non-default path to the auditd.conf configuration file
  • { should cmp 'value' } is the value that is expected


This matcher will match any property listed in the auditd.conf configuration file. Property names and expected values are case-insensitive:

  • admin_space_left, admin_space_left_action, action_mail_acct, disk_error_action, disk_full_action, flush, freq, log_file, log_format, max_log_file, max_log_file_action, num_logs, space_left, space_left_action

Property Examples

The following examples show how to use this InSpec audit resource.

Test the auditd.conf file

describe auditd_conf do
  its('log_file') { should cmp '/full/path/to/file' }
  its('log_format') { should cmp 'raw' }
  its('flush') { should cmp 'none' }
  its('freq') { should cmp 1 }
  its('num_logs') { should cmp 0 }
  its('max_log_file') { should cmp 6 }
  its('max_log_file_action') { should cmp 'email' }
  its('space_left') { should cmp 2 }
  its('action_mail_acct') { should cmp 'root' }
  its('space_left_action') { should cmp 'email' }
  its('admin_space_left') { should cmp 1 }
  its('admin_space_left_action') { should cmp 'halt' }
  its('disk_full_action') { should cmp 'halt' }
  its('disk_error_action') { should cmp 'halt' }
end


For a full list of available matchers, please visit our matchers page.


The cmp matcher compares values across types.

its('freq') { should cmp 1 }
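
The comparison behavior described above (case-insensitive property names and values, and cmp matching an integer against the string read from the file) can be reproduced offline. This is an added example in plain Ruby, not InSpec's own implementation; the sample file contents, the baseline values and the helper names `parse_auditd_conf`, `cmp?` and `audit_failures` are constructed for illustration.

```ruby
# Constructed sample of an auditd.conf file (mixed case on purpose, not from a real host).
SAMPLE_CONF = <<~CONF
  # constructed sample
  log_file = /var/log/audit/audit.log
  log_format = RAW
  flush = NONE
  freq = 1
  max_log_file = 6
  Space_Left_Action = EMAIL
  admin_space_left_action = halt
  disk_full_action = SUSPEND
CONF

# Parse "keyword = value" lines. Keywords are lower-cased so lookups are case-insensitive.
def parse_auditd_conf(text)
  text.each_line.with_object({}) do |line, conf|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2).map(&:strip)
    next if value.nil? || key.empty?
    conf[key.downcase] = value
  end
end

# Approximation of cmp (assumption, simplified): an Integer expectation is compared
# numerically with a numeric string; anything else is compared case-insensitively.
def cmp?(actual, expected)
  return false if actual.nil? # keyword missing from the file
  if expected.is_a?(Integer)
    actual.match?(/\A-?\d+\z/) && actual.to_i == expected
  else
    actual.casecmp?(expected.to_s)
  end
end

# Return the baseline keywords whose configured value is missing or different.
def audit_failures(conf, baseline)
  baseline.reject { |key, want| cmp?(conf[key.to_s.downcase], want) }.keys
end

# Hypothetical baseline using values from the examples on this page.
BASELINE = {
  'log_format' => 'raw', 'flush' => 'none', 'freq' => 1, 'max_log_file' => 6,
  'space_left_action' => 'email', 'admin_space_left_action' => 'halt',
  'disk_full_action' => 'halt', 'disk_error_action' => 'halt'
}.freeze

puts audit_failures(parse_auditd_conf(SAMPLE_CONF), BASELINE).inspect
```

In the sample, `disk_full_action` fails because the value differs and `disk_error_action` fails because the keyword is absent, which is the case to watch for when a baseline expects an explicit setting.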