audit_set_pid - Linux


Overview

audit_set_pid is a Linux security command that allows privileged users to control the process identifier (PID) that is used for the audit logging process. This enables the isolation of audit logging activities and enhances system security.

Syntax

audit_set_pid [options] <pid>

Options/Flags

  • -c, --checkpoint: Creates a checkpoint in the audit log to indicate the change in audit logging PID.
  • -w, --wait: Waits for the next checkpoint to be written to the audit log before exiting.
  • -d, --disable: Disables audit logging.
  • -e, --enable: Enables audit logging.
  • -h, --help: Displays the help message.
  • -V, --version: Displays the version information.

Examples

Example 1: Setting the Audit Logging PID

sudo audit_set_pid 1234

Example 2: Disabling Audit Logging

sudo audit_set_pid -d

Example 3: Enabling Audit Logging

sudo audit_set_pid -e

Common Issues

  • Permission Denied: Only privileged users (e.g., root) can use audit_set_pid.
  • Invalid PID: The specified PID must be a valid, non-zero positive integer.
  • PID Not Found: If the specified PID is not running, audit_set_pid will fail.
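The three failure cases above can be caught before the command is run. The following POSIX sh wrapper is an added example and is not part of this page or of any audit tooling; it assumes, as the Syntax section states, that audit_set_pid takes the PID as its last argument, and the set_audit_pid function at the end is a hypothetical convenience wrapper around that invocation.

```shell
#!/bin/sh
# Pre-flight checks before handing the audit logging role to a PID.
# Added example; the audit_set_pid invocation below is an assumption
# based on the syntax given on this page.

# validate_pid PID
# Returns 0 when PID is a non-zero positive integer naming a running
# process; otherwise prints the matching "Common Issues" reason to
# stderr and returns 1.
validate_pid() {
    pid=$1
    # Reject empty strings, signs, letters and anything that is not
    # purely decimal digits ("Invalid PID").
    case $pid in
        ''|*[!0-9]*)
            echo "invalid PID: '$pid' is not a positive integer" >&2
            return 1 ;;
    esac
    if [ "$pid" -eq 0 ]; then
        echo "invalid PID: 0 is not allowed" >&2
        return 1
    fi
    # kill -0 sends no signal; it only reports whether the process exists.
    # A process we are not allowed to signal still exists, so fall back to
    # /proc/<pid> where that filesystem is available ("PID Not Found").
    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
        return 0
    fi
    echo "PID not found: no running process with PID $pid" >&2
    return 1
}

# set_audit_pid PID
# Hypothetical wrapper: validates first, then runs the command with -c so
# the hand-over itself leaves a checkpoint in the audit trail.
# Usage: set_audit_pid 1234
set_audit_pid() {
    validate_pid "$1" || return 1
    sudo audit_set_pid -c "$1"
}
```

Run as a non-root user the wrapper still performs the checks but the final command will report the "Permission Denied" case; after a successful change, `auditctl -s` (from the audit userspace tools mentioned under Integration) prints the PID the kernel currently has registered, which is the value to compare against the one you passed.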

Integration

audit_set_pid can be used in conjunction with other Linux security tools, such as:

  • auditctl: To configure audit rules and policies.
  • ausearch: To search and analyze audit logs.

Related Commands