| auditd.8 (185573) | auditd.8 (186647) |
|---|---|
| 1.\" Copyright (c) 2004 Apple Inc. 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 8.\" 1. Redistributions of source code must retain the above copyright --- 11 unchanged lines hidden (view full) --- 20.\" DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 21.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 22.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 24.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27.\" | 1.\" Copyright (c) 2004 Apple Inc. 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 8.\" 1. Redistributions of source code must retain the above copyright --- 11 unchanged lines hidden (view full) --- 20.\" DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 21.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 22.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 24.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27.\" |
| 28.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#14 $ | 28.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#16 $ |
| 29.\" | 29.\" |
| 30.Dd October 2, 2006 | 30.Dd December 11, 2008 |
| 31.Dt AUDITD 8 32.Os 33.Sh NAME 34.Nm auditd 35.Nd audit log management daemon 36.Sh SYNOPSIS 37.Nm | 31.Dt AUDITD 8 32.Os 33.Sh NAME 34.Nm auditd 35.Nd audit log management daemon 36.Sh SYNOPSIS 37.Nm |
| 38.Op Fl d | 38.Op Fl d | l |
| 39.Sh DESCRIPTION 40The 41.Nm 42daemon responds to requests from the 43.Xr audit 8 44utility and notifications 45from the kernel. 46It manages the resulting audit log files and specified 47log file locations. 48.Pp 49The options are as follows: 50.Bl -tag -width indent 51.It Fl d 52Starts the daemon in debug mode \[em] it will not daemonize. | 39.Sh DESCRIPTION 40The 41.Nm 42daemon responds to requests from the 43.Xr audit 8 44utility and notifications 45from the kernel. 46It manages the resulting audit log files and specified 47log file locations. 48.Pp 49The options are as follows: 50.Bl -tag -width indent 51.It Fl d 52Starts the daemon in debug mode \[em] it will not daemonize. |
| 53.It Fl l 54This option is for when 55.Nm 56is configured to start on-demand using 57.Xr launchd 8 . |
|
| 53.El | 58.El |
| 59.Pp 60Optionally, the audit review group "audit" may be created. 61Non-privileged 62users that are members of this group may read the audit trail log files. |
|
| 54.Sh NOTE 55To assure uninterrupted audit support, the 56.Nm 57daemon should not be started and stopped manually. 58Instead, the 59.Xr audit 8 60command 61should be used to inform the daemon to change state/configuration after altering 62the 63.Pa audit_control 64file. 65.Pp | 63.Sh NOTE 64To assure uninterrupted audit support, the 65.Nm 66daemon should not be started and stopped manually. 67Instead, the 68.Xr audit 8 69command 70should be used to inform the daemon to change state/configuration after altering 71the 72.Pa audit_control 73file. 74.Pp |
| 66.\" Sending a 67.\" .Dv SIGHUP 68.\" to a running 69.\" .Nm 70.\" daemon will force it to exit. 71Sending a 72.Dv SIGTERM 73to a running | 75If |
| 74.Nm | 76.Nm |
| 75daemon will force it to exit. | 77is started on-demand by 78.Xr launchd 8 79then auditing should only be started and stopped with 80.Xr audit 8 . 81.Pp 82On Mac OS X, 83.Nm 84uses the 85.Xr asl 3 86API for writing system log messages. 87Therefore, only the audit administrator 88and members of the audit review group will be able to read the 89system log entries. |
| 76.Sh FILES | 90.Sh FILES |
| 77.Bl -tag -width ".Pa /var/audit" -compact | 91.Bl -tag -width ".Pa /etc/security" -compact |
| 78.It Pa /var/audit 79Default directory for storing audit log files. | 92.It Pa /var/audit 93Default directory for storing audit log files. |
| 94.Pp 95.It Pa /etc/security 96The directory containing the auditing configuration files 97.Xr audit_class 5 , 98.Xr audit_control 5 , 99.Xr audit_event 5 , 100and 101.Xr audit_warn 5 . |
|
| 80.El 81.Sh COMPATIBILITY 82The historical 83.Fl h 84and 85.Fl s 86flags are now configured using 87.Xr audit_control 5 88policy flags 89.Cm ahlt 90and 91.Cm cnt , 92and are no longer available as arguments to 93.Nm . 94.Sh SEE ALSO | 102.El 103.Sh COMPATIBILITY 104The historical 105.Fl h 106and 107.Fl s 108flags are now configured using 109.Xr audit_control 5 110policy flags 111.Cm ahlt 112and 113.Cm cnt , 114and are no longer available as arguments to 115.Nm . 116.Sh SEE ALSO |
| 117.Xr asl 3 , |
|
| 95.Xr audit 4 , | 118.Xr audit 4 , |
| 119.Xr audit_class 5 , |
|
| 96.Xr audit_control 5 , | 120.Xr audit_control 5 , |
| 97.Xr audit 8 | 121.Xr audit_event 5 , 122.Xr audit_warn 5 , 123.Xr audit 8 , 124.Xr launchd 8 |
| 98.Sh HISTORY 99The OpenBSM implementation was created by McAfee Research, the security 100division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004. 101It was subsequently adopted by the TrustedBSD Project as the foundation for 102the OpenBSM distribution. 103.Sh AUTHORS 104.An -nosplit 105This software was created by McAfee Research, the security research division 106of McAfee, Inc., under contract to Apple Computer Inc. 107Additional authors include 108.An Wayne Salamon , 109.An Robert Watson , 110and SPARTA Inc. 111.Pp 112The Basic Security Module (BSM) interface to audit records and audit event 113stream format were defined by Sun Microsystems. | 125.Sh HISTORY 126The OpenBSM implementation was created by McAfee Research, the security 127division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004. 128It was subsequently adopted by the TrustedBSD Project as the foundation for 129the OpenBSM distribution. 130.Sh AUTHORS 131.An -nosplit 132This software was created by McAfee Research, the security research division 133of McAfee, Inc., under contract to Apple Computer Inc. 134Additional authors include 135.An Wayne Salamon , 136.An Robert Watson , 137and SPARTA Inc. 138.Pp 139The Basic Security Module (BSM) interface to audit records and audit event 140stream format were defined by Sun Microsystems. |