| audit_control.5 (185573) | audit_control.5 (189279) |
|---|---|
| 1.\" Copyright (c) 2004 Apple Inc. | 1.\" Copyright (c) 2004-2009 Apple Inc. |
| 2.\" Copyright (c) 2006 Robert N. M. Watson 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. --- 11 unchanged lines hidden (view full) --- 21.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27.\" POSSIBILITY OF SUCH DAMAGE. 28.\" | 2.\" Copyright (c) 2006 Robert N. M. Watson 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. --- 11 unchanged lines hidden (view full) --- 21.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27.\" POSSIBILITY OF SUCH DAMAGE. 28.\" |
| 29.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#20 $ | 29.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#22 $ |
| 30.\" | 30.\" |
| 31.Dd January 4, 2006 | 31.Dd January 29, 2009 |
| 32.Dt AUDIT_CONTROL 5 33.Os 34.Sh NAME 35.Nm audit_control 36.Nd "audit system parameters" 37.Sh DESCRIPTION 38The 39.Nm --- 41 unchanged lines hidden (view full) --- 81A list of global audit policy flags specifying various behaviors, such as 82fail stop, auditing of paths and arguments, etc. 83.It Va filesz 84Maximum trail size in bytes; if set to a non-0 value, the audit daemon will 85rotate the audit trail file at around this size. 86Sizes less than the minimum trail size (default of 512K) will be rejected as 87invalid. 88If 0, trail files will not be automatically rotated based on file size. | 32.Dt AUDIT_CONTROL 5 33.Os 34.Sh NAME 35.Nm audit_control 36.Nd "audit system parameters" 37.Sh DESCRIPTION 38The 39.Nm --- 41 unchanged lines hidden (view full) --- 81A list of global audit policy flags specifying various behaviors, such as 82fail stop, auditing of paths and arguments, etc. 83.It Va filesz 84Maximum trail size in bytes; if set to a non-0 value, the audit daemon will 85rotate the audit trail file at around this size. 86Sizes less than the minimum trail size (default of 512K) will be rejected as 87invalid. 88If 0, trail files will not be automatically rotated based on file size. |
| 89For convenience, the trail size may be expressed with suffix letters: 90B (Bytes), K (Kilobytes), M (Megabytes), or G (Gigabytes). 91For example, 2M is the same as 2097152. 92.It Va expire-after 93Specifies when audit log files will expire and be removed. 94This may be after a time period has passed since the file was last 95written to or when the aggregate of all the trail files have reached a 96specified size or a combination of both. 97If no expire-after parameter is given then audit log files with not 98expire and be removed by the audit control system. 99See the information below for the format of the expiration 100specification. |
|
| 89.El 90.Sh AUDIT FLAGS 91Audit flags are a comma-delimited list of audit classes as defined in the 92.Xr audit_class 5 93file. 94Event classes may be preceded by a prefix which changes their interpretation. 95The following prefixes may be used for each class: 96.Pp --- 68 unchanged lines hidden (view full) --- 165.El 166.Pp 167It is recommended that installations set the 168.Cm cnt 169flag but not 170.Cm ahlt 171flag unless it is intended that audit logs exceeding available disk space 172halt the system. | 101.El 102.Sh AUDIT FLAGS 103Audit flags are a comma-delimited list of audit classes as defined in the 104.Xr audit_class 5 105file. 106Event classes may be preceded by a prefix which changes their interpretation. 107The following prefixes may be used for each class: 108.Pp --- 68 unchanged lines hidden (view full) --- 177.El 178.Pp 179It is recommended that installations set the 180.Cm cnt 181flag but not 182.Cm ahlt 183flag unless it is intended that audit logs exceeding available disk space 184halt the system. |
| 185.Sh AUDIT LOG EXPIRATION SPECIFICATION 186The expiration specification can be one value or two values with the 187logical conjunction of AND/OR between them. 188Values for the audit log file age are numbers with the following 189suffixes: 190.Pp 191.Bl -tag -width "(space) or" -compact -offset indent 192.It Li s 193Log file age in seconds. 194.It Li h 195Log file age in hours. 196.It Li d 197Log file age in days. 198.It Li y 199Log file age in years. 200.El 201.Pp 202Values for the disk space used are numbers with the following suffixes: 203.Pp 204.Bl -tag -width "(space) or" -compact -offset indent 205.It (space) or 206.It Li B 207Disk space used in Bytes. 208.It Li K 209Disk space used in Kilobytes. 210.It Li M 211Disk space used in Megabytes. 212.It Li G 213Disk space used in Gigabytes. 214.El 215.Pp 216The suffixes on the values are case sensitive. 217If both an age and disk space value are used they are seperated by 218AND or OR and both values are used to determine when audit 219log files expire. 220In the case of AND, both the age and disk space conditions must be meet 221before the log file is removed. 222In the case of OR, either condition may expire the log file. 223For example: 224.Bd -literal -offset indent 225expire-after: 60d AND 1G 226.Ed 227.Pp 228will expire files that are older than 60 days but only if 1 229gigabyte of disk space total is being used by the audit logs. |
|
| 173.Sh DEFAULT 174The following settings appear in the default 175.Nm 176file: 177.Bd -literal -offset indent 178dir:/var/audit 179flags:lo | 230.Sh DEFAULT 231The following settings appear in the default 232.Nm 233file: 234.Bd -literal -offset indent 235dir:/var/audit 236flags:lo |
| 180minfree:20 | 237minfree:5 |
| 181naflags:lo | 238naflags:lo |
| 182policy:cnt 183filesz:0 | 239policy:cnt,argv 240filesz:2097152 |
| 184.Ed 185.Pp 186The 187.Va flags 188parameter above specifies the system-wide mask corresponding to login/logout 189events. 190The 191.Va policy 192parameter specifies that the system should neither fail stop nor suspend | 241.Ed 242.Pp 243The 244.Va flags 245parameter above specifies the system-wide mask corresponding to login/logout 246events. 247The 248.Va policy 249parameter specifies that the system should neither fail stop nor suspend |
| 193processes when the audit store fills. 194The trail file will not be automatically rotated by the audit daemon based on 195file size. | 250processes when the audit store fills and that command line arguments should 251be audited for 252.Dv AUE_EXECVE 253events. 254The trail file will be automatically rotated by the audit daemon when the 255file size reaches approximately 2MB. |
| 196.Sh FILES 197.Bl -tag -width ".Pa /etc/security/audit_control" -compact 198.It Pa /etc/security/audit_control 199.El 200.Sh SEE ALSO 201.Xr auditon 2 , 202.Xr audit 4 , 203.Xr audit_class 5 , --- 20 unchanged lines hidden --- | 256.Sh FILES 257.Bl -tag -width ".Pa /etc/security/audit_control" -compact 258.It Pa /etc/security/audit_control 259.El 260.Sh SEE ALSO 261.Xr auditon 2 , 262.Xr audit 4 , 263.Xr audit_class 5 , --- 20 unchanged lines hidden --- |