audit_control.5 (155131) | audit_control.5 (155364) |
---|---|
1.\" Copyright (c) 2004 Apple Computer, Inc. 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. --- 11 unchanged lines hidden (view full) --- 20.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 24.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 25.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26.\" POSSIBILITY OF SUCH DAMAGE. 27.\" | 1.\" Copyright (c) 2004 Apple Computer, Inc. 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. --- 11 unchanged lines hidden (view full) --- 20.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 24.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 25.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26.\" POSSIBILITY OF SUCH DAMAGE. 27.\" |
28.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#5 $ | 28.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#9 $ |
29.\" | 29.\" |
30.Dd Jan 24, 2004 | 30.Dd January 4, 2006 |
31.Dt AUDIT_CONTROL 5 32.Os 33.Sh NAME 34.Nm audit_control 35.Nd "contains audit system parameters" 36.Sh DESCRIPTION 37The 38.Nm 39file contains several audit system parameters. 40Each line of this file is of the form: | 31.Dt AUDIT_CONTROL 5 32.Os 33.Sh NAME 34.Nm audit_control 35.Nd "contains audit system parameters" 36.Sh DESCRIPTION 37The 38.Nm 39file contains several audit system parameters. 40Each line of this file is of the form: |
41.Dl parameter:value. | 41.Pp 42.Dl parameter:value 43.Pp |
42The parameters are: 43.Bl -tag -width Ds 44.It Pa dir 45The directory where audit log files are stored. 46There may be more than one of these entries. 47Changes to this entry can only be enacted by restarting the 48audit system. 49See --- 8 unchanged lines hidden (view full) --- 58Contains the audit flags that define what classes of events are audited when 59an action cannot be attributed to a specific user. 60.It Va minfree 61The minimum free space required on the file system audit logs are being written to. 62When the free space falls below this limit a warning will be issued. 63Not currently used as the value of 20 percent is chosen by the kernel. 64.El 65.Sh AUDIT FLAGS | 44The parameters are: 45.Bl -tag -width Ds 46.It Pa dir 47The directory where audit log files are stored. 48There may be more than one of these entries. 49Changes to this entry can only be enacted by restarting the 50audit system. 51See --- 8 unchanged lines hidden (view full) --- 60Contains the audit flags that define what classes of events are audited when 61an action cannot be attributed to a specific user. 62.It Va minfree 63The minimum free space required on the file system audit logs are being written to. 64When the free space falls below this limit a warning will be issued. 65Not currently used as the value of 20 percent is chosen by the kernel. 66.El 67.Sh AUDIT FLAGS |
66Audit flags are a comma delimited list of audit classes as defined in the 67audit_class file. | 68Audit flags are a comma-delimited list of audit classes as defined in the 69.Pa audit_class 70file. |
68See 69.Xr audit_class 5 70for details. 71Event classes may be preceded by a prefix which changes their interpretation. 72The following prefixes may be used for each class: | 71See 72.Xr audit_class 5 73for details. 74Event classes may be preceded by a prefix which changes their interpretation. 75The following prefixes may be used for each class: |
76.Pp |
|
73.Bl -tag -width Ds -compact -offset indent 74.It + 75Record successful events 76.It - 77Record failed events 78.It ^ 79Record both successful and failed events 80.It ^+ | 77.Bl -tag -width Ds -compact -offset indent 78.It + 79Record successful events 80.It - 81Record failed events 82.It ^ 83Record both successful and failed events 84.It ^+ |
81Don't record successful events | 85Do not record successful events |
82.It ^- | 86.It ^- |
83Don't record failed events | 87Do not record failed events |
84.El 85.Sh DEFAULT 86The following settings appear in the default 87.Nm 88file: 89.Bd -literal -offset indent 90dir:/var/audit | 88.El 89.Sh DEFAULT 90The following settings appear in the default 91.Nm 92file: 93.Bd -literal -offset indent 94dir:/var/audit |
91flags:lo,ad,-all,^-fc,^-cl | 95flags:lo |
92minfree:20 93naflags:lo 94.Ed 95.Pp 96The 97.Va flags 98parameter above specifies the system-wide mask corresponding to login/logout | 96minfree:20 97naflags:lo 98.Ed 99.Pp 100The 101.Va flags 102parameter above specifies the system-wide mask corresponding to login/logout |
99events, administrative events, and all failures except for failures in creating 100or closing files. | 103events. |
101.Sh FILES 102.Bl -tag -width "/etc/security/audit_control" -compact 103.It Pa /etc/security/audit_control 104.El 105.Sh SEE ALSO | 104.Sh FILES 105.Bl -tag -width "/etc/security/audit_control" -compact 106.It Pa /etc/security/audit_control 107.El 108.Sh SEE ALSO |
106.Xr audit 1 , 107.Xr auditd 8 , | |
108.Xr audit_class 5 , | 109.Xr audit_class 5 , |
109.Xr audit_user 5 | 110.Xr audit_user 5 , 111.Xr audit 8 , 112.Xr auditd 8 |
110.Sh AUTHORS 111This software was created by McAfee Research, the security research division 112of McAfee, Inc., under contract to Apple Computer Inc. 113Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. 114.Pp 115The Basic Security Module (BSM) interface to audit records and audit event 116stream format were defined by Sun Microsystems. 117.Sh HISTORY 118The OpenBSM implementation was created by McAfee Research, the security 119division of McAfee Inc., under contract to Apple Computer Inc. in 2004. 120It was subsequently adopted by the TrustedBSD Project as the foundation for 121the OpenBSM distribution. | 113.Sh AUTHORS 114This software was created by McAfee Research, the security research division 115of McAfee, Inc., under contract to Apple Computer Inc. 116Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. 117.Pp 118The Basic Security Module (BSM) interface to audit records and audit event 119stream format were defined by Sun Microsystems. 120.Sh HISTORY 121The OpenBSM implementation was created by McAfee Research, the security 122division of McAfee Inc., under contract to Apple Computer Inc. in 2004. 123It was subsequently adopted by the TrustedBSD Project as the foundation for 124the OpenBSM distribution. |
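Review bot: In the prefix list under AUDIT FLAGS (new lines 77-87), the `.It ^` entry still reads "Record both successful and failed events", which does not fit with the two entries this change rewords: `^+` "Do not record successful events" and `^-` "Do not record failed events" both treat `^` as a negation. While the wording is being touched, confirm against the flag parser what a bare `^` does and correct that entry if it means record neither. The list also has no entry for an unprefixed class, which is exactly what the new default `flags:lo` uses, so a line stating what an unprefixed class records would close that gap.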
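Review bot: The DEFAULT section change from `flags:lo,ad,-all,^-fc,^-cl` to `flags:lo` (new line 95) removes the only place on this page where the prefixes are shown in use, and it narrows the documented default from login/logout events, administrative events and failures down to login/logout events alone, without saying so. Suggest keeping a prefixed line such as the old one as an illustration in AUDIT FLAGS, and adding a sentence in DEFAULT that administrative events and failed operations are not audited under the default mask unless the administrator adds those classes.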