audit_control.5 (189279) | audit_control.5 (195740) |
---|---|
1.\" Copyright (c) 2004-2009 Apple Inc. 2.\" Copyright (c) 2006 Robert N. M. Watson 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright --- 12 unchanged lines hidden (view full) --- 21.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27.\" POSSIBILITY OF SUCH DAMAGE. 28.\" | 1.\" Copyright (c) 2004-2009 Apple Inc. 2.\" Copyright (c) 2006 Robert N. M. Watson 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright --- 12 unchanged lines hidden (view full) --- 21.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27.\" POSSIBILITY OF SUCH DAMAGE. 28.\" |
29.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#22 $ | 29.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#23 $ |
30.\" | 30.\" |
31.Dd January 29, 2009 | 31.Dd May 14, 2009 |
32.Dt AUDIT_CONTROL 5 33.Os 34.Sh NAME 35.Nm audit_control 36.Nd "audit system parameters" 37.Sh DESCRIPTION 38The 39.Nm --- 49 unchanged lines hidden (view full) --- 89For convenience, the trail size may be expressed with suffix letters: 90B (Bytes), K (Kilobytes), M (Megabytes), or G (Gigabytes). 91For example, 2M is the same as 2097152. 92.It Va expire-after 93Specifies when audit log files will expire and be removed. 94This may be after a time period has passed since the file was last 95written to or when the aggregate of all the trail files have reached a 96specified size or a combination of both. | 32.Dt AUDIT_CONTROL 5 33.Os 34.Sh NAME 35.Nm audit_control 36.Nd "audit system parameters" 37.Sh DESCRIPTION 38The 39.Nm --- 49 unchanged lines hidden (view full) --- 89For convenience, the trail size may be expressed with suffix letters: 90B (Bytes), K (Kilobytes), M (Megabytes), or G (Gigabytes). 91For example, 2M is the same as 2097152. 92.It Va expire-after 93Specifies when audit log files will expire and be removed. 94This may be after a time period has passed since the file was last 95written to or when the aggregate of all the trail files have reached a 96specified size or a combination of both. |
97If no expire-after parameter is given then audit log files with not | 97If no expire-after parameter is given then audit log files will not |
98expire and be removed by the audit control system. 99See the information below for the format of the expiration 100specification. 101.El 102.Sh AUDIT FLAGS 103Audit flags are a comma-delimited list of audit classes as defined in the 104.Xr audit_class 5 105file. --- 106 unchanged lines hidden (view full) --- 212.It Li G 213Disk space used in Gigabytes. 214.El 215.Pp 216The suffixes on the values are case sensitive. 217If both an age and disk space value are used they are seperated by 218AND or OR and both values are used to determine when audit 219log files expire. | 98expire and be removed by the audit control system. 99See the information below for the format of the expiration 100specification. 101.El 102.Sh AUDIT FLAGS 103Audit flags are a comma-delimited list of audit classes as defined in the 104.Xr audit_class 5 105file. --- 106 unchanged lines hidden (view full) --- 212.It Li G 213Disk space used in Gigabytes. 214.El 215.Pp 216The suffixes on the values are case sensitive. 217If both an age and disk space value are used they are seperated by 218AND or OR and both values are used to determine when audit 219log files expire. |
220In the case of AND, both the age and disk space conditions must be meet | 220In the case of AND, both the age and disk space conditions must be met |
221before the log file is removed. 222In the case of OR, either condition may expire the log file. 223For example: 224.Bd -literal -offset indent 225expire-after: 60d AND 1G 226.Ed 227.Pp 228will expire files that are older than 60 days but only if 1 229gigabyte of disk space total is being used by the audit logs. 230.Sh DEFAULT 231The following settings appear in the default 232.Nm 233file: 234.Bd -literal -offset indent 235dir:/var/audit | 221before the log file is removed. 222In the case of OR, either condition may expire the log file. 223For example: 224.Bd -literal -offset indent 225expire-after: 60d AND 1G 226.Ed 227.Pp 228will expire files that are older than 60 days but only if 1 229gigabyte of disk space total is being used by the audit logs. 230.Sh DEFAULT 231The following settings appear in the default 232.Nm 233file: 234.Bd -literal -offset indent 235dir:/var/audit |
236flags:lo | 236flags:lo,aa |
237minfree:5 | 237minfree:5 |
238naflags:lo | 238naflags:lo,aa |
239policy:cnt,argv | 239policy:cnt,argv |
240filesz:2097152 | 240filesz:2M 241expire-after:10M |
241.Ed 242.Pp 243The 244.Va flags 245parameter above specifies the system-wide mask corresponding to login/logout | 242.Ed 243.Pp 244The 245.Va flags 246parameter above specifies the system-wide mask corresponding to login/logout |
246events. | 247as well as authentication and authorization events. |
247The 248.Va policy 249parameter specifies that the system should neither fail stop nor suspend 250processes when the audit store fills and that command line arguments should 251be audited for 252.Dv AUE_EXECVE 253events. 254The trail file will be automatically rotated by the audit daemon when the 255file size reaches approximately 2MB. | 248The 249.Va policy 250parameter specifies that the system should neither fail stop nor suspend 251processes when the audit store fills and that command line arguments should 252be audited for 253.Dv AUE_EXECVE 254events. 255The trail file will be automatically rotated by the audit daemon when the 256file size reaches approximately 2MB. |
257Trail files will expire when their aggregate size exceeds 10MB. |
|
256.Sh FILES 257.Bl -tag -width ".Pa /etc/security/audit_control" -compact 258.It Pa /etc/security/audit_control 259.El 260.Sh SEE ALSO 261.Xr auditon 2 , 262.Xr audit 4 , 263.Xr audit_class 5 , --- 20 unchanged lines hidden --- | 258.Sh FILES 259.Bl -tag -width ".Pa /etc/security/audit_control" -compact 260.It Pa /etc/security/audit_control 261.El 262.Sh SEE ALSO 263.Xr auditon 2 , 264.Xr audit 4 , 265.Xr audit_class 5 , --- 20 unchanged lines hidden --- |