xref: /freebsd/contrib/openbsm/bin/auditd/auditd.8 (revision 72a600a7a1908f1e778f54e08bd60a93be87dd33)

.\" Copyright (c) 2004 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1.  Redistributions of source code must retain the above copyright
.\"     notice, this list of conditions and the following disclaimer.
.\" 2.  Redistributions in binary form must reproduce the above copyright
.\"     notice, this list of conditions and the following disclaimer in the
.\"     documentation and/or other materials provided with the distribution.
.\" 3.  Neither the name of Apple Inc. ("Apple") nor the names of
.\"     its contributors may be used to endorse or promote products derived
.\"     from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
.\" DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd April 18, 2020
.Dt AUDITD 8
.Os
.Sh NAME
.Nm auditd
.Nd audit log management daemon
.Sh SYNOPSIS
.Nm
.Op Fl d | l
.Sh DESCRIPTION
The
.Nm
daemon responds to requests from the
.Xr audit 8
utility and notifications
from the kernel.
It manages the resulting audit log files and specified
log file locations.
.Pp
The options are as follows:
.Bl -tag -width indent
.It Fl d
Starts the daemon in debug mode \[em] it will not daemonize.
.It Fl l
This option is for when
.Nm
is configured to start on-demand using
.Xr launchd 8 .
.El
.Pp
Optionally, the audit review group "audit" may be created.
Non-privileged
users that are members of this group may read the audit trail log files.
.Sh NOTE
To assure uninterrupted audit support, the
.Nm
daemon should not be started and stopped manually.
Instead, the
.Xr audit 8
command
should be used to inform the daemon to change state/configuration after altering
the
.Pa audit_control
file.
.Pp
If
.Nm
is started on-demand by
.Xr launchd 8
then auditing should only be started and stopped with
.Xr audit 8 .
.Pp
On Mac OS X,
.Nm
uses the
.Xr asl 3
API for writing system log messages.
Therefore, only the audit administrator
and members of the audit review group will be able to read the
system log entries.
.Sh FILES
.Bl -tag -width ".Pa /etc/security" -compact
.It Pa /var/audit
Default directory for storing audit log files.
.Pp
.It Pa /etc/security
The directory containing the auditing configuration files
.Xr audit_class 5 ,
.Xr audit_control 5 ,
.Xr audit_event 5 ,
and
.Xr audit_warn 5 .
.El
.Sh COMPATIBILITY
The historical
.Fl h
and
.Fl s
flags are now configured using
.Xr audit_control 5
policy flags
.Cm ahlt
and
.Cm cnt ,
and are no longer available as arguments to
.Nm .
.Sh SEE ALSO
.Xr asl 3 ,
.Xr audit 4 ,
.Xr audit_class 5 ,
.Xr audit_control 5 ,
.Xr audit_event 5 ,
.Xr audit_warn 5 ,
.Xr audit 8 ,
.Xr auditdistd 8 ,
.Xr launchd 8 (Mac OS X)
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh AUTHORS
.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include
.An Wayne Salamon ,
.An Robert Watson ,
and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.