.\" Copyright (c) 2004 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
.\" DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd July 25, 2015
.Dt AUDITD 8
.Os
.Sh NAME
.Nm auditd
.Nd audit log management daemon
.Sh SYNOPSIS
.Nm
.Op Fl d | l
.Sh DESCRIPTION
The
.Nm
daemon responds to requests from the
.Xr audit 8
utility and notifications
from the kernel.
It manages the resulting audit log files and specified
log file locations.
.Pp
The options are as follows:
.Bl -tag -width indent
.It Fl d
Starts the daemon in debug mode \[em] it will not daemonize.
.It Fl l
This option is for when
.Nm
is configured to start on-demand using
.Xr launchd 8 .
.El
.Pp
Optionally, the audit review group "audit" may be created.
Non-privileged
users that are members of this group may read the audit trail log files.
.Sh NOTE
To assure uninterrupted audit support, the
.Nm
daemon should not be started and stopped manually.
Instead, the
.Xr audit 8
command
should be used to inform the daemon to change state/configuration after altering
the
.Pa audit_control
file.
.Pp
If
.Nm
is started on-demand by
.Xr launchd 8
then auditing should only be started and stopped with
.Xr audit 8 .
.Pp
On Mac OS X,
.Nm
uses the
.Xr asl 3
API for writing system log messages.
Therefore, only the audit administrator
and members of the audit review group will be able to read the
system log entries.
.Sh FILES
.Bl -tag -width ".Pa /etc/security" -compact
.It Pa /var/audit
Default directory for storing audit log files.
.Pp
.It Pa /etc/security
The directory containing the auditing configuration files
.Xr audit_class 5 ,
.Xr audit_control 5 ,
.Xr audit_event 5 ,
and
.Xr audit_warn 5 .
.El
.Sh COMPATIBILITY
The historical
.Fl h
and
.Fl s
flags are now configured using
.Xr audit_control 5
policy flags
.Cm ahlt
and
.Cm cnt ,
and are no longer available as arguments to
.Nm .
.Sh SEE ALSO
.Xr asl 3 ,
.Xr libauditd 3 ,
.Xr audit 4 ,
.Xr audit_class 5 ,
.Xr audit_control 5 ,
.Xr audit_event 5 ,
.Xr audit_warn 5 ,
.Xr audit 8 ,
.Xr auditdistd 8 ,
.Xr launchd 8 (Mac OS X)
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh AUTHORS
.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include
.An Wayne Salamon ,
.An Robert Watson ,
and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.