.\" Copyright (c) 2004-2009 Apple Inc.
.\" Copyright (c) 2006, 2016 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Portions of this software were developed by BAE Systems, the University of
.\" Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
.\" contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
.\" Computing (TC) research program.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Inc. ("Apple") nor the names of
.\"    its contributors may be used to endorse or promote products derived
.\"    from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd August 19, 2016
.Dt AUDIT_CONTROL 5
.Os
.Sh NAME
.Nm audit_control
.Nd "audit system parameters"
.Sh DESCRIPTION
The
.Nm
file contains several audit system parameters.
Each line of this file is of the form:
.Pp
.D1 Ar parameter Ns : Ns Ar value
.Pp
The parameters are:
.Bl -tag -width indent
.It Va dir
The directory where audit log files are stored.
There may be more than one of these entries.
Changes to this entry can only be enacted by restarting the
audit system.
See
.Xr audit 8
for a description of how to restart the audit system.
.It Va dist
When set to
.Va on
or
.Va yes ,
.Xr auditd 8
will create hard links to all trail files in the
.Pa /var/audit/dist
directory.
Those hard links will be consumed by the
.Xr auditdistd 8
daemon.
.It Va flags
Specifies which audit event classes are audited for all users.
.Xr audit_user 5
describes how to audit events for individual users.
See the information below for the format of the audit flags.
.It Va host
Specify the hostname or IP address to be used when setting the local
system's audit host information.
This hostname will be converted into an IP or IPv6 address and will
be included in the header of each audit record.
Due to the possibility of transient errors coupled with the
security issues in the DNS protocol itself, the use of DNS
should be avoided.
Instead, it is strongly recommended that the hostname be
specified in the
.Pa /etc/hosts
file.
For more information see
.Xr hosts 5 .
.It Va naflags
Contains the audit flags that define what classes of events are audited when
an action cannot be attributed to a specific user.
.It Va minfree
The minimum free space required on the file system to which audit logs are
being written.
When the free space falls below this limit a warning will be issued.
If no value for the minimum free space is set, the default of 20 percent is
applied by the kernel.
.It Va policy
A list of global audit policy flags specifying various behaviors, such as
fail stop, auditing of paths and arguments, etc.
.It Va filesz
Maximum trail size in bytes; if set to a non-0 value, the audit daemon will
rotate the audit trail file at around this size.
Sizes less than the minimum trail size (default of 512K) will be rejected as
invalid.
If 0, trail files will not be automatically rotated based on file size.
For convenience, the trail size may be expressed with suffix letters:
B (Bytes), K (Kilobytes), M (Megabytes), or G (Gigabytes).
For example, 2M is the same as 2097152.
.It Va expire-after
Specifies when audit log files will expire and be removed.
This may be after a time period has passed since the file was last
written to, or when the aggregate size of all the trail files has reached a
specified size, or a combination of both.
If no expire-after parameter is given then audit log files will not
expire and be removed by the audit control system.
See the information below for the format of the expiration
specification.
.It Va qsize
Specifies the maximum number of outstanding committed audit records that can
be in the kernel's post-commit queue pending write to disk.
If this number has been reached, user threads performing an auditable event
will be suspended until the queue has fallen below the limit.
Depending on the underlying kernel implementation, the number of in-flight
records can exceed this number, as it does not constrain uncommitted records
(e.g., those associated with incomplete auditable system calls), and may also
exclude the set of records extracted from the queue and currently being
prepared for or undergoing I/O.
Other operational limits may be affected by this parameter, such as the
minimum free space on disk required to continue system operation, estimated as
the maximum number of allowable in-flight records multiplied by the maximum
audit record size.
.El
.Sh AUDIT FLAGS
Audit flags are a comma-delimited list of audit classes as defined in the
.Xr audit_class 5
file.
Event classes may be preceded by a prefix which changes their interpretation.
The following prefixes may be used for each class:
.Pp
.Bl -tag -width indent -compact -offset indent
.It (none)
Record both successful and failed events.
.It Li +
Record successful events.
.It Li -
Record failed events.
.It Li ^
Record neither successful nor failed events.
.It Li ^+
Do not record successful events.
.It Li ^-
Do not record failed events.
.El
.Sh AUDIT POLICY FLAGS
The policy flags field is a comma-delimited list of policy flags from the
following list:
.Pp
.Bl -tag -width ".Cm zonename" -compact -offset indent
.It Cm cnt
Allow processes to continue running even though events are not being audited.
If not set, processes will be suspended when the audit store space is
exhausted.
Currently, this is not a recoverable state.
.It Cm ahlt
Fail stop the system if unable to audit an event\[em]this consists of first
draining pending records to disk, and then halting the operating system.
.It Cm argv
Audit command line arguments to
.Xr execve 2 .
.It Cm arge
Audit environment variable arguments to
.Xr execve 2 .
.It Cm seq
Include a unique audit sequence number token in generated audit records (not
implemented on
.Fx
or Darwin).
.It Cm group
Include supplementary groups list in generated audit records (not implemented
on
.Fx
or Darwin; supplementary groups are never included in records on
these systems).
.It Cm trail
Append a trailer token to each audit record (not implemented on
.Fx
or
Darwin; trailers are always included in records on these systems).
.It Cm path
Include secondary file paths in audit records (not implemented on
.Fx
or
Darwin; secondary paths are never included in records on these systems).
.It Cm zonename
Include a zone ID token with each audit record (not implemented on
.Fx
or
Darwin;
.Fx
audit records do not currently include the jail ID or name).
.It Cm perzone
Enable auditing for each local zone (not implemented on
.Fx
or Darwin; on
.Fx ,
audit records are collected from all jails and placed in a single
global trail, and only limited audit controls are permitted within a jail).
.El
.Pp
It is recommended that installations set the
.Cm cnt
flag but not the
.Cm ahlt
flag unless it is intended that audit logs exceeding available disk space
halt the system.
.Sh AUDIT LOG EXPIRATION SPECIFICATION
The expiration specification can be one value or two values joined by the
logical operator AND or OR.
Values for the audit log file age are numbers with the following
suffixes:
.Pp
.Bl -tag -width "(space) or" -compact -offset indent
.It Li s
Log file age in seconds.
.It Li h
Log file age in hours.
.It Li d
Log file age in days.
.It Li y
Log file age in years.
.El
.Pp
Values for the disk space used are numbers with the following suffixes:
.Pp
.Bl -tag -width "(space) or" -compact -offset indent
.It (space) or
.It Li B
Disk space used in Bytes.
.It Li K
Disk space used in Kilobytes.
.It Li M
Disk space used in Megabytes.
.It Li G
Disk space used in Gigabytes.
.El
.Pp
The suffixes on the values are case sensitive.
If both an age and disk space value are used they are separated by
AND or OR and both values are used to determine when audit
log files expire.
In the case of AND, both the age and disk space conditions must be met
before the log file is removed.
In the case of OR, either condition may expire the log file.
For example:
.Bd -literal -offset indent
expire-after: 60d AND 1G
.Ed
.Pp
will expire files that are older than 60 days but only if 1
gigabyte of disk space total is being used by the audit logs.
.Sh DEFAULT
The following settings appear in the default
.Nm
file:
.Bd -literal -offset indent
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
.Ed
.Pp
The
.Va flags
parameter above specifies the system-wide mask corresponding to login/logout
as well as authentication and authorization events.
The
.Va policy
parameter specifies that the system should neither fail stop nor suspend
processes when the audit store fills and that command line arguments should
be audited for
.Dv AUE_EXECVE
events.
The trail file will be automatically rotated by the audit daemon when the
file size reaches approximately 2MB.
Trail files will expire when their aggregate size exceeds 10MB.
.Sh FILES
.Bl -tag -width ".Pa /etc/security/audit_control" -compact
.It Pa /etc/security/audit_control
.El
.Sh SEE ALSO
.Xr auditon 2 ,
.Xr audit 4 ,
.Xr audit_class 5 ,
.Xr audit_event 5 ,
.Xr audit_user 5 ,
.Xr audit 8 ,
.Xr auditd 8
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh AUTHORS
.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include
.An Wayne Salamon ,
.An Robert Watson ,
and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
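As an added example (not OpenBSM's own parser, which is in libbsm), the following Python checker applies the rules documented in the AUDIT FLAGS, filesz and AUDIT LOG EXPIRATION SPECIFICATION sections above: prefix handling for audit classes, the case-sensitive B/K/M/G suffixes, and the AND/OR expiry decision, plus the cnt/ahlt recommendation. It assumes that a trail "expires" once its age or the aggregate size strictly exceeds the configured value; the configuration text and class names used in the tests are constructed.

```python
# Added example checker for the audit_control(5) syntax; not OpenBSM code.
# Assumption: expiry triggers when age or aggregate size is strictly exceeded.
import re

SIZE = {"": 1, "B": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
AGE = {"s": 1, "h": 3600, "d": 86400, "y": 365 * 86400}
# prefix -> (which masks it touches: "+" success / "-" failure, add or remove)
PREFIX = {"": ("+-", True), "+": ("+", True), "-": ("-", True),
          "^": ("+-", False), "^+": ("+", False), "^-": ("-", False)}

def parse_flags(spec):
    """Apply prefixes left to right; returns (success_classes, failure_classes)."""
    success, failure = set(), set()
    for item in spec.split(","):
        m = re.fullmatch(r"(\^?[+-]?)(\w+)", item.strip())
        if not m:
            raise ValueError("bad audit flag: %r" % item)
        which, add = PREFIX[m.group(1)]
        for mask in which:
            target = success if mask == "+" else failure
            (target.add if add else target.discard)(m.group(2))
    return success, failure

def parse_size(spec):
    """Digits plus optional B/K/M/G (case sensitive); a bare number is bytes."""
    m = re.fullmatch(r"(\d+)([BKMG]?)", spec.strip())
    if not m:
        raise ValueError("bad size: %r" % spec)
    return int(m.group(1)) * SIZE[m.group(2)]

def should_expire(spec, file_age_seconds, aggregate_bytes):
    """expire-after decision: one term, or two terms joined by AND/OR."""
    parts = spec.split()
    op = parts[1] if len(parts) == 3 else "OR"
    if op not in ("AND", "OR") or len(parts) not in (1, 3):
        raise ValueError("bad expire-after: %r" % spec)
    conds = []
    for t in parts[::2]:                  # terms sit at parts[0] and parts[2]
        m = re.fullmatch(r"(\d+)([shdy])", t)
        conds.append(file_age_seconds > int(m.group(1)) * AGE[m.group(2)] if m
                     else aggregate_bytes > parse_size(t))
    return all(conds) if op == "AND" else any(conds)

def review(text):
    """Findings from the page's own guidance: cnt/ahlt and the filesz minimum."""
    conf = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    policy = set(conf.get("policy", "").strip().split(","))
    findings = []
    if "ahlt" in policy:
        findings.append("ahlt set: the system halts when an event cannot be audited")
    if "cnt" not in policy:
        findings.append("cnt not set: processes suspend when the audit store fills")
    if 0 < parse_size(conf.get("filesz", "0")) < 512 * 1024:
        findings.append("filesz below the 512K minimum; rejected as invalid")
    return findings
```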