1ca0716f5SRobert Watson.\" Copyright (c) 2004 Apple Computer, Inc. 2ca0716f5SRobert Watson.\" All rights reserved. 3ca0716f5SRobert Watson.\" 4ca0716f5SRobert Watson.\" Redistribution and use in source and binary forms, with or without 5ca0716f5SRobert Watson.\" modification, are permitted provided that the following conditions 6ca0716f5SRobert Watson.\" are met: 7ca0716f5SRobert Watson.\" 1. Redistributions of source code must retain the above copyright 8ca0716f5SRobert Watson.\" notice, this list of conditions and the following disclaimer. 9ca0716f5SRobert Watson.\" 2. Redistributions in binary form must reproduce the above copyright 10ca0716f5SRobert Watson.\" notice, this list of conditions and the following disclaimer in the 11ca0716f5SRobert Watson.\" documentation and/or other materials provided with the distribution. 12ca0716f5SRobert Watson.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 13ca0716f5SRobert Watson.\" its contributors may be used to endorse or promote products derived 14ca0716f5SRobert Watson.\" from this software without specific prior written permission. 15ca0716f5SRobert Watson.\" 16ca0716f5SRobert Watson.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 17ca0716f5SRobert Watson.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18ca0716f5SRobert Watson.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19ca0716f5SRobert Watson.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 20ca0716f5SRobert Watson.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21ca0716f5SRobert Watson.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22ca0716f5SRobert Watson.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23ca0716f5SRobert Watson.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 24ca0716f5SRobert Watson.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 25ca0716f5SRobert Watson.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26ca0716f5SRobert Watson.\" POSSIBILITY OF SUCH DAMAGE. 27ca0716f5SRobert Watson.\" 28ca0716f5SRobert Watson.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#5 $ 29ca0716f5SRobert Watson.\" 30ca0716f5SRobert Watson.Dd Jan 24, 2004 31ca0716f5SRobert Watson.Dt AUDIT_CONTROL 5 32ca0716f5SRobert Watson.Os 33ca0716f5SRobert Watson.Sh NAME 34ca0716f5SRobert Watson.Nm audit_control 35ca0716f5SRobert Watson.Nd "contains audit system parameters" 36ca0716f5SRobert Watson.Sh DESCRIPTION 37ca0716f5SRobert WatsonThe 38ca0716f5SRobert Watson.Nm 39ca0716f5SRobert Watsonfile contains several audit system parameters. 40ca0716f5SRobert WatsonEach line of this file is of the form: 41ca0716f5SRobert Watson.Dl parameter:value. 42ca0716f5SRobert WatsonThe parameters are: 43ca0716f5SRobert Watson.Bl -tag -width Ds 44ca0716f5SRobert Watson.It Pa dir 45ca0716f5SRobert WatsonThe directory where audit log files are stored. 46ca0716f5SRobert WatsonThere may be more than one of these entries. 47ca0716f5SRobert WatsonChanges to this entry can only be enacted by restarting the 48ca0716f5SRobert Watsonaudit system. 49ca0716f5SRobert WatsonSee 50ca0716f5SRobert Watson.Xr audit 1 51ca0716f5SRobert Watsonfor a description of how to restart the audit system. 52ca0716f5SRobert Watson.It Va flags 53ca0716f5SRobert WatsonSpecifies which audit event classes are audited for all users. 54ca0716f5SRobert Watson.Xr audit_user 5 55ca0716f5SRobert Watsondescribes how to audit events for individual users. 56ca0716f5SRobert WatsonSee the information below for the format of the audit flags. 57ca0716f5SRobert Watson.It Va naflags 58ca0716f5SRobert WatsonContains the audit flags that define what classes of events are audited when 59ca0716f5SRobert Watsonan action cannot be attributed to a specific user. 60ca0716f5SRobert Watson.It Va minfree 61ca0716f5SRobert WatsonThe minimum free space required on the file system audit logs are being written to. 62ca0716f5SRobert WatsonWhen the free space falls below this limit a warning will be issued. 63ca0716f5SRobert WatsonNot currently used as the value of 20 percent is chosen by the kernel. 64ca0716f5SRobert Watson.El 65ca0716f5SRobert Watson.Sh AUDIT FLAGS 66ca0716f5SRobert WatsonAudit flags are a comma delimited list of audit classes as defined in the 67ca0716f5SRobert Watsonaudit_class file. 68ca0716f5SRobert WatsonSee 69ca0716f5SRobert Watson.Xr audit_class 5 70ca0716f5SRobert Watsonfor details. 71ca0716f5SRobert WatsonEvent classes may be preceded by a prefix which changes their interpretation. 72ca0716f5SRobert WatsonThe following prefixes may be used for each class: 73ca0716f5SRobert Watson.Bl -tag -width Ds -compact -offset indent 74ca0716f5SRobert Watson.It + 75ca0716f5SRobert WatsonRecord successful events 76ca0716f5SRobert Watson.It - 77ca0716f5SRobert WatsonRecord failed events 78ca0716f5SRobert Watson.It ^ 79ca0716f5SRobert WatsonRecord both successful and failed events 80ca0716f5SRobert Watson.It ^+ 81ca0716f5SRobert WatsonDon't record successful events 82ca0716f5SRobert Watson.It ^- 83ca0716f5SRobert WatsonDon't record failed events 84ca0716f5SRobert Watson.El 85ca0716f5SRobert Watson.Sh DEFAULT 86ca0716f5SRobert WatsonThe following settings appear in the default 87ca0716f5SRobert Watson.Nm 88ca0716f5SRobert Watsonfile: 89ca0716f5SRobert Watson.Bd -literal -offset indent 90ca0716f5SRobert Watsondir:/var/audit 91ca0716f5SRobert Watsonflags:lo,ad,-all,^-fc,^-cl 92ca0716f5SRobert Watsonminfree:20 93ca0716f5SRobert Watsonnaflags:lo 94ca0716f5SRobert Watson.Ed 95ca0716f5SRobert Watson.Pp 96ca0716f5SRobert WatsonThe 97ca0716f5SRobert Watson.Va flags 98ca0716f5SRobert Watsonparameter above specifies the system-wide mask corresponding to login/logout 99ca0716f5SRobert Watsonevents, administrative events, and all failures except for failures in creating 100ca0716f5SRobert Watsonor closing files. 101ca0716f5SRobert Watson.Sh FILES 102ca0716f5SRobert Watson.Bl -tag -width "/etc/security/audit_control" -compact 103ca0716f5SRobert Watson.It Pa /etc/security/audit_control 104ca0716f5SRobert Watson.El 105ca0716f5SRobert Watson.Sh SEE ALSO 106ca0716f5SRobert Watson.Xr audit 1 , 107ca0716f5SRobert Watson.Xr auditd 8 , 108ca0716f5SRobert Watson.Xr audit_class 5 , 109ca0716f5SRobert Watson.Xr audit_user 5 110ca0716f5SRobert Watson.Sh AUTHORS 111ca0716f5SRobert WatsonThis software was created by McAfee Research, the security research division 112ca0716f5SRobert Watsonof McAfee, Inc., under contract to Apple Computer Inc. 113ca0716f5SRobert WatsonAdditional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. 114ca0716f5SRobert Watson.Pp 115ca0716f5SRobert WatsonThe Basic Security Module (BSM) interface to audit records and audit event 116ca0716f5SRobert Watsonstream format were defined by Sun Microsystems. 117ca0716f5SRobert Watson.Sh HISTORY 118ca0716f5SRobert WatsonThe OpenBSM implementation was created by McAfee Research, the security 119ca0716f5SRobert Watsondivision of McAfee Inc., under contract to Apple Computer Inc. in 2004. 120ca0716f5SRobert WatsonIt was subsequently adopted by the TrustedBSD Project as the foundation for 121ca0716f5SRobert Watsonthe OpenBSM distribution. 122