1.\" Copyright (c) 2004 Apple Computer, Inc. 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 13.\" its contributors may be used to endorse or promote products derived 14.\" from this software without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 20.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 24.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 25.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26.\" POSSIBILITY OF SUCH DAMAGE. 27.\" 28.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#5 $ 29.\" 30.Dd Jan 24, 2004 31.Dt AUDIT_CONTROL 5 32.Os 33.Sh NAME 34.Nm audit_control 35.Nd "contains audit system parameters" 36.Sh DESCRIPTION 37The 38.Nm 39file contains several audit system parameters. 40Each line of this file is of the form: 41.Dl parameter:value. 42The parameters are: 43.Bl -tag -width Ds 44.It Pa dir 45The directory where audit log files are stored. 46There may be more than one of these entries. 47Changes to this entry can only be enacted by restarting the 48audit system. 49See 50.Xr audit 1 51for a description of how to restart the audit system. 52.It Va flags 53Specifies which audit event classes are audited for all users. 54.Xr audit_user 5 55describes how to audit events for individual users. 56See the information below for the format of the audit flags. 57.It Va naflags 58Contains the audit flags that define what classes of events are audited when 59an action cannot be attributed to a specific user. 60.It Va minfree 61The minimum free space required on the file system audit logs are being written to. 62When the free space falls below this limit a warning will be issued. 63Not currently used as the value of 20 percent is chosen by the kernel. 64.El 65.Sh AUDIT FLAGS 66Audit flags are a comma delimited list of audit classes as defined in the 67audit_class file. 68See 69.Xr audit_class 5 70for details. 71Event classes may be preceded by a prefix which changes their interpretation. 72The following prefixes may be used for each class: 73.Bl -tag -width Ds -compact -offset indent 74.It + 75Record successful events 76.It - 77Record failed events 78.It ^ 79Record both successful and failed events 80.It ^+ 81Don't record successful events 82.It ^- 83Don't record failed events 84.El 85.Sh DEFAULT 86The following settings appear in the default 87.Nm 88file: 89.Bd -literal -offset indent 90dir:/var/audit 91flags:lo,ad,-all,^-fc,^-cl 92minfree:20 93naflags:lo 94.Ed 95.Pp 96The 97.Va flags 98parameter above specifies the system-wide mask corresponding to login/logout 99events, administrative events, and all failures except for failures in creating 100or closing files. 101.Sh FILES 102.Bl -tag -width "/etc/security/audit_control" -compact 103.It Pa /etc/security/audit_control 104.El 105.Sh SEE ALSO 106.Xr audit 1 , 107.Xr auditd 8 , 108.Xr audit_class 5 , 109.Xr audit_user 5 110.Sh AUTHORS 111This software was created by McAfee Research, the security research division 112of McAfee, Inc., under contract to Apple Computer Inc. 113Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. 114.Pp 115The Basic Security Module (BSM) interface to audit records and audit event 116stream format were defined by Sun Microsystems. 117.Sh HISTORY 118The OpenBSM implementation was created by McAfee Research, the security 119division of McAfee Inc., under contract to Apple Computer Inc. in 2004. 120It was subsequently adopted by the TrustedBSD Project as the foundation for 121the OpenBSM distribution. 122