.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\"    its contributors may be used to endorse or promote products derived
.\"    from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#7 $
.\"
.Dd February 5, 2006
.Dt AUDIT_USER 5
.Os
.Sh NAME
.Nm audit_user
.Nd "specifies events to be audited for the given users"
.Sh DESCRIPTION
The
.Nm
file specifies which audit event classes are to be audited for the given users.
If specified, these flags are combined with the system-wide audit flags in the
.Pa audit_control
file to determine which classes of events to audit for that user.
These settings take effect when the user logs in.
.Pp
Each line maps a user name to a list of classes that should be audited and a
list of classes that should not be audited.
Entries are of the form:
.Pp
.Dl username:alwaysaudit:neveraudit
.Pp
In the format above,
.Vt alwaysaudit
is a set of event classes that are always audited, and
.Vt neveraudit
is a set of event classes that should not be audited.
These sets can indicate
the inclusion or exclusion of multiple classes, and whether to audit successful
or failed events.
See
.Xr audit_control 5
for more information about audit flags.
.Pp
Example entries in this file are:
.Bd -literal -offset indent
root:lo,ad:no
jdoe:-fc,ad:+fw
.Ed
.Pp
These settings would cause login/logout and administrative events that
succeed on behalf of user root to be audited.
No failure events are audited.
For the user
.Em jdoe ,
failed file creation events are audited, administrative events are
audited, and successful file write events are never audited.
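.Pp
The following lint pass over entries in this format is an added example, not part of OpenBSM: it parses each entry and reports malformed lines and users whose neveraudit field excludes a class from auditing.
The names lint, parse_flags and SAMPLE, the sample users svc_backup and mallory, and the treatment of '#' lines as comments are assumptions of this example.

```python
"""Lint audit_user(5) entries of the form username:alwaysaudit:neveraudit."""

# Constructed sample: the page's two example entries plus two made-up ones.
# Treating '#' lines as comments is an assumption of this example.
SAMPLE = """\
# constructed sample
root:lo,ad:no
jdoe:-fc,ad:+fw
svc_backup:lo
mallory::lo,ad
"""

PREFIXES = {"+": "success", "-": "failure"}  # as in the page's jdoe entry


def parse_flags(field):
    """Split a class list into (class, outcome) pairs.

    outcome is "success", "failure", or None for an unprefixed class
    (audit_control(5) defines how unprefixed classes are treated).
    """
    flags = []
    for item in (f.strip() for f in field.split(",")):
        if item:
            outcome = PREFIXES.get(item[0])
            flags.append((item[1:] if outcome else item, outcome))
    return flags


def lint(text):
    """Return (entries, findings) for the contents of an audit_user file."""
    entries, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or not parts[0]:
            findings.append((lineno, "malformed entry, expected 3 fields"))
            continue
        always, never = parse_flags(parts[1]), parse_flags(parts[2])
        entries[parts[0]] = (always, never)
        # "no" is the null class (mask 0) in audit_class: it excludes nothing.
        hidden = [f for f in never if f[0] != "no"]
        if hidden:
            findings.append((lineno, f"{parts[0]}: never audited: {hidden}"))
    return entries, findings
```

Calling lint(SAMPLE) flags the jdoe and mallory entries for excluded classes and the svc_backup line as malformed; the root entry passes because its neveraudit field is the null class.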
.Sh FILES
.Bl -tag -width "/etc/security/audit_user" -compact
.It Pa /etc/security/audit_user
.El
.Sh SEE ALSO
.Xr audit_control 5
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.