xref: /freebsd/contrib/openbsm/man/audit_user.5 (revision 23bf6e2091d6f4eea4818bb19a867eb620f04d13)
1ca0716f5SRobert Watson.\" Copyright (c) 2004 Apple Computer, Inc.
2ca0716f5SRobert Watson.\" All rights reserved.
3ca0716f5SRobert Watson.\"
4ca0716f5SRobert Watson.\" Redistribution and use in source and binary forms, with or without
5ca0716f5SRobert Watson.\" modification, are permitted provided that the following conditions
6ca0716f5SRobert Watson.\" are met:
7ca0716f5SRobert Watson.\" 1.  Redistributions of source code must retain the above copyright
8ca0716f5SRobert Watson.\"     notice, this list of conditions and the following disclaimer.
9ca0716f5SRobert Watson.\" 2.  Redistributions in binary form must reproduce the above copyright
10ca0716f5SRobert Watson.\"     notice, this list of conditions and the following disclaimer in the
11ca0716f5SRobert Watson.\"     documentation and/or other materials provided with the distribution.
12ca0716f5SRobert Watson.\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
13ca0716f5SRobert Watson.\"     its contributors may be used to endorse or promote products derived
14ca0716f5SRobert Watson.\"     from this software without specific prior written permission.
15ca0716f5SRobert Watson.\"
16ca0716f5SRobert Watson.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
17ca0716f5SRobert Watson.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18ca0716f5SRobert Watson.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19ca0716f5SRobert Watson.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
20ca0716f5SRobert Watson.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21ca0716f5SRobert Watson.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22ca0716f5SRobert Watson.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23ca0716f5SRobert Watson.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
24ca0716f5SRobert Watson.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
25ca0716f5SRobert Watson.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26ca0716f5SRobert Watson.\" POSSIBILITY OF SUCH DAMAGE.
27ca0716f5SRobert Watson.\"
2823bf6e20SRobert Watson.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#7 $
29ca0716f5SRobert Watson.\"
3023bf6e20SRobert Watson.Dd February 5, 2006
31ca0716f5SRobert Watson.Dt AUDIT_USER 5
32ca0716f5SRobert Watson.Os
33ca0716f5SRobert Watson.Sh NAME
34ca0716f5SRobert Watson.Nm audit_user
35ca0716f5SRobert Watson.Nd "specifies events to be audited for the given users"
36ca0716f5SRobert Watson.Sh DESCRIPTION
37ca0716f5SRobert WatsonThe
38ca0716f5SRobert Watson.Nm
39ca0716f5SRobert Watsonfile specifies which audit event classes are to be audited for the given users.
40ca0716f5SRobert WatsonIf specified, these flags are combined with the system-wide audit flags in the
41ca0716f5SRobert Watson.Pa audit_control
42ca0716f5SRobert Watsonfile to determine which classes of events to audit for that user.
43ca0716f5SRobert WatsonThese settings take effect when the user logs in.
44ca0716f5SRobert Watson.Pp
45ca0716f5SRobert WatsonEach line maps a user name to a list of classes that should be audited and a
46ca0716f5SRobert Watsonlist of classes that should not be audited.
4723bf6e20SRobert WatsonEntries are of the form:
4823bf6e20SRobert Watson.Pp
4923bf6e20SRobert Watson.Dl username:alwaysaudit:neveraudit
5023bf6e20SRobert Watson.Pp
5123bf6e20SRobert WatsonIn the format above,
52ca0716f5SRobert Watson.Vt alwaysaudit
53ca0716f5SRobert Watsonis a set of event classes that are always audited, and
54ca0716f5SRobert Watson.Vt neveraudit
55ca0716f5SRobert Watsonis a set of event classes that should not be audited.
56ca0716f5SRobert WatsonThese sets can indicate
57ca0716f5SRobert Watsonthe inclusion or exclusion of multiple classes, and whether to audit successful
58ca0716f5SRobert Watsonor failed events.
59ca0716f5SRobert WatsonSee
60ca0716f5SRobert Watson.Xr audit_control 5
61ca0716f5SRobert Watsonfor more information about audit flags.
62ca0716f5SRobert Watson.Pp
63ca0716f5SRobert WatsonExample entries in this file are:
64ca0716f5SRobert Watson.Bd -literal -offset indent
65ca0716f5SRobert Watsonroot:lo,ad:no
66ca0716f5SRobert Watsonjdoe:-fc,ad:+fw
67ca0716f5SRobert Watson.Ed
68ca0716f5SRobert Watson.Pp
6923bf6e20SRobert WatsonThese settings would cause login/logout and administrative events that
7023bf6e20SRobert Watsonsucceed on behalf of user root to be audited.
71ca0716f5SRobert WatsonNo failure events are audited.
72ca0716f5SRobert WatsonFor the user
73ca0716f5SRobert Watson.Em jdoe ,
74ca0716f5SRobert Watsonfailed file creation events are audited, administrative events are
75ca0716f5SRobert Watsonaudited, and successful file write events are never audited.
76ca0716f5SRobert Watson.Sh FILES
77ca0716f5SRobert Watson.Bl -tag -width "/etc/security/audit_user" -compact
78ca0716f5SRobert Watson.It Pa /etc/security/audit_user
79ca0716f5SRobert Watson.El
80ca0716f5SRobert Watson.Sh SEE ALSO
81ca0716f5SRobert Watson.Xr audit_control 5
82ca0716f5SRobert Watson.Sh AUTHORS
83ca0716f5SRobert WatsonThis software was created by McAfee Research, the security research division
84ca0716f5SRobert Watsonof McAfee, Inc., under contract to Apple Computer Inc.
85ca0716f5SRobert WatsonAdditional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
86ca0716f5SRobert Watson.Pp
87ca0716f5SRobert WatsonThe Basic Security Module (BSM) interface to audit records and audit event
88ca0716f5SRobert Watsonstream format were defined by Sun Microsystems.
89ca0716f5SRobert Watson.Sh HISTORY
90ca0716f5SRobert WatsonThe OpenBSM implementation was created by McAfee Research, the security
91ca0716f5SRobert Watsondivision of McAfee Inc., under contract to Apple Computer Inc. in 2004.
92ca0716f5SRobert WatsonIt was subsequently adopted by the TrustedBSD Project as the foundation for
93ca0716f5SRobert Watsonthe OpenBSM distribution.
94