152267f74SRobert Watson.\" Copyright (c) 2004 Apple Inc. 2ca0716f5SRobert Watson.\" All rights reserved. 3ca0716f5SRobert Watson.\" 4ca0716f5SRobert Watson.\" Redistribution and use in source and binary forms, with or without 5ca0716f5SRobert Watson.\" modification, are permitted provided that the following conditions 6ca0716f5SRobert Watson.\" are met: 7ca0716f5SRobert Watson.\" 1. Redistributions of source code must retain the above copyright 8ca0716f5SRobert Watson.\" notice, this list of conditions and the following disclaimer. 9ca0716f5SRobert Watson.\" 2. Redistributions in binary form must reproduce the above copyright 10ca0716f5SRobert Watson.\" notice, this list of conditions and the following disclaimer in the 11ca0716f5SRobert Watson.\" documentation and/or other materials provided with the distribution. 1252267f74SRobert Watson.\" 3. Neither the name of Apple Inc. ("Apple") nor the names of 13ca0716f5SRobert Watson.\" its contributors may be used to endorse or promote products derived 14ca0716f5SRobert Watson.\" from this software without specific prior written permission. 15ca0716f5SRobert Watson.\" 16ca0716f5SRobert Watson.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 17ca0716f5SRobert Watson.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18ca0716f5SRobert Watson.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19ca0716f5SRobert Watson.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 20ca0716f5SRobert Watson.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21ca0716f5SRobert Watson.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22ca0716f5SRobert Watson.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23ca0716f5SRobert Watson.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 24ca0716f5SRobert Watson.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 25ca0716f5SRobert Watson.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26ca0716f5SRobert Watson.\" POSSIBILITY OF SUCH DAMAGE. 27ca0716f5SRobert Watson.\" 2852267f74SRobert Watson.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#13 $ 29ca0716f5SRobert Watson.\" 3023bf6e20SRobert Watson.Dd February 5, 2006 31ca0716f5SRobert Watson.Dt AUDIT_USER 5 32ca0716f5SRobert Watson.Os 33ca0716f5SRobert Watson.Sh NAME 34ca0716f5SRobert Watson.Nm audit_user 35bc168a6cSRobert Watson.Nd "events to be audited for given users" 36ca0716f5SRobert Watson.Sh DESCRIPTION 37ca0716f5SRobert WatsonThe 38ca0716f5SRobert Watson.Nm 39ca0716f5SRobert Watsonfile specifies which audit event classes are to be audited for the given users. 40ca0716f5SRobert WatsonIf specified, these flags are combined with the system-wide audit flags in the 41bc168a6cSRobert Watson.Xr audit_control 5 42ca0716f5SRobert Watsonfile to determine which classes of events to audit for that user. 43ca0716f5SRobert WatsonThese settings take effect when the user logs in. 44ca0716f5SRobert Watson.Pp 45ca0716f5SRobert WatsonEach line maps a user name to a list of classes that should be audited and a 46ca0716f5SRobert Watsonlist of classes that should not be audited. 4723bf6e20SRobert WatsonEntries are of the form: 4823bf6e20SRobert Watson.Pp 49bc168a6cSRobert Watson.D1 Ar username Ns : Ns Ar alwaysaudit Ns : Ns Ar neveraudit 5023bf6e20SRobert Watson.Pp 5123bf6e20SRobert WatsonIn the format above, 52bc168a6cSRobert Watson.Ar alwaysaudit 53ca0716f5SRobert Watsonis a set of event classes that are always audited, and 54bc168a6cSRobert Watson.Ar neveraudit 55ca0716f5SRobert Watsonis a set of event classes that should not be audited. 56ca0716f5SRobert WatsonThese sets can indicate 57ca0716f5SRobert Watsonthe inclusion or exclusion of multiple classes, and whether to audit successful 58ca0716f5SRobert Watsonor failed events. 59ca0716f5SRobert WatsonSee 60ca0716f5SRobert Watson.Xr audit_control 5 61ca0716f5SRobert Watsonfor more information about audit flags. 62ca0716f5SRobert Watson.Pp 63ca0716f5SRobert WatsonExample entries in this file are: 64ca0716f5SRobert Watson.Bd -literal -offset indent 65ca0716f5SRobert Watsonroot:lo,ad:no 66ca0716f5SRobert Watsonjdoe:-fc,ad:+fw 67ca0716f5SRobert Watson.Ed 68ca0716f5SRobert Watson.Pp 6923bf6e20SRobert WatsonThese settings would cause login/logout and administrative events that 70bc168a6cSRobert Watsonsucceed on behalf of user 71bc168a6cSRobert Watson.Dq Li root 72bc168a6cSRobert Watsonto be audited. 73ca0716f5SRobert WatsonNo failure events are audited. 74ca0716f5SRobert WatsonFor the user 75bc168a6cSRobert Watson.Dq Li jdoe , 76ca0716f5SRobert Watsonfailed file creation events are audited, administrative events are 77ca0716f5SRobert Watsonaudited, and successful file write events are never audited. 78bc168a6cSRobert Watson.Sh IMPLEMENTATION NOTES 79bc168a6cSRobert WatsonPer-user and global audit preselection configuration are evaluated at time of 80bc168a6cSRobert Watsonlogin, so users must log out and back in again for audit changes relating to 81bc168a6cSRobert Watsonpreselection to take effect. 82bc168a6cSRobert Watson.Pp 83bc168a6cSRobert WatsonAudit record preselection occurs with respect to the audit identifier 84bc168a6cSRobert Watsonassociated with a process, rather than with respect to the UNIX user or group 85bc168a6cSRobert WatsonID. 86bc168a6cSRobert WatsonThe audit identifier is set as part of the user credential context as part of 87bc168a6cSRobert Watsonlogin, and typically does not change as a result of running setuid or setgid 88bc168a6cSRobert Watsonapplications, such as 89bc168a6cSRobert Watson.Xr su 1 . 90bc168a6cSRobert WatsonThis has the advantage that events that occur after running 91bc168a6cSRobert Watson.Xr su 1 92bc168a6cSRobert Watsoncan be audited to the original authenticated user, as required by CAPP, but 93bc168a6cSRobert Watsonmay be surprising if not expected. 94ca0716f5SRobert Watson.Sh FILES 95bc168a6cSRobert Watson.Bl -tag -width ".Pa /etc/security/audit_user" -compact 96ca0716f5SRobert Watson.It Pa /etc/security/audit_user 97ca0716f5SRobert Watson.El 98ca0716f5SRobert Watson.Sh SEE ALSO 99bc168a6cSRobert Watson.Xr login 1 , 100bc168a6cSRobert Watson.Xr su 1 , 101bc168a6cSRobert Watson.Xr audit 4 , 102bc168a6cSRobert Watson.Xr audit_class 5 , 103bc168a6cSRobert Watson.Xr audit_control 5 , 104bc168a6cSRobert Watson.Xr audit_event 5 105bc168a6cSRobert Watson.Sh HISTORY 106bc168a6cSRobert WatsonThe OpenBSM implementation was created by McAfee Research, the security 107bc168a6cSRobert Watsondivision of McAfee Inc., under contract to Apple Computer Inc.\& in 2004. 108bc168a6cSRobert WatsonIt was subsequently adopted by the TrustedBSD Project as the foundation for 109bc168a6cSRobert Watsonthe OpenBSM distribution. 110ca0716f5SRobert Watson.Sh AUTHORS 111bc168a6cSRobert Watson.An -nosplit 112ca0716f5SRobert WatsonThis software was created by McAfee Research, the security research division 113ca0716f5SRobert Watsonof McAfee, Inc., under contract to Apple Computer Inc. 114bc168a6cSRobert WatsonAdditional authors include 115bc168a6cSRobert Watson.An Wayne Salamon , 116bc168a6cSRobert Watson.An Robert Watson , 117bc168a6cSRobert Watsonand SPARTA Inc. 118ca0716f5SRobert Watson.Pp 119ca0716f5SRobert WatsonThe Basic Security Module (BSM) interface to audit records and audit event 120ca0716f5SRobert Watsonstream format were defined by Sun Microsystems. 121