xref: /freebsd/share/man/man4/audit.4 (revision 89614fc2ff07cbfe035a0c5d1820e8eb5c827c2d)
1.\" Copyright (c) 2006 Robert N. M. Watson
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.\" $FreeBSD$
26.\"
27.Dd May 31, 2009
28.Os
29.Dt AUDIT 4
30.Sh NAME
31.Nm audit
32.Nd Security Event Audit
33.Sh SYNOPSIS
34.Cd "options AUDIT"
35.Sh DESCRIPTION
36Security Event Audit is a facility to provide fine-grained, configurable
37logging of security-relevant events, and is intended to meet the requirements
38of the Common Criteria (CC) Common Access Protection Profile (CAPP)
39evaluation.
40The
41.Fx
42.Nm
43facility implements the de facto industry standard BSM API, file
44formats, and command line interface, first found in the Solaris operating
45system.
46Information on the user space implementation can be found in
47.Xr libbsm 3 .
48.Pp
49Audit support is enabled at boot, if present in the kernel, using an
50.Xr rc.conf 5
51flag.
52The audit daemon,
53.Xr auditd 8 ,
54is responsible for configuring the kernel to perform
55.Nm ,
56pushing
57configuration data from the various audit configuration files into the
58kernel.
59.Ss Audit Special Device
60The kernel
61.Nm
62facility provides a special device,
63.Pa /dev/audit ,
64which is used by
65.Xr auditd 8
66to monitor for
67.Nm
68events, such as requests to cycle the log, low disk
69space conditions, and requests to terminate auditing.
70This device is not intended for use by applications.
71.Ss Audit Pipe Special Devices
72Audit pipe special devices, discussed in
73.Xr auditpipe 4 ,
74provide a configurable live tracking mechanism to allow applications to
75tee the audit trail, as well as to configure custom preselection parameters
76to track users and events in a fine-grained manner.
77.Sh SEE ALSO
78.Xr auditreduce 1 ,
79.Xr praudit 1 ,
80.Xr audit 2 ,
81.Xr auditctl 2 ,
82.Xr auditon 2 ,
83.Xr getaudit 2 ,
84.Xr getauid 2 ,
85.Xr poll 2 ,
86.Xr select 2 ,
87.Xr setaudit 2 ,
88.Xr setauid 2 ,
89.Xr libbsm 3 ,
90.Xr auditpipe 4 ,
91.Xr audit_class 5 ,
92.Xr audit_control 5 ,
93.Xr audit_event 5 ,
94.Xr audit.log 5 ,
95.Xr audit_user 5 ,
96.Xr audit_warn 5 ,
97.Xr rc.conf 5 ,
98.Xr audit 8 ,
99.Xr auditd 8
100.Sh HISTORY
101The
102.Tn OpenBSM
103implementation was created by McAfee Research, the security
104division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
105It was subsequently adopted by the TrustedBSD Project as the foundation for
106the OpenBSM distribution.
107.Pp
108Support for kernel
109.Nm
110first appeared in
111.Fx 6.2 .
112.Sh AUTHORS
113.An -nosplit
114This software was created by McAfee Research, the security research division
115of McAfee, Inc., under contract to Apple Computer Inc.
116Additional authors include
117.An Wayne Salamon ,
118.An Robert Watson ,
119and SPARTA Inc.
120.Pp
121The Basic Security Module (BSM) interface to audit records and audit event
122stream format were defined by Sun Microsystems.
123.Pp
124This manual page was written by
125.An Robert Watson Aq rwatson@FreeBSD.org .
126.Sh BUGS
127The
128.Fx
129kernel does not fully validate that audit records submitted by user
130applications are syntactically valid BSM; as submission of records is limited
131to privileged processes, this is not a critical bug.
132.Pp
133Instrumentation of auditable events in the kernel is not complete, as some
134system calls do not generate audit records, or generate audit records with
135incomplete argument information.
136.Pp
137Mandatory Access Control (MAC) labels, as provided by the
138.Xr mac 4
139facility, are not audited as part of records involving MAC decisions.
140