.\" Copyright (c) 2006, 2019 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" This software was developed in part by BAE Systems, the University of
.\" Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
.\" contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
.\" Computing (TC) research program.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd April 28, 2019
.Dt AUDIT 4
.Os
.Sh NAME
.Nm audit
.Nd Security Event Audit
.Sh SYNOPSIS
.Cd "options AUDIT"
.Sh DESCRIPTION
Security Event Audit is a facility to provide fine-grained, configurable
logging of security-relevant events, and is intended to meet the requirements
of the Common Criteria (CC) Common Access Protection Profile (CAPP)
evaluation.
The
.Fx
.Nm
facility implements the de facto industry standard BSM API, file
formats, and command line interface, first found in the Solaris operating
system.
Information on the user space implementation can be found in
.Xr libbsm 3 .
.Pp
Audit support is enabled at boot, if present in the kernel, using an
.Xr rc.conf 5
flag.
The audit daemon,
.Xr auditd 8 ,
is responsible for configuring the kernel to perform
.Nm ,
pushing
configuration data from the various audit configuration files into the
kernel.
.Ss Audit Special Device
The kernel
.Nm
facility provides a special device,
.Pa /dev/audit ,
which is used by
.Xr auditd 8
to monitor for
.Nm
events, such as requests to cycle the log, low disk
space conditions, and requests to terminate auditing.
This device is not intended for use by applications.
.Ss Audit Pipe Special Devices
Audit pipe special devices, discussed in
.Xr auditpipe 4 ,
provide a configurable live tracking mechanism to allow applications to
tee the audit trail, as well as to configure custom preselection parameters
to track users and events in a fine-grained manner.
.Ss DTrace Audit Provider
The DTrace Audit Provider,
.Xr dtaudit 4 ,
allows D scripts to enable capture of in-kernel audit records for kernel audit
event types, and then process their contents during audit commit or BSM
generation.
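The shell functions below are an added example, not part of the audit(4) manual page or of the FreeBSD sources: they check the two boot-time prerequisites the DESCRIPTION names, a kernel built with options AUDIT and the rc.conf(5) flag that starts auditd(8) at boot. The variable name auditd_enable is the real rc.conf knob read by the auditd rc script; the kernel configuration and rc.conf paths are passed as arguments, and the sample file contents used for testing are constructed.

```shell
# Added example, not part of audit(4) or the FreeBSD sources: check the two
# boot-time prerequisites for kernel audit on a FreeBSD host, given copies
# of the kernel configuration and rc.conf(5). auditd_enable is the real
# rc.conf knob consulted by /etc/rc.d/auditd; sample files are constructed.

# Return 0 if a kernel configuration file contains "options AUDIT".
kernel_has_audit() {
    grep -E '^[[:space:]]*options[[:space:]]+AUDIT([[:space:]]|$)' "$1" \
        >/dev/null 2>&1
}

# Return 0 if an rc.conf-style file enables auditd at boot. Follows
# rc.subr(8) semantics: the last assignment wins, surrounding quotes and a
# trailing comment are ignored, and yes/true/on/1 (any case) mean enabled.
audit_boot_enabled() {
    _val=$(sed -n 's/^[[:space:]]*auditd_enable=//p' "$1" 2>/dev/null | tail -n 1)
    _val=$(printf '%s\n' "$_val" \
        | sed -e 's/^"\([^"]*\)".*/\1/' \
              -e "s/^'\([^']*\)'.*/\1/" \
              -e 's/[[:space:]#].*//' \
        | tr '[:lower:]' '[:upper:]')
    case "$_val" in
        YES|TRUE|ON|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Report both checks; exit status is 0 only when auditing will be active
# at boot (kernel support compiled in and the daemon enabled).
audit_boot_check() {
    _rc=0
    if kernel_has_audit "$1"; then
        echo "kernel config $1: options AUDIT present"
    else
        echo "kernel config $1: options AUDIT missing; audit(4) unavailable"
        _rc=1
    fi
    if audit_boot_enabled "$2"; then
        echo "rc.conf $2: auditd_enable set; auditd(8) starts at boot"
    else
        echo "rc.conf $2: auditd_enable not set; no audit trail at boot"
        _rc=1
    fi
    return $_rc
}
```

On a live host the arguments would be the kernel configuration file and /etc/rc.conf; note that only the one file given is read, so assignments in /etc/defaults/rc.conf or /etc/rc.conf.local are not consulted.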
.Sh SEE ALSO
.Xr auditreduce 1 ,
.Xr praudit 1 ,
.Xr audit 2 ,
.Xr auditctl 2 ,
.Xr auditon 2 ,
.Xr getaudit 2 ,
.Xr getauid 2 ,
.Xr poll 2 ,
.Xr select 2 ,
.Xr setaudit 2 ,
.Xr setauid 2 ,
.Xr libbsm 3 ,
.Xr auditpipe 4 ,
.Xr dtaudit 4 ,
.Xr audit.log 5 ,
.Xr audit_class 5 ,
.Xr audit_control 5 ,
.Xr audit_event 5 ,
.Xr audit_user 5 ,
.Xr audit_warn 5 ,
.Xr rc.conf 5 ,
.Xr audit 8 ,
.Xr auditd 8 ,
.Xr auditdistd 8
.Sh HISTORY
The
.Tn OpenBSM
implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Pp
Support for kernel
.Nm
first appeared in
.Fx 6.2 .
.Sh AUTHORS
.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include
.An Wayne Salamon ,
.An Robert Watson ,
and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq Mt rwatson@FreeBSD.org .
.Sh BUGS
The
.Fx
kernel does not fully validate that audit records submitted by user
applications are syntactically valid BSM; as submission of records is limited
to privileged processes, this is not a critical bug.
.Pp
Instrumentation of auditable events in the kernel is not complete, as some
system calls do not generate audit records, or generate audit records with
incomplete argument information.
.Pp
Mandatory Access Control (MAC) labels, as provided by the
.Xr mac 4
facility, are not audited as part of records involving MAC decisions.
.Pp
Currently the
.Nm
syscalls are not supported for jailed processes.
However, if a process has
.Nm
session state associated with it, audit records will still be produced and a
zonename token containing the jail's ID or name will be present in the audit
records.