xref: /freebsd/share/man/man4/audit.4 (revision cddbc3b40812213ff00041f79174cac0be360a2a)
1.\" Copyright (c) 2006 Robert N. M. Watson
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.\" $FreeBSD$
26.\"
27.Dd May 31, 2009
28.Dt AUDIT 4
29.Os
30.Sh NAME
31.Nm audit
32.Nd Security Event Audit
33.Sh SYNOPSIS
34.Cd "options AUDIT"
35.Sh DESCRIPTION
36Security Event Audit is a facility to provide fine-grained, configurable
37logging of security-relevant events, and is intended to meet the requirements
38of the Common Criteria (CC) Common Access Protection Profile (CAPP)
39evaluation.
40The
41.Fx
42.Nm
43facility implements the de facto industry standard BSM API, file
44formats, and command line interface, first found in the Solaris operating
45system.
46Information on the user space implementation can be found in
47.Xr libbsm 3 .
48.Pp
49Audit support is enabled at boot, if present in the kernel, using an
50.Xr rc.conf 5
51flag.
52The audit daemon,
53.Xr auditd 8 ,
54is responsible for configuring the kernel to perform
55.Nm ,
56pushing
57configuration data from the various audit configuration files into the
58kernel.
59.Ss Audit Special Device
60The kernel
61.Nm
62facility provides a special device,
63.Pa /dev/audit ,
64which is used by
65.Xr auditd 8
66to monitor for
67.Nm
68events, such as requests to cycle the log, low disk
69space conditions, and requests to terminate auditing.
70This device is not intended for use by applications.
71.Ss Audit Pipe Special Devices
72Audit pipe special devices, discussed in
73.Xr auditpipe 4 ,
74provide a configurable live tracking mechanism to allow applications to
75tee the audit trail, as well as to configure custom preselection parameters
76to track users and events in a fine-grained manner.
77.Sh SEE ALSO
78.Xr auditreduce 1 ,
79.Xr praudit 1 ,
80.Xr audit 2 ,
81.Xr auditctl 2 ,
82.Xr auditon 2 ,
83.Xr getaudit 2 ,
84.Xr getauid 2 ,
85.Xr poll 2 ,
86.Xr select 2 ,
87.Xr setaudit 2 ,
88.Xr setauid 2 ,
89.Xr libbsm 3 ,
90.Xr auditpipe 4 ,
91.Xr audit.log 5 ,
92.Xr audit_class 5 ,
93.Xr audit_control 5 ,
94.Xr audit_event 5 ,
95.Xr audit_user 5 ,
96.Xr audit_warn 5 ,
97.Xr rc.conf 5 ,
98.Xr audit 8 ,
99.Xr auditd 8 ,
100.Xr auditdistd 8
101.Sh HISTORY
102The
103.Tn OpenBSM
104implementation was created by McAfee Research, the security
105division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
106It was subsequently adopted by the TrustedBSD Project as the foundation for
107the OpenBSM distribution.
108.Pp
109Support for kernel
110.Nm
111first appeared in
112.Fx 6.2 .
113.Sh AUTHORS
114.An -nosplit
115This software was created by McAfee Research, the security research division
116of McAfee, Inc., under contract to Apple Computer Inc.
117Additional authors include
118.An Wayne Salamon ,
119.An Robert Watson ,
120and SPARTA Inc.
121.Pp
122The Basic Security Module (BSM) interface to audit records and audit event
123stream format were defined by Sun Microsystems.
124.Pp
125This manual page was written by
126.An Robert Watson Aq Mt rwatson@FreeBSD.org .
127.Sh BUGS
128The
129.Fx
130kernel does not fully validate that audit records submitted by user
131applications are syntactically valid BSM; as submission of records is limited
132to privileged processes, this is not a critical bug.
133.Pp
134Instrumentation of auditable events in the kernel is not complete, as some
135system calls do not generate audit records, or generate audit records with
136incomplete argument information.
137.Pp
138Mandatory Access Control (MAC) labels, as provided by the
139.Xr mac 4
140facility, are not audited as part of records involving MAC decisions.
141.Pp
142Currently the
143.Nm
144syscalls are not supported for jailed processes.
145However, if a process has
146.Nm
147session state associated with it, audit records will still be produced and a zonename token
148containing the jail's ID or name will be present in the audit records.
149