File Formats                                                  audit_control(4)


NAME

 audit_control - control information for system audit daemon

SYNOPSIS

 
/etc/security/audit_control

DESCRIPTION

 

The audit_control file contains audit control information used by auditd(1M). Each line consists of a title and a string, separated by a colon. There are no restrictions on the order of lines in the file, although some lines must appear only once. A line beginning with `#' is a comment.

Directory definition lines list the directories to be used when creating audit files, in the order in which they are to be used. The format of a directory line is:

dir:directory-name

directory-name is where the audit files will be created. Any valid writable directory can be specified.

The following configuration is recommended:

/etc/security/audit/server/files

where server is the name of a central machine, since audit files belonging to different servers are usually stored in separate subdirectories of a single audit directory. The naming convention normally has server be a directory on a server machine, and all clients mount /etc/security/audit/server at the same location in their local file systems. If the same server exports several different file systems for auditing, their server names will, of course, be different.

There are several other ways for audit data to be arranged: some sites may have needs more in line with storing each host's audit data in separate subdirectories. The audit structure used will depend on each individual site.

The audit threshold line specifies the percentage of free space that must be present in the file system containing the current audit file. The format of the threshold line is:

minfree:percentage

where percentage indicates the amount of free space required. If free space falls below this threshold, the audit daemon auditd(1M) invokes the shell script audit_warn(1M). If no threshold is specified, the default is 0%.

The audit flags line specifies the default system audit value. This value is combined with the user audit value read from audit_user(4) to form a user's process preselection mask.

The algorithm for obtaining the process preselection mask is as follows: the audit flags from the flags: line in the audit_control file are added to the flags from the always-audit field in the user's entry in the audit_user file. The flags from the never-audit field from the user's entry in the audit_user file are then subtracted from the total:

user's process preselection mask =
    (flags: line + always-audit flags) - never-audit flags

The format of a flags line is:

flags:audit-flags

where audit-flags specifies which event classes are to be audited. The character string representation of audit-flags contains a series of flag names, each one identifying a single audit class, separated by commas. A name preceded by `-' means that the class should be audited for failure only; successful attempts are not audited. A name preceded by `+' means that the class should be audited for success only; failing attempts are not audited. Without a prefix, the name indicates that the class is to be audited for both successes and failures. The special string all indicates that all events should be audited; -all indicates that all failed attempts are to be audited, and +all all successful attempts. The prefixes ^, ^-, and ^+ turn off flags specified earlier in the string (^- and ^+ for failing and successful attempts, ^ for both). They are typically used to reset flags.

The non-attributable flags line is similar to the flags line, but this one contains the audit flags that define which classes of events are audited when an action cannot be attributed to a specific user. The format of a naflags line is:

naflags:audit-flags

The flags are separated by commas, with no spaces.
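The flag-string rules and the preselection-mask formula above, as an added Python example (not code from Solaris or from this manual). The class names are the short names from the table on this page; the example assumes the always-audit and never-audit fields of audit_user(4) use the same flag syntax as the flags: line.

```python
# Added example, not from the Solaris manual: the audit-flags string grammar
# (+, -, ^, ^+, ^-, all) and the preselection-mask formula as set arithmetic.

# Short class names from the audit class table in this man page.
CLASSES = {"no", "fr", "fw", "fa", "fm", "fc", "fd", "cl", "pc", "nt",
           "ip", "na", "ad", "lo", "ap", "io", "ex", "ot"}

def parse_flags(spec, classes=CLASSES):
    """Apply an audit-flags string left to right and return (success, failure):
    the classes audited for successful and for failing attempts."""
    success, failure = set(), set()
    for token in filter(None, spec.replace(" ", "").split(",")):
        negate = token.startswith("^")           # ^ turns earlier flags off
        if negate:
            token = token[1:]
        if token.startswith("-"):                # failures only
            on_success, on_failure, name = False, True, token[1:]
        elif token.startswith("+"):              # successes only
            on_success, on_failure, name = True, False, token[1:]
        else:                                    # both outcomes
            on_success, on_failure, name = True, True, token
        if name == "all":
            names = classes - {"no"}             # 'no' selects no events
        elif name == "no":
            names = set()
        elif name in classes:
            names = {name}
        else:
            raise ValueError("unknown audit class: %r" % name)
        for flag_set, selected in ((success, on_success), (failure, on_failure)):
            if not selected:
                continue
            if negate:
                flag_set.difference_update(names)
            else:
                flag_set.update(names)
    return success, failure

def preselection_mask(flags_line, always_audit, never_audit):
    """(flags: line + always-audit flags) - never-audit flags, as two sets.
    Assumption: audit_user(4) fields use the same flag syntax as flags:."""
    s1, f1 = parse_flags(flags_line)
    s2, f2 = parse_flags(always_audit)
    s3, f3 = parse_flags(never_audit)
    return (s1 | s2) - s3, (f1 | f2) - f3
```

Running parse_flags on the eggplant sample's flags line, lo,ad,-all,^-fm, yields successes for lo and ad only, and failures for every class except fm.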

The following table lists the predefined audit classes:

short name   long name        short description
no           no_class         null value for turning off event preselection
fr           file_read        Read of data, open for reading, etc.
fw           file_write       Write of data, open for writing, etc.
fa           file_attr_acc    Access of object attributes: stat, pathconf, etc.
fm           file_attr_mod    Change of object attributes: chown, flock, etc.
fc           file_creation    Creation of object
fd           file_deletion    Deletion of object
cl           file_close       close(2) system call
pc           process          Process operations: fork, exec, exit, etc.
nt           network          Network events: bind, connect, accept, etc.
ip           ipc              System V IPC operations
na           non_attrib       Non-attributable events
ad           administrative   Administrative actions: mount, exportfs, etc.
lo           login_logout     Login and logout events
ap           application      Application auditing
io           ioctl            ioctl(2) system call
ex           exec             exec(2) system call
ot           other            Everything else
all          all              All flags set

Note that the classes are configurable, see audit_class(4).

EXAMPLES

Example 1. Sample /etc/security/audit_control file for the machine eggplant.

Here is a sample /etc/security/audit_control file for the machine eggplant:

dir: /etc/security/jedgar/eggplant
dir: /etc/security/jedgar.aux/eggplant
#
# Last-ditch audit file system when jedgar fills up.
#
dir: /etc/security/global/eggplant
minfree: 20
flags: lo,ad,-all,^-fm
naflags: lo,ad

This identifies server jedgar with two file systems normally used for audit data, another server global used only when jedgar fills up or breaks, and specifies that the warning script is run when the file systems are 80% filled. It also specifies that all logins and administrative operations are to be audited (whether or not they succeed), and that failures of all types except failures to access object attributes are to be audited.
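A parser and minfree check for this file format, as an added Python example that is not part of the manual. It embeds the eggplant sample above as constructed input, enforces the single-occurrence rule for minfree, flags and naflags, and assumes free space is evaluated as a free/total block ratio, as a statvfs caller would.

```python
# Added example, not part of the manual: parse and validate an audit_control
# file, then evaluate minfree as auditd would before running audit_warn.
SAMPLE = """\
dir: /etc/security/jedgar/eggplant
dir: /etc/security/jedgar.aux/eggplant
#
# Last-ditch audit file system when jedgar fills up.
#
dir: /etc/security/global/eggplant
minfree: 20
flags: lo,ad,-all,^-fm
naflags: lo,ad
"""

ONCE_ONLY = ("minfree", "flags", "naflags")   # titles allowed a single line

def parse_audit_control(text):
    """Return {'dir': [...], 'minfree': int, 'flags': str, 'naflags': str}.
    Directories keep file order; auditd fills them in that order."""
    conf = {"dir": [], "minfree": 0, "flags": "", "naflags": ""}  # minfree default 0%
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        title, sep, value = line.partition(":")
        title, value = title.strip(), value.strip()
        if not sep or title not in conf:
            raise ValueError("line %d: unrecognised line %r" % (lineno, raw))
        if title in ONCE_ONLY:
            if title in seen:
                raise ValueError("line %d: duplicate %s line" % (lineno, title))
            seen.add(title)
        if title == "dir":
            if not value.startswith("/"):
                raise ValueError("line %d: dir must be an absolute path" % lineno)
            conf["dir"].append(value)
        elif title == "minfree":
            pct = int(value)
            if not 0 <= pct <= 100:
                raise ValueError("line %d: minfree must be 0..100" % lineno)
            conf["minfree"] = pct
        else:                                     # flags / naflags: no spaces
            conf[title] = value.replace(" ", "")
    return conf

def warn_needed(conf, free_blocks, total_blocks):
    """True when free space is below minfree, i.e. auditd would run audit_warn."""
    return 100.0 * free_blocks / total_blocks < conf["minfree"]
```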

FILES

 
/etc/security/audit_control
/etc/security/audit_warn
/etc/security/audit/*/*/*
/etc/security/audit_user

SEE ALSO

 

audit(1M), audit_warn(1M), auditd(1M), bsmconv(1M), audit(2), getfauditflags(3BSM), audit.log(4), audit_class(4), audit_user(4)

NOTES

 

The functionality described in this man page is available only if the Basic Security Module (BSM) has been enabled. See bsmconv(1M) for more information.


SunOS 5.9                                            Last Changed 16 Feb 2001
Copyright 2002 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms.