
OpenSolaris 2009.06 - man page for audit_control (opensolaris section 4)


audit_control(4)			   File Formats 			 audit_control(4)

       audit_control - control information for system audit daemon


       The audit_control file contains audit control information used by auditd(1M). Each line
       consists of a title and a string, separated by a colon. There are no restrictions on the
       order of lines in the file, although some lines must appear only once. A line beginning
       with `#' is a comment. A line can be continued with the use of the backslash (\)
       convention. (See EXAMPLES.)

       Directory definition lines list the directories to be used when creating audit files, in
       the order in which they are to be used. The format of a directory line is:

	 dir: directory-name

       directory-name is where the audit files will be created. Any valid writable directory  can
       be specified.

       The following configuration is recommended:


       where  server  is  the name of a central machine, since audit files belonging to different
       servers are usually stored in separate subdirectories of a  single  audit  directory.  The
       naming  convention normally has server be a directory on a server machine, and all clients
       mount /etc/security/audit/server at the same location in their local file systems. If  the
       same  server exports several different file systems for auditing, their server names will,
       of course, be different.

       There are several other ways for audit data to be arranged: some sites may have needs more
       in line with storing each host's audit data in separate subdirectories. The audit
       structure used will depend on each individual site.

       The audit threshold line specifies the percentage of free space that must be present in
       the file system containing the current audit file. The format of the threshold line is:

	 minfree: percentage

       where percentage indicates the amount of free space required. If free space falls below
       this threshold, the audit daemon auditd(1M) invokes the shell script audit_warn(1M). If no
       threshold is specified, the default is 0%.

       The plugin definition line selects a plugin to be loaded by the audit daemon for
       processing audit records.

       The format of a plugin line is:

	 plugin: keyword1=value1;keyword2=value2;

       The following keywords are defined:

       name	The value is the pathname of the plugin. This specification is required.

       qsize	The value is the maximum number of records to queue for audit data sent to the
		plugin. If omitted, the current hiwater mark (see the -getqctrl of
		auditconfig(1M)) is used. When this maximum is reached, auditd will either block or
		discard data, depending on the audit policy cnt. See auditconfig(1M).

       p_*	A keyword with the prefix p_ is passed to the plugin defined by the value
		associated with the name attribute. These attributes are defined for each plugin. By
		convention, if the value associated with a plugin attribute is a list, the list
		items are separated with commas.

       If pathname is a relative path (it does not start with /) the library path will be taken
       as relative to /usr/lib/security/$ISA. The $ISA token is replaced by an
       implementation-defined directory name that defines the path relative to the auditd(1M)
       instruction set

       See audit_syslog(5) for the attributes expected for plugin: name=audit_syslog.so.

       No  plugin  specifier  is required for generation of a binary audit log. However, to set a
       queue size of other than the default, a plugin line with name=audit_binfile.so can be used
       as described in audit_binfile(5).

       You  must  specify  one	or more plugins. (In the case of audit_binfile.so, use of dir: or
       plugin: suffices.)
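
       The line syntax described above (title:string lines, `#' comments, backslash
       continuation, and keyword=value; lists on plugin lines), as an added Python example that
       is not part of the man page or of Sun's auditd. The sample file is constructed from the
       EXAMPLES section; relative plugin names are resolved under /usr/lib/security/$ISA as the
       text states.

```python
# Added example (not Sun's code): parse an audit_control(4) file into a dict,
# handling `#' comments, backslash continuation and plugin keyword=value; lists.
SAMPLE = """\
dir: /etc/security/jedgar/eggplant
# Last-ditch audit file system when jedgar fills up.
dir: /etc/security/global/eggplant
minfree: 20
flags: lo,ad,-fm
plugin: name=audit_syslog.so;\\
        p_flags=lo,+ad
plugin: name=audit_binfile.so; qsize=256
"""   # constructed sample modelled on the EXAMPLES section

def logical_lines(text):
    """Yield non-comment lines with backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # continued on the next line
            pending = line[:-1]
        elif line and not line.startswith("#"):
            yield line

def parse_plugin(spec):
    """Split 'k1=v1;k2=v2;' into a dict; name= is required."""
    attrs = {}
    for item in filter(None, (s.strip() for s in spec.split(";"))):
        key, _, value = item.partition("=")
        attrs[key.strip()] = value.strip()
    if "name" not in attrs:
        raise ValueError("plugin line without name=")
    if not attrs["name"].startswith("/"):   # relative to /usr/lib/security/$ISA
        attrs["name"] = "/usr/lib/security/$ISA/" + attrs["name"]
    return attrs

def parse_audit_control(text):
    cfg = {"dir": [], "minfree": 0, "flags": "", "naflags": "", "plugin": []}
    for line in logical_lines(text):
        title, _, value = (s.strip() for s in line.partition(":"))
        if title == "dir":
            cfg["dir"].append(value)           # kept in file order
        elif title == "plugin":
            cfg["plugin"].append(parse_plugin(value))
        elif title == "minfree":
            cfg["minfree"] = int(value)        # default 0 if no line present
        elif title in ("flags", "naflags"):
            cfg[title] = value
        else:
            raise ValueError(f"unknown title {title!r}")
    return cfg
```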

       The audit flags line specifies the default system audit value. This value is combined with
       the user audit value read from audit_user(4) to form a user's process preselection mask.

       The  algorithm  for obtaining the process preselection mask is as follows: the audit flags
       from the flags: line in the audit_control file are added to the	flags  from  the  always-
       audit  field  in  the  user's entry in the audit_user file. The flags from the never-audit
       field from the user's entry in the audit_user file are then subtracted from the total:

	 user's process preselection mask =
	    (flags: line + always audit flags) - never audit flags

       The format of a flags line is:

	 flags: audit-flags

       where audit-flags specifies which event classes are to be audited. The character string
       representation of audit-flags contains a series of flag names, each one identifying a
       single audit class, separated by commas. A name preceded by `-' means that the class should
       be audited for failure only; successful attempts are not audited. A name preceded by `+'
       means that the class should be audited for success only; failing attempts are not audited.
       Without a prefix, the name indicates that the class is to be audited for both successes
       and failures. The special string all indicates that all events should be audited; -all
       indicates that all failed attempts are to be audited, and +all all successful attempts.
       The prefixes ^, ^-, and ^+ turn off flags specified earlier in the string (^- and ^+ for
       failing and successful attempts, ^ for both). They are typically used to reset flags.
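
       The preselection-mask algorithm and the -, +, ^, ^-, ^+ and all prefixes described above,
       as an added Python example that is not part of the man page or of Sun's code. CLASSES is
       a constructed subset of the classes defined in audit_class(4); each class carries the set
       of outcomes (success, failure) for which it is audited.

```python
# Added example (not Sun's code): compute a process preselection mask from a
# flags: line and the always/never-audit fields of audit_user(4). CLASSES is a
# constructed subset of the classes listed in audit_class(4).
CLASSES = ("lo", "ad", "fm", "fw", "fr", "ex")
SUCCESS, FAILURE = "success", "failure"

def parse_token(token):
    """Return (turn_off, outcomes, class_names) for one flag such as '^-fm'."""
    turn_off = token.startswith("^")     # ^, ^- and ^+ clear earlier flags
    body = token[1:] if turn_off else token
    if body.startswith("-"):
        outcomes, name = {FAILURE}, body[1:]       # failure only
    elif body.startswith("+"):
        outcomes, name = {SUCCESS}, body[1:]       # success only
    else:
        outcomes, name = {SUCCESS, FAILURE}, body  # both
    names = CLASSES if name == "all" else (name,)
    if any(n not in CLASSES for n in names):
        raise ValueError(f"unknown audit class in {token!r}")
    return turn_off, outcomes, names

def apply_flags(mask, flags):
    """Apply a comma-separated audit-flags string to mask, left to right."""
    for token in filter(None, flags.split(",")):
        turn_off, outcomes, names = parse_token(token)
        for name in names:
            current = mask.setdefault(name, set())
            if turn_off:
                current -= outcomes
            else:
                current |= outcomes
    return {k: v for k, v in mask.items() if v}   # drop classes left empty

def preselection_mask(flags_line, always, never):
    """(flags: line + always-audit flags) - never-audit flags."""
    mask = apply_flags(apply_flags({}, flags_line), always)
    for name, outcomes in apply_flags({}, never).items():
        if name in mask:
            mask[name] -= outcomes
    return {k: frozenset(v) for k, v in mask.items() if v}
```

       Running apply_flags on the Example 1 string lo,ad,-all,^-fm yields both outcomes for lo
       and ad, failure only for every other class, and nothing for fm.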

       The non-attributable flags line is similar to the flags line, but this one contains the
       audit flags that define what classes of events are audited when an action cannot be
       attributed to a specific user. The format of a naflags line is:

	 naflags: audit-flags

       The  flags  are	separated by commas, with no spaces. See audit_class(4) for a list of the
       predefined audit classes. Note that the classes are  configurable  as  also  described  in

       A line can be continued by appending a backslash (\).

       Example 1 Sample audit_control File for Specific Host

       The following is a sample /etc/security/audit_control file for the machine eggplant.

       The file's contents identify server jedgar with two file systems normally used for audit
       data, another server, global, used only when jedgar fills up or breaks, and specify that
       the warning script is run when the file systems are 80% filled. It also specifies that all
       logins and administrative operations are to be audited, whether or not they succeed. All
       failures except failures to access object attributes are to be audited.

	 dir: /etc/security/jedgar/eggplant
	 dir: /etc/security/jedgar.aux/eggplant
	 # Last-ditch audit file system when jedgar fills up.
	 dir: /etc/security/global/eggplant
	 minfree: 20
	 flags: lo,ad,-all,^-fm
	 naflags: lo,ad

       Example 2 Sample audit_control File for syslog and Local Storage

       Shown below is a sample /etc/security/audit_control file for syslog and local storage. For
       the binary log, the output is all lo and ad records, all failures  of  class  fm  and  any
       classes specified by means of audit_user(4). For syslog output, all lo records are output,
       only failure ad records are output, and no fm records are output.  The  specification  for
       the plugin is given in two lines.

	 dir: /etc/security/jedgar/eggplant
	 dir: /etc/security/jedgar.aux/eggplant
	 # Last-ditch audit file system when jedgar fills up.
	 dir: /etc/security/global/eggplant
	 minfree: 20
	 flags: lo,ad,-fm
	 naflags: lo,ad
	 plugin: name=audit_syslog.so;p_flags=lo,+ad;\

       Example 3 Overriding the Default Queue Size

       Shown  below is a sample /etc/security/audit_control file that overrides the default queue
       size for binary audit log file generation.

	 dir: /etc/security/jedgar/eggplant
	 dir: /etc/security/jedgar.aux/eggplant
	 # Last-ditch audit file system when jedgar fills up.
	 dir: /etc/security/global/eggplant
	 minfree: 20
	 flags: lo,ad,-fm
	 naflags: lo,ad
	 plugin: name=audit_binfile.so; qsize=256

       See attributes(5) for descriptions of the following attributes:

       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       |Interface Stability	     | Committed		   |

       audit(1M),  audit_warn(1M),  auditd(1M),  bsmconv(1M),	audit(2),   getfauditflags(3BSM),
       audit.log(4),  audit_class(4),  audit_user(4), attributes(5), audit_binfile(5), audit_sys-

       Part VII, Solaris Auditing, in System Administration Guide: Security Services

       Use of the plugin configuration line to include audit_syslog.so requires that
       /etc/syslog.conf be configured for audit data. See audit_syslog(5) for more details.

       Configuration changes do not affect audit sessions that are currently running, as the
       changes do not modify a process's preselection mask. To change the preselection mask on a
       running process, use the -setpmask option of the auditconfig command (see
       auditconfig(1M)). If the user logs out and logs back in, the new configuration changes will
       be reflected in the next audit session.

SunOS 5.11				   26 Jun 2008				 audit_control(4)
