Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-5.10)
Apropos / Subsearch:
optional field

audit_control(4)                 File Formats                 audit_control(4)

       audit_control - control information for system audit daemon


       The  audit_control  file  contains  audit  control  information used by
       auditd(1M). Each line consists of a title and a string, separated by  a
       colon.  There  are  no  restrictions on the order of lines in the file,
       although some lines must appear only once. A line beginning with `#' is
       a  comment.  A  line can be continued with the use of the backslash (\)
       convention. (See EXAMPLES.)

       Directory definition lines list the directories to be used when  creat-
       ing  audit files, in the order in which they are to be used. The format
       of a directory line is:


       directory-name is where the audit files  will  be  created.  Any  valid
       writable directory can be specified.

       The following configuration is recommended:


       where  server  is  the  name  of  a  central machine, since audit files
       belonging to different servers are usually stored in separate subdirec-
       tories  of a single audit directory. The naming convention normally has
       server be a directory on  a  server  machine,  and  all  clients  mount
       /etc/security/audit/server  at  the  same  location in their local file
       systems. If the same server exports several different file systems  for
       auditing, their server names will, of course, be different.

       There  are several other ways for audit data to be arranged: some sites
       may have needs more in line with storing each host's audit data in sep-
       arate  subdirectories.  The  audit  structure  used will depend on each
       individual site.

       The audit threshold line specifies the percentage of  free  space  that
       must  be  present in the file system containing the current audit file.
       The format of the threshold line is:


       where percentage is indicates the amount of  free  space  required.  If
       free  space  falls  below  this  threshold, the audit daemon auditd(1M)
       invokes the shell script audit_warn(1M). If no threshold is  specified,
       the default is 0%.

       The  plugin  definition line selects a plugin to be loaded by the audit
       daemon for processing audit records.

       The format of a plugin line is:

       plugin: keyword1=value1;keyword2=value2;

       The following keywords are defined:


           The value is the pathname of  the  plugin.  This  specification  is


           The  value is the maximum number of records to queue for audit data
           sent to the plugin. If omitted, the current hiwater mark  (see  the
           -getqctrl  of  auditconfig(1M))  is  used.  When  this  maximum  is
           reached, auditd will either block or discard data, depending on the
           audit policy cnt. See auditconfig(1M).


           A keyword with the prefix p_ is passed to the plugin defined by the
           value associated with the  name  attribute.  These  attributes  are
           defined  for  each  plugin.  By convention, if the value associated
           with a plugin attribute is a list, the  list  items  are  separated
           with commas.

       If  pathname  is a relative path (it does not start with /) the library
       path will be taken as  relative  to  /usr/lib/security/$ISA.  The  $ISA
       token  is  replaced  by  an  implementation-defined directory name that
       defines the path relative to the auditd(1M) instruction  set  architec-

       See   audit_syslog(5)   for   the   attributes   expected  for  plugin:

       No plugin specifier is required for generation of a binary  audit  log.
       However,  to  set a queue size of other than the default, a plugin line
       with name=audit_binfile.so can  be  used  as  described  in  audit_bin-

       You  must  specify  one  or  more  plugins.  (In the case of audit_bin-
       file.so, use of dir: or plugin: suffices.)

       The audit flags line specifies the default  system  audit  value.  This
       value  is combined with the user audit value read from audit_user(4) to
       form a user's process preselection mask.

       The algorithm for obtaining the process preselection mask  is  as  fol-
       lows:  the  audit  flags from the flags: line in the audit_control file
       are added to the flags from the always-audit field in the user's  entry
       in  the  audit_user file. The flags from the never-audit field from the
       user's entry in the audit_user file are then subtracted from the total:

       user's process preselection mask =
          (flags: line + always audit flags) - never audit flags

       The format of a flags line is:


       where audit-flags specifies which event classes are to be audited.  The
       character  string  representation  of  audit-flags contains a series of
       flag names, each one identifying a single  audit  class,  separated  by
       commas.  A  name preceded by `-' means that the class should be audited
       for failure only; successful attempts are not audited. A name  preceded
       by `+' means that the class should be audited for success only; failing
       attempts are not audited. Without a prefix, the name indicates that the
       class  is  to  be  audited for both successes and failures. The special
       string all indicates that all events should be audited; -all  indicates
       that  all  failed  attempts  are to be audited, and +all all successful
       attempts. The prefixes ^, ^-, and ^+ turn off flags  specified  earlier
       in  the  string  (^-  and ^+ for failing and successful attempts, ^ for
       both). They are typically used to reset flags.

       The non-attributable flags line is similar to the flags line, but  this
       one  contain  the  audit  flags  that define what classes of events are
       audited when an action cannot be attributed to  a  specific  user.  The
       format of a naflags line is:


       The  flags  are separated by commas, with no spaces. See audit_class(4)
       for a list of the predefined audit classes.  Note that the classes  are
       configurable as also described in audit_class(4).

       A line can be continued by appending a backslash (\).

       Example 1: Sample audit_control File for Specific Host

       The  following  is  a  sample  /etc/security/audit_control file for the
       machine eggplant.

       The file's contents identify server jedgar with two file  systems  nor-
       mally  used  for  audit  data,  another  server, global, used only when
       jedgar fills up or breaks, and specifies that the warning script is run
       when  the  file  systems  are  80%  filled.  It also specifies that all
       logins, administrative operations are to be  audited,  whether  or  not
       they  succeed. All failures except failures to access object attributes
       are to be audited.

       dir: /etc/security/jedgar/eggplant
       dir: /etc/security/jedgar.aux/eggplant
       # Last-ditch audit file system when jedgar fills up.
       dir: /etc/security/global/eggplant
       minfree: 20
       flags: lo,ad,-all,^-fm
       naflags: lo,ad

       Example 2: Sample audit_control File for syslog and Local Storage

       Shown below is a sample /etc/security/audit_control file for syslog and
       local storage. For the binary log, the output is all lo and ad records,
       all failures of  class  fm  and  any  classes  specified  by  means  of
       audit_user(4). For syslog output, all lo records are output, only fail-
       ure ad records are output, and no fm records are output. The specifica-
       tion for the plugin is given in two lines.

       dir: /etc/security/jedgar/eggplant
       dir: /etc/security/jedgar.aux/eggplant
       # Last-ditch audit file system when jedgar fills up.
       dir: /etc/security/global/eggplant
       minfree: 20
       flags: lo,ad,-fm
       naflags: lo,ad
       plugin: name=audit_syslog.so;p_flags=lo,+ad;\

       Example 3: Overriding the Default Queue Size

       Shown below is a sample /etc/security/audit_control file that overrides
       the default queue size for binary audit log file generation.

       dir: /etc/security/jedgar/eggplant
       dir: /etc/security/jedgar.aux/eggplant
       # Last-ditch audit file system when jedgar fills up.
       dir: /etc/security/global/eggplant
       minfree: 20
       flags: lo,ad,-fm
       naflags: lo,ad
       plugin: name=audit_binfile.so; qsize=256





       See attributes(5) for descriptions of the following attributes:

       tab()    allbox;    cw(2.750000i)|     cw(2.750000i)     lw(2.750000i)|
       lw(2.750000i).    ATTRIBUTE  TYPEATTRIBUTE  VALUE  Interface  Stability

       audit(1M), audit_warn(1M), auditd(1M), bsmconv(1M),  audit(2),  getfau-
       ditflags(3BSM),     audit.log(4),     audit_class(4),    audit_user(4),
       attributes(5), audit_binfile(5), audit_syslog(5)

       Use  of  the  plugin  configuration  line  to  include  audit_syslog.so
       requires  that  /etc/syslog.conf  be  configured  for  audit  data. See
       audit_syslog(5) for more details.

SunOS 5.10                        20 Mar 2003                 audit_control(4)