audit_control - control information for system audit daemon
The audit_control file contains audit control information
used by auditd(1M). Each line consists of a title and a
string, separated by a colon. There are no restrictions on
the order of lines in the file, although some lines must
appear only once. A line beginning with `#' is a comment.
Directory definition lines list the directories to be used
when creating audit files, in the order in which they are to
be used. The format of a directory line is:
directory-name is where the audit files will be created. Any
valid writable directory can be specified.
The following configuration is recommended:
where server is the name of a central machine, since audit
files belonging to different servers are usually stored in
separate subdirectories of a single audit directory. The
naming convention normally has server be a directory on a
server machine, and all clients mount
/etc/security/audit/server at the same location in their
local file systems. If the same server exports several dif-
ferent file systems for auditing, their server names will,
of course, be different.
There are several other ways for audit data to be arranged:
some sites may have needs more in line with storing each
host's audit data in separate subdirectories. The audit
structure used will depend on each individual site.
The audit threshold line specifies the percentage of free
space that must be present in the file system containing the
current audit file. The format of the threshold line is:
where percentage is indicates the amount of free space
required. If free space falls below this threshold, the
audit daemon auditd(1M) invokes the shell script
audit_warn(1M). If no threshold is specified, the default is
The audit flags line specifies the default system audit
value. This value is combined with the user audit value read
from audit_user(4) to form a user's process preselection
The algorithm for obtaining the process preselection mask is
as follows: the audit flags from the flags: line in the
audit_control file are added to the flags from the always-
audit field in the user's entry in the audit_user file. The
flags from the never-audit field from the user's entry in
the audit_user file are then subtracted from the total:
user's process preselection mask =
(flags: line + always audit flags) - never audit flags
The format of a flags line is:
where audit-flags specifies which event classes are to be
audited. The character string representation of audit-flags
contains a series of flag names, each one identifying a sin-
gle audit class, separated by commas. A name preceded by `-'
means that the class should be audited for failure only;
successful attempts are not audited. A name preceded by `+'
means that the class should be audited for success only;
failing attempts are not audited. Without a prefix, the name
indicates that the class is to be audited for both successes
and failures. The special string all indicates that all
events should be audited; -all indicates that all failed
attempts are to be audited, and +all all successful
attempts. The prefixes ^, ^-, and ^+ turn off flags speci-
fied earlier in the string (^- and ^+ for failing and suc-
cessful attempts, ^ for both). They are typically used to
The non-attributable flags line is similar to the flags
line, but this one contain the audit flags that define what
classes of events are audited when an action cannot be
attributed to a specific user. The format of a naflags line
The flags are separated by commas, with no spaces.
The following table lists the predefined audit classes:
Short name Long name Short description
no no_class Null value for turning off event
fr file_read Read of data, open for
fw file_write Write of data, open for
fa file_attr_ac Access of object attributes:
stat, pathconf, etc.
fm file_attr_mod Change of object attributes:
chown, flock, etc.
fc file_creation Creation of object
fd file_deletion Deletion of object
cl file_close close(2) system call
pc process Process operations; meta-class
ps proc_start_stop Process start/stop: fork, exec,
pm proc_modify Process modify: kill,
nt network Network events: bind,
connect, accept, etc.
ip ipc System V IPC operations
na non_attrib Non-attributable events
ad old administrative Administrative actions: meta-class
am administrative Administration actions: meta-class
ss system_state Change of system state: halt,
as admin_system System-wide administration:
mount, exportfs, etc.
ua admin_user User administration: allocate,
create user, etc.
aa audit_use Normal use of audit system:
getaudit, auditon - get
lo login_logout Login and logout events
ap application Application auditing
io ioctl ioctl(2) system call
ex exec exec(2) system call
ot other Everything else
all all All flags set
The classes are configurable, see audit_class(4).
Example 1: Using an /etc/security/audit_control File
The following is a sample /etc/security/audit_control file
for the machine eggplant.
This identifies server jedgar with two file systems normally
used for audit data, another server global used only when
jedgar fills up or breaks, and specifies that the warning
script is run when the file systems are 80% filled. It also
specifies that all logins, administrative operations are to
be audited, whether or not they succeed. All failures except
failures to access object attributes are to be audited.
# Last-ditch audit file system when jedgar fills up.
See attributes(5) for descriptions of the following attri-
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
| Interface Stability | See below |
The file format stability is evolving. The file content is
audit(1M), audit_warn(1M), auditd(1M), bsmconv(1M),
audit(2), getfauditflags(3BSM), audit.log(4),
This functionality is available only if the Basic Security
Module (BSM) has been enabled. See bsmconv(1M) for more
Man(1) output converted with