audit_control - control information for system audit daemon




     The audit_control file contains  audit  control  information
     used  by  auditd(1M).  Each  line  consists of a title and a
     string, separated by a colon. There are no  restrictions  on
     the  order  of  lines  in the file, although some lines must
     appear only once. A line beginning with `#' is a comment.

     Directory definition lines list the directories to  be  used
     when creating audit files, in the order in which they are to
     be used. The format of a directory line is:

     dir:directory-name

     directory-name is where the audit files will be created. Any
     valid writable directory can be specified.

     The following configuration is recommended:


     where server is the name of a central machine,  since  audit
     files  belonging  to different servers are usually stored in
     separate subdirectories of a  single  audit  directory.  The
     naming  convention  normally  has server be a directory on a
     server     machine,     and      all      clients      mount
     /etc/security/audit/server  at  the  same  location in their
     local file systems. If the same server exports several  dif-
     ferent  file  systems for auditing, their server names will,
     of course, be different.

     There are several other ways for audit data to be  arranged:
     some  sites  may  have  needs more in line with storing each
     host's audit data  in  separate  subdirectories.  The  audit
     structure used will depend on each individual site.

     The audit threshold line specifies the  percentage  of  free
     space that must be present in the file system containing the
     current audit file. The format of the threshold line is:

     minfree:percentage

     where percentage indicates the amount of free space
     required.  If  free  space  falls  below this threshold, the
     audit   daemon   auditd(1M)   invokes   the   shell   script
     audit_warn(1M). If no threshold is specified, the default is

     The audit flags line  specifies  the  default  system  audit
     value. This value is combined with the user audit value read
     from audit_user(4) to form  a  user's  process  preselection
     mask.

     The algorithm for obtaining the process preselection mask is
     as  follows:  the  audit  flags  from the flags: line in the
     audit_control file are added to the flags from  the  always-
     audit  field in the user's entry in the audit_user file. The
     flags from the never-audit field from the  user's  entry  in
     the audit_user file are then subtracted from the total:

     user's process preselection mask =
        (flags: line + always audit flags) - never audit flags

     The format of a flags line is:

     flags:audit-flags

     where audit-flags specifies which event classes  are  to  be
     audited.  The character string representation of audit-flags
     contains a series of flag names, each one identifying a sin-
     gle audit class, separated by commas. A name preceded by `-'
     means that the class should be  audited  for  failure  only;
     successful  attempts are not audited. A name preceded by `+'
     means that the class should be  audited  for  success  only;
     failing attempts are not audited. Without a prefix, the name
     indicates that the class is to be audited for both successes
     and  failures.  The  special  string  all indicates that all
     events should be audited; -all  indicates  that  all  failed
     attempts   are  to  be  audited,  and  +all  all  successful
     attempts. The prefixes ^, ^-, and ^+ turn off  flags  speci-
     fied  earlier  in the string (^- and ^+ for failing and suc-
     cessful attempts, ^ for both). They are  typically  used  to
     reset flags.

     The non-attributable flags line  is  similar  to  the  flags
     line,  but this one contains the audit flags that define what
     classes of events are  audited  when  an  action  cannot  be
     attributed  to a specific user. The format of a naflags line
     is:

     naflags:audit-flags

     The flags are separated by commas, with no spaces.

     The following table lists the predefined audit classes:

     Short name        Long name           Short description

     no                no_class            Null value for turning off event
     fr                file_read           Read of data, open for
                                             reading, etc.
     fw                file_write          Write of data, open for
                                             writing, etc.
     fa                file_attr_ac        Access of object attributes:
                                             stat, pathconf, etc.
     fm                file_attr_mod       Change of object attributes:
                                             chown, flock, etc.
     fc                file_creation       Creation of object
     fd                file_deletion       Deletion of object
     cl                file_close          close(2) system call
     pc                process             Process operations; meta-class
                                             for pm,ps
     ps                proc_start_stop     Process start/stop: fork, exec,
                                             exit, etc.
     pm                proc_modify         Process modify: kill,
                                             setpriority, etc.
     nt                network             Network events: bind,
                                             connect, accept, etc.
     ip                ipc                 System V IPC operations
     na                non_attrib          Non-attributable events
     ad                old administrative  Administrative actions: meta-class
                                             for ss,as,ua,aa
     am                administrative      Administration actions: meta-class
                                             for ss,as,ua
     ss                system_state        Change of system state: halt,
                                             reboot, etc.
     as                admin_system        System-wide administration:
                                             mount, exportfs, etc.
     ua                admin_user          User administration: allocate,
                                            create user, etc.
     aa                audit_use           Normal use of audit system:
                                             getaudit, auditon - get
                                             policy, etc.
     lo                login_logout        Login and logout events
     ap                application         Application auditing
     io                ioctl               ioctl(2) system call
     ex                exec                exec(2)  system call
     ot                other               Everything else
     all               all                 All flags set

     The classes are configurable, see audit_class(4).


     Example 1: Using an /etc/security/audit_control File

     The following is a sample  /etc/security/audit_control  file
     for the machine eggplant.

     This identifies server jedgar with two file systems normally
     used  for  audit  data, another server global used only when
     jedgar fills up or breaks, and specifies  that  the  warning
     script  is  run  when the file systems are 80% filled (free
     space below minfree: 20). It also specifies that all  logins
     and administrative operations are to be audited, whether  or
     not they succeed. All failures are to be audited except fail-
     ed changes of object attributes (class fm), which ^-fm  turns
     off again after -all has selected it.

     dir: /etc/security/jedgar/eggplant
     dir: /etc/security/jedgar.aux/eggplant
     # Last-ditch audit file system when jedgar fills up.
     dir: /etc/security/global/eggplant
     minfree: 20
     flags: lo,ad,-all,^-fm
     naflags: lo,ad
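     The title:string layout of the file, the audit-flags syntax (+, -,
     ^, ^-, ^+, all) and the preselection-mask rule described above,
     applied to the Example 1 file, as an added Python example that is
     not part of this man page and not Solaris BSM code. The sample file
     is the eggplant file from Example 1 embedded as a string; the
     audit_user values used (always-audit "ex", never-audit "-fa") and
     the block counts passed to the minfree check are constructed for
     illustration. Treating "no" as an empty class set and leaving it
     out of "all" are assumptions of this example, not statements about
     the real audit_class(4) table.

```python
"""Added example (not part of audit_control(4) and not Sun's code): parse an
audit_control file, evaluate audit-flags strings, and compute the process
preselection mask  (flags: line + always-audit) - never-audit."""
import re

# Short class names from the table on this page, in table order.  'all' is the
# meta-name expanding to every class here; 'no' is read as an empty value
# (assumption for this example).
CLASSES = ["fr", "fw", "fa", "fm", "fc", "fd", "cl", "pc", "ps", "pm", "nt",
           "ip", "na", "ad", "am", "ss", "as", "ua", "aa", "lo", "ap", "io",
           "ex", "ot"]

# Constructed sample input: the eggplant file from Example 1.
SAMPLE = """\
dir: /etc/security/jedgar/eggplant
dir: /etc/security/jedgar.aux/eggplant
# Last-ditch audit file system when jedgar fills up.
dir: /etc/security/global/eggplant
minfree: 20
flags: lo,ad,-all,^-fm
naflags: lo,ad
"""


def parse_audit_control(text):
    """Return {'dir': [...], 'minfree': int, 'flags': str, 'naflags': str}.
    Each line is title:string, '#' starts a comment, dir: may repeat (order is
    the order directories are used), the other titles may appear only once."""
    conf = {"dir": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected title:string")
        title, value = (s.strip() for s in line.split(":", 1))
        if title == "dir":
            conf["dir"].append(value)
        elif title in ("minfree", "flags", "naflags"):
            if title in conf:
                raise ValueError(f"line {lineno}: duplicate {title}: line")
            conf[title] = int(value) if title == "minfree" else value
        else:
            raise ValueError(f"line {lineno}: unknown title {title!r}")
    return conf


def parse_flags(spec):
    """Evaluate an audit-flags string left to right into two sets: classes
    audited for success and classes audited for failure.  No prefix selects
    both, '+' success only, '-' failure only; '^', '^+', '^-' clear what an
    earlier token selected; 'all' expands to every class."""
    success, failure = set(), set()
    for tok in filter(None, spec.split(",")):
        m = re.fullmatch(r"(\^?)([+-]?)([a-z_]+)", tok)
        if not m:
            raise ValueError(f"bad flag token {tok!r}")
        clear, sign, name = m.groups()
        if name == "all":
            names = set(CLASSES)
        elif name == "no":
            names = set()
        elif name in CLASSES:
            names = {name}
        else:
            raise ValueError(f"unknown audit class {name!r}")
        targets = []
        if sign != "-":
            targets.append(success)
        if sign != "+":
            targets.append(failure)
        for s in targets:
            (s.difference_update if clear else s.update)(names)
    return success, failure


def preselection_mask(flags_line, always_audit, never_audit):
    """(flags: line + always-audit flags) - never-audit flags, applied to the
    success and failure halves separately, so a never-audit entry of '+lo'
    removes only successful logins."""
    fs, ff = parse_flags(flags_line)
    as_, af = parse_flags(always_audit)
    ns, nf = parse_flags(never_audit)
    return (fs | as_) - ns, (ff | af) - nf


def mask_to_string(success, failure):
    """Render a mask back in audit-flags syntax, in table order."""
    out = []
    for c in CLASSES:
        if c in success and c in failure:
            out.append(c)
        elif c in success:
            out.append("+" + c)
        elif c in failure:
            out.append("-" + c)
    return ",".join(out)


def audit_warn_needed(minfree, blocks_free, blocks_total):
    """The minfree check: audit_warn is run when free space in the file system
    holding the current audit file drops below minfree percent."""
    return 100.0 * blocks_free / blocks_total < minfree


if __name__ == "__main__":
    conf = parse_audit_control(SAMPLE)
    print(conf)
    # Constructed audit_user entry: always-audit "ex", never-audit "-fa".
    s, f = preselection_mask(conf["flags"], "ex", "-fa")
    print(mask_to_string(s, f))
```

     Running it prints the parsed file and a mask in which ad, lo and ex
     are audited for both outcomes and every other class except fa and
     fm for failures only, which is what the prose for Example 1 says
     the flags line plus that user entry should yield.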







     See attributes(5) for descriptions of the  following  attributes:

    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    | Interface Stability         |  See below                  |

     The file format stability is evolving. The file  content  is


     audit(1M),    audit_warn(1M),    auditd(1M),    bsmconv(1M),
     audit(2),         getfauditflags(3BSM),        audit.log(4),
     audit_class(4), audit_user(4)


     This functionality is available only if the  Basic  Security
     Module  (BSM)  has  been  enabled.  See bsmconv(1M) for more
