All configuration files for security audit are found in /etc/security. The following files must be present before the audit daemon is started:
audit_class - Contains the definitions of the audit classes.
audit_control - Controls aspects of the audit subsystem, such as default audit classes, minimum disk space to leave on the audit log volume, maximum audit trail size, etc.
audit_event - Textual names and descriptions of system audit events, as well as a list of which classes each event is in.
audit_user - User-specific audit requirements, which are combined with the global defaults at login.
audit_warn - A customizable shell script used by auditd(8) to generate warning messages in exceptional situations, such as when space for audit records is running low or when the audit trail file has been rotated.
Audit configuration files should be edited and maintained carefully, as errors in configuration may result in improper logging of events.
Selection expressions are used in a number of places in the audit configuration to determine which events should be audited. Expressions contain a list of event classes to match, each with a prefix indicating whether matching records should be accepted or ignored, and optionally to indicate if the entry is intended to match successful or failed operations. Selection expressions are evaluated from left to right, and two expressions are combined by appending one onto the other.
The following list contains the default audit event classes present in audit_class:
all - all - Match all event classes.
ad - administrative - Administrative actions performed on the system as a whole.
ap - application - Application defined action.
cl - file close - Audit calls to the close system call.
ex - exec - Audit program execution. Auditing of command line arguments and environmental variables is controlled via audit_control(5) using the argv and envv parameters to the policy setting.
fa - file attribute access - Audit the access of object attributes such as stat(1), pathconf(2) and similar events.
fc - file create - Audit events where a file is created as a result.
fd - file delete - Audit events where file deletion occurs.
fm - file attribute modify - Audit events where file attribute modification occurs, such as chown(8), chflags(1), flock(2), etc.
fr - file read - Audit events in which data is read, files are opened for reading, etc.
fw - file write - Audit events in which data is written, files are written or modified, etc.
io - ioctl - Audit use of the ioctl(2) system call.
ip - ipc - Audit various forms of Inter-Process Communication, including POSIX pipes and System V IPC operations.
lo - login_logout - Audit login(1) and logout(1) events occurring on the system.
na - non attributable - Audit non-attributable events.
no - invalid class - Match no audit events.
nt - network - Audit events related to network actions, such as connect(2) and accept(2).
ot - other - Audit miscellaneous events.
pc - process - Audit process operations, such as exec(3) and exit(3).
These audit event classes may be customized by modifying the audit_class and audit_event configuration files.
Each audit class in the list is combined with a prefix indicating whether successful/failed operations are matched, and whether the entry is adding or removing matching for the class and type.
(none)  Audit both successful and failed instances of the event.
+  Audit successful events in this class.
-  Audit failed events in this class.
^  Audit neither successful nor failed events in this class.
^+  Do not audit successful events in this class.
^-  Do not audit failed events in this class.
The following example selection string selects both successful and failed login/logout events, but only successful execution events:
In most cases, administrators will need to modify only two files when configuring the audit system: audit_control and audit_user. The first controls system-wide audit properties and policies; the second may be used to fine-tune auditing by user.
A number of defaults for the audit subsystem are specified in audit_control:
The dir entry is used to set one or more directories where audit logs will be stored. If more than one directory entry appears, they will be used in order as they fill. It is common to configure audit so that audit logs are stored on a dedicated file system, in order to prevent interference between the audit subsystem and other subsystems if the file system fills.
The flags field sets the system-wide default preselection mask for attributable events. In the example above, successful and failed login and logout events are audited for all users.
The minfree entry defines the minimum percentage of free space for the file system where the audit trail is stored. When free space drops below this threshold, a warning will be generated. The above example sets the minimum free space to twenty percent.
The naflags entry specifies audit classes to be audited for non-attributed events, such as the login process and system daemons.
The policy entry specifies a comma-separated list of policy flags controlling various aspects of audit behavior. The default cnt flag indicates that the system should continue running despite an auditing failure (this flag is highly recommended). Another commonly used flag is argv, which causes command line arguments to the execve(2) system call to be audited as part of command execution.
The filesz entry specifies the maximum size in bytes to allow an audit trail file to grow to before automatically terminating and rotating the trail file. The default, 0, disables automatic log rotation. If the requested file size is non-zero and below the minimum 512k, it will be ignored and a log message will be generated.
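As an added illustration (not code from the Handbook or from FreeBSD itself), here is a small parser for the audit_control key:value format described above. It applies the rules the text states: dir entries are kept in the order given, minfree is a percentage, policy is a comma-separated flag list, filesz 0 disables rotation, and a non-zero filesz below 512k is ignored with a warning. The dir value in the constructed sample is an assumption.

```python
MIN_FILESZ = 512 * 1024  # the 512k floor the text describes

def parse_audit_control(text):
    """Return (settings, warnings) for the body of an audit_control file."""
    cfg = {"dir": [], "flags": "", "naflags": "", "minfree": 0,
           "policy": [], "filesz": 0}
    warnings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            warnings.append(f"line {lineno}: missing ':' separator")
        elif key == "dir":
            cfg["dir"].append(value)   # directories are used in order as they fill
        elif key in ("flags", "naflags"):
            cfg[key] = value           # selection expressions, kept verbatim
        elif key == "policy":
            cfg["policy"] = [p.strip() for p in value.split(",") if p.strip()]
        elif key == "minfree":
            pct = int(value)
            if 0 <= pct <= 100:
                cfg["minfree"] = pct
            else:
                warnings.append(f"line {lineno}: minfree {pct} is not a percentage")
        elif key == "filesz":
            size = int(value)          # bytes, as the text describes
            if size != 0 and size < MIN_FILESZ:
                warnings.append(f"line {lineno}: filesz {size} below 512k, ignored")
            else:
                cfg["filesz"] = size
        else:
            warnings.append(f"line {lineno}: unknown key {key!r}")
    if "cnt" not in cfg["policy"]:
        warnings.append("policy lacks cnt (recommended: keep running on audit failure)")
    return cfg, warnings

# Constructed sample: the defaults the text describes, plus a filesz that is
# too small to be honoured. The dir path is an assumption.
SAMPLE_CONTROL = "dir:/var/audit\nflags:lo\nminfree:20\nnaflags:lo\npolicy:cnt\nfilesz:4096\n"
```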
The administrator can specify further audit requirements for specific users in audit_user. Each line configures auditing for a user via two fields: the first is the alwaysaudit field, which specifies a set of events that should always be audited for the user, and the second is the neveraudit field, which specifies a set of events that should never be audited for the user.
The following example audit_user audits login/logout events and successful command execution for root, and audits file creation and successful command execution for www. If used with the above example audit_control, the lo entry for root is redundant, and login/logout events will also be audited for www.
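The selection-expression syntax described earlier (class prefixes, left-to-right evaluation, expressions combined by appending) and the audit_user example just described, worked through as an added example that is not the Handbook's or FreeBSD's own code. The combining rule (global flags, then the user's alwaysaudit, then removing neveraudit) is an assumption drawn from the text, not auditd's actual implementation.

```python
DEFAULT_CLASSES = {"ad", "ap", "cl", "ex", "fa", "fc", "fd", "fm", "fr",
                   "fw", "io", "ip", "lo", "na", "nt", "ot", "pc"}

def apply_expression(expr, mask=None, classes=DEFAULT_CLASSES):
    """Apply a selection expression, left to right, to a (success, failure)
    pair of class sets. Returns the resulting pair."""
    success = set() if mask is None else set(mask[0])
    failure = set() if mask is None else set(mask[1])
    for item in filter(None, (t.strip() for t in expr.split(","))):
        remove = item.startswith("^")            # ^ prefix removes matching
        body = item[1:] if remove else item
        which = "both"                           # no +/-: success and failure
        if body[:1] in ("+", "-"):
            which = "success" if body[0] == "+" else "failure"
            body = body[1:]
        if body == "no":                         # invalid class: matches nothing
            continue
        if body != "all" and body not in classes:
            raise ValueError(f"unknown audit class {body!r}")
        targets = set(classes) if body == "all" else {body}
        for name, chosen in (("success", success), ("failure", failure)):
            if which not in ("both", name):
                continue
            if remove:
                chosen.difference_update(targets)
            else:
                chosen.update(targets)
    return success, failure

def effective_user_mask(flags, alwaysaudit, neveraudit):
    """Assumed combination: audit_control flags, plus the user's alwaysaudit,
    minus whatever the user's neveraudit selects."""
    mask = apply_expression(flags)
    mask = apply_expression(alwaysaudit, mask)
    never_success, never_failure = apply_expression(neveraudit)
    return mask[0] - never_success, mask[1] - never_failure

# Constructed audit_user entries matching the description above:
# user -> (alwaysaudit, neveraudit)
AUDIT_USER = {"root": ("lo,+ex", "no"), "www": ("fc,+ex", "no")}
```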
All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/