audit_control(4)              File Formats             audit_control(4)

NAME
     audit_control - control information for system audit daemon

SYNOPSIS
     /etc/security/audit_control

DESCRIPTION
     The audit_control file contains audit control information used by
     auditd(1M). Each line consists of a title and a string, separated by a
     colon. There are no restrictions on the order of lines in the file,
     although some lines must appear only once. A line beginning with `#' is
     a comment. A line can be continued with the use of the backslash (\)
     convention. (See EXAMPLES.)

     Directory definition lines list the directories to be used when
     creating audit files, in the order in which they are to be used. The
     format of a directory line is:

          dir:directory-name

     directory-name is where the audit files will be created. Any valid
     writable directory can be specified.

     The following configuration is recommended:

          /etc/security/audit/server/files

     where server is the name of a central machine, since audit files
     belonging to different servers are usually stored in separate
     subdirectories of a single audit directory. The naming convention
     normally has server be a directory on a server machine, and all clients
     mount /etc/security/audit/server at the same location in their local
     file systems. If the same server exports several different file systems
     for auditing, their server names will, of course, be different.

     There are several other ways for audit data to be arranged: some sites
     may have needs more in line with storing each host's audit data in
     separate subdirectories. The audit structure used will depend on each
     individual site.

     The audit threshold line specifies the percentage of free space that
     must be present in the file system containing the current audit file.
     The format of the threshold line is:

          minfree:percentage

     where percentage indicates the amount of free space required. If free
     space falls below this threshold, the audit daemon auditd(1M) invokes
     the shell script audit_warn(1M). If no threshold is specified, the
     default is 0%.

     The plugin definition line selects a plugin to be loaded by the audit
     daemon for processing audit records.

     The format of a plugin line is:

          plugin: keyword1=value1;keyword2=value2;

     The following keywords are defined:

     name      The value is the pathname of the plugin. This specification is
               required.

     qsize     The value is the maximum number of records to queue for audit
               data sent to the plugin. If omitted, the current hiwater mark
               (see the -getqctrl option of auditconfig(1M)) is used. When
               this maximum is reached, auditd will either block or discard
               data, depending on the audit policy cnt. See auditconfig(1M).

     p_*       A keyword with the prefix p_ is passed to the plugin defined
               by the value associated with the name attribute. These
               attributes are defined for each plugin. By convention, if the
               value associated with a plugin attribute is a list, the list
               items are separated with commas.

     If pathname is a relative path (it does not start with /) the library
     path will be taken as relative to /usr/lib/security/$ISA. The $ISA
     token is replaced by an implementation-defined directory name that
     defines the path relative to the auditd(1M) instruction set
     architecture.

     See audit_syslog(5) for the attributes expected for plugin:
     name=audit_syslog.so.

     No plugin specifier is required for generation of a binary audit log.
     However, to set a queue size of other than the default, a plugin line
     with name=audit_binfile.so can be used as described in
     audit_binfile(5).

     You must specify one or more plugins. (In the case of audit_binfile.so,
     use of dir: or plugin: suffices.)

     The audit flags line specifies the default system audit value. This
     value is combined with the user audit value read from audit_user(4) to
     form a user's process preselection mask.

     The algorithm for obtaining the process preselection mask is as
     follows: the audit flags from the flags: line in the audit_control file
     are added to the flags from the always-audit field in the user's entry
     in the audit_user file. The flags from the never-audit field from the
     user's entry in the audit_user file are then subtracted from the total:

          user's process preselection mask =
               (flags: line + always audit flags) - never audit flags

     The format of a flags line is:

          flags:audit-flags

     where audit-flags specifies which event classes are to be audited. The
     character string representation of audit-flags contains a series of
     flag names, each one identifying a single audit class, separated by
     commas. A name preceded by `-' means that the class should be audited
     for failure only; successful attempts are not audited. A name preceded
     by `+' means that the class should be audited for success only; failing
     attempts are not audited. Without a prefix, the name indicates that the
     class is to be audited for both successes and failures. The special
     string all indicates that all events should be audited; -all indicates
     that all failed attempts are to be audited, and +all all successful
     attempts. The prefixes ^, ^-, and ^+ turn off flags specified earlier
     in the string (^- and ^+ for failing and successful attempts, ^ for
     both). They are typically used to reset flags.

     The non-attributable flags line is similar to the flags line, but this
     one contains the audit flags that define what classes of events are
     audited when an action cannot be attributed to a specific user. The
     format of a naflags line is:

          naflags:audit-flags

     The flags are separated by commas, with no spaces. See audit_class(4)
     for a list of the predefined audit classes. Note that the classes are
     configurable as also described in audit_class(4).

     A line can be continued by appending a backslash (\).

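     The flags syntax, the preselection-mask arithmetic and the backslash
     continuation described above, worked through as an added Python example
     (not part of this man page or of Solaris auditd): it parses an
     audit_control file, expands an audit-flags string into success and
     failure sets, and applies (flags: line + always audit) - never audit.
     The class table CLASSES and the SAMPLE file are constructed for the
     example; a real system takes its class names from audit_class(4).

```python
# Added example (not from the man page): parse audit_control(4) syntax and
# compute a process preselection mask as the DESCRIPTION describes.
# CLASSES is a constructed stand-in for audit_class(4); real sites define
# many more classes, so "all" here means "all of these three".
CLASSES = {"lo", "ad", "fm"}

# Constructed sample in the style of Example 2 (comment + backslash continuation).
SAMPLE = """\
dir: /etc/security/jedgar/eggplant
# Last-ditch audit file system when jedgar fills up.
dir: /etc/security/global/eggplant
minfree: 20
flags: lo,ad,-fm
plugin: name=audit_syslog.so;p_flags=lo,+ad;\\
qsize=512
"""

def parse_audit_control(text):
    """Return {title: [values]}; honours '#' comments and trailing-backslash continuation."""
    entries, carry = {}, ""
    for raw in text.splitlines():
        line = carry + (raw.lstrip() if carry else raw)
        if line.endswith("\\"):            # logical line continues on the next one
            carry = line[:-1]
            continue
        carry, line = "", line.strip()
        if not line or line.startswith("#"):
            continue
        title, _, value = line.partition(":")
        entries.setdefault(title.strip(), []).append(value.strip())
    return entries

def parse_flags(spec):
    """Expand 'lo,ad,-all,^-fm' into (success, failure) sets of audited classes."""
    success, failure = set(), set()
    for tok in filter(None, spec.replace("\u2212", "-").split(",")):
        off = tok.startswith("^")          # ^, ^+, ^- turn earlier flags off
        tok = tok[1:] if off else tok
        sign = tok[0] if tok[:1] in ("+", "-") else ""   # + success only, - failure only
        tok = tok[len(sign):]
        classes = CLASSES if tok == "all" else {tok}
        for target, mark in ((success, "+"), (failure, "-")):
            if sign in ("", mark):
                (target.difference_update if off else target.update)(classes)
    return success, failure

def preselection_mask(flags_line, always_audit, never_audit):
    """(flags: line + always-audit flags) - never-audit flags, as in audit_user(4)."""
    (fs, ff), (as_, af), (ns, nf) = map(parse_flags, (flags_line, always_audit, never_audit))
    return (fs | as_) - ns, (ff | af) - nf
```

     Running parse_flags on Example 1's "lo,ad,-all,^-fm" yields failures for
     every class except fm, which is exactly the behaviour that example's
     text describes.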
EXAMPLES
     Example 1 Sample audit_control File for Specific Host

     The following is a sample /etc/security/audit_control file for the
     machine eggplant.

     The file's contents identify server jedgar with two file systems
     normally used for audit data, another server, global, used only when
     jedgar fills up or breaks, and specify that the warning script is run
     when the file systems are 80% filled. They also specify that all
     logins and administrative operations are to be audited, whether or not
     they succeed. All failures except failures to access object attributes
     are to be audited.

          dir: /etc/security/jedgar/eggplant
          dir: /etc/security/jedgar.aux/eggplant
          #
          # Last-ditch audit file system when jedgar fills up.
          #
          dir: /etc/security/global/eggplant
          minfree: 20
          flags: lo,ad,-all,^-fm
          naflags: lo,ad

     Example 2 Sample audit_control File for syslog and Local Storage

     Shown below is a sample /etc/security/audit_control file for syslog and
     local storage. For the binary log, the output is all lo and ad records,
     all failures of class fm and any classes specified by means of
     audit_user(4). For syslog output, all lo records are output, only
     failure ad records are output, and no fm records are output. The
     specification for the plugin is given in two lines.

          dir: /etc/security/jedgar/eggplant
          dir: /etc/security/jedgar.aux/eggplant
          #
          # Last-ditch audit file system when jedgar fills up.
          #
          dir: /etc/security/global/eggplant
          minfree: 20
          flags: lo,ad,-fm
          naflags: lo,ad
          plugin: name=audit_syslog.so;p_flags=lo,+ad;\
                  qsize=512

     Example 3 Overriding the Default Queue Size

     Shown below is a sample /etc/security/audit_control file that overrides
     the default queue size for binary audit log file generation.

          dir: /etc/security/jedgar/eggplant
          dir: /etc/security/jedgar.aux/eggplant
          #
          # Last-ditch audit file system when jedgar fills up.
          #
          dir: /etc/security/global/eggplant
          minfree: 20
          flags: lo,ad,-fm
          naflags: lo,ad
          plugin: name=audit_binfile.so; qsize=256

FILES
     /etc/security/audit_control

     /etc/security/audit_warn

     /etc/security/audit/*/*/*

     /etc/security/audit_user

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     ┌─────────────────────────────┬─────────────────────────────┐
     │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
     ├─────────────────────────────┼─────────────────────────────┤
     │Interface Stability          │Obsolete Committed           │
     └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
     audit(1M), audit_warn(1M), auditd(1M), bsmconv(1M), audit(2),
     getfauditflags(3BSM), audit.log(4), audit_class(4), audit_user(4),
     attributes(5), audit_binfile(5), audit_syslog(5)

     Part VII, Solaris Auditing, in System Administration Guide: Security
     Services

NOTES
     Use of the plugin configuration line to include audit_syslog.so
     requires that /etc/syslog.conf be configured for audit data. See
     audit_syslog(5) for more details.

     Configuration changes do not affect audit sessions that are currently
     running, as the changes do not modify a process's preselection mask. To
     change the preselection mask on a running process, use the -setpmask
     option of the auditconfig command (see auditconfig(1M)). If the user
     logs out and logs back in, the new configuration changes will be
     reflected in the next audit session.

     This file is Obsolete and may be removed and replaced with equivalent
     functionality in a future release of Solaris.

SunOS 5.11                      16 Apr 2009                  audit_control(4)