Manual page for AUDIT_CONTROL(5)
audit_control - control information for system audit daemon
SYNOPSIS
/etc/security/audit/audit_control
DESCRIPTION
The audit_control file contains audit control information read by auditd(8). Each line consists of a title and a string, separated by a colon. There are no restrictions on the order of lines in the file, although some lines must appear only once. A line beginning with `#' is a comment.
Directory definition lines list the directories to be used when creating audit files, in the order in which they are to be used. The format of a directory line is:

    dir: directory-name

where directory-name is the name of a directory in which to create audit files, with the form:

    /etc/security/audit/server/machine

where server is the name of an audit file system on the machine where this audit directory resides, and machine is the name of the local machine, since audit files belonging to different machines are, by convention, stored in separate subdirectories of a single audit directory. The naming convention normally has server be the name of a server machine, and all clients mount /etc/security/audit/server at the same location in their local file systems. If the same server exports several different file systems for auditing, their server names will, of course, be different.
The audit threshold line specifies the percentage of free space that must be present in the file system containing the current audit file. The format of the threshold line is:

    minfree: percentage

where percentage indicates the amount of free space required. If free space falls below this threshold, the audit daemon auditd(8) invokes the shell script /etc/security/audit/audit_warn. If no threshold is specified, the default is 0%.
The audit flags line specifies the default system audit value. This value is combined with the user audit value read from /etc/security/passwd.adjunct to form the process audit state. The user audit value overrides the system audit value. The format of a flags line is:

    flags: audit-flags

where audit-flags specifies which event classes are to be audited. The character string representation of audit-flags contains a series of flag names, each one identifying a single audit class, separated by commas. A name preceded by `-' means that the class should be audited for failure only; successful attempts are not audited. A name preceded by `+' means that the class should be audited for success only; failing attempts are not audited. Without a prefix, the name indicates that the class is to be audited for both successes and failures. The special string all indicates that all events should be audited; -all indicates that all failed attempts are to be audited, and +all all successful attempts. The prefixes ^, ^-, and ^+ turn off flags specified earlier in the string (^- and ^+ for failing and successful attempts, ^ for both). They are typically used to reset flags.
The following table lists the audit classes:

    short name   long name            short description
    dr           data_read            Read of data, open for reading, etc.
    dw           data_write           Write or modification of data
    dc           data_create          Creation or deletion of any object
    da           data_access_change   Change in object access (modes, owner)
    lo           login_logout         Login, logout, creation by at(1)
    ad           administrative       Normal administrative operation
    p0           minor_privilege      Privileged operation
    p1           major_privilege      Unusual privileged operation
EXAMPLE
Here is a sample /etc/security/audit_control file for the machine eggplant:

    dir: /etc/security/audit/jedgar/eggplant
    dir: /etc/security/audit/jedgar.aux/eggplant
    #
    # Last-ditch audit file system when jedgar fills up.
    #
    dir: /etc/security/audit/global/eggplant
    minfree: 20
    flags: lo,p0,p1,ad,-all,^-da

This identifies server jedgar with two file systems normally used for audit data, another server global used only when jedgar fills up or breaks, and specifies that the warning script is run when the file systems are 80% filled. It also specifies that all logins, privileged and administrative operations are to be audited (whether or not they succeed), and that failures of all types except failures to access data are to be audited.
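The two formats described above (the title: string lines and the audit-flags string), as an added example that is not part of this manual page or of auditd: a small Python parser that resolves a flags string left to right into the outcomes audited per class, applied to the sample file from the EXAMPLE section. It assumes that a flags line may appear at most once and that minfree is a whole percentage from 0 to 100; the class table is the one listed on this page.

```python
# Audit classes from the table on this page: short name -> long name.
CLASSES = {"dr": "data_read", "dw": "data_write", "dc": "data_create",
           "da": "data_access_change", "lo": "login_logout",
           "ad": "administrative", "p0": "minor_privilege", "p1": "major_privilege"}

def parse_flags(spec):
    """Resolve an audit-flags string to {class: frozenset of audited outcomes}.
    Entries apply left to right: bare name = both outcomes, '+' = success only,
    '-' = failure only, 'all' = every class, leading '^' turns them off again."""
    state = {c: set() for c in CLASSES}
    for tok in spec.split(","):
        tok = tok.strip()
        turn_off = tok.startswith("^")
        tok = tok[1:] if turn_off else tok
        outcomes = {"+": {"success"}, "-": {"failure"}}.get(tok[:1], {"success", "failure"})
        name = tok[1:] if tok[:1] in "+-" else tok
        if name != "all" and name not in CLASSES:
            raise ValueError(f"unknown audit class {name!r} in {spec!r}")
        for c in (CLASSES if name == "all" else [name]):
            state[c] = state[c] - outcomes if turn_off else state[c] | outcomes
    return {c: frozenset(v) for c, v in state.items()}

def parse_audit_control(text):
    """Parse file text into ordered dirs, minfree (default 0%) and resolved flags."""
    conf = {"dir": [], "minfree": 0, "flags": None}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):            # blank or comment line
            continue
        title, sep, value = line.partition(":")
        title, value = title.strip(), value.strip()
        if title == "dir" and sep:
            conf["dir"].append(value)                    # order of use is preserved
        elif title == "minfree" and value.isdigit() and int(value) <= 100:
            conf["minfree"] = int(value)
        elif title == "flags" and conf["flags"] is None:  # assumed: at most one flags line
            conf["flags"] = parse_flags(value)
        else:
            raise ValueError(f"bad or duplicate line {line!r}")
    return conf

# Constructed input: the sample file from the EXAMPLE section of this page.
SAMPLE = """dir: /etc/security/audit/jedgar/eggplant
dir: /etc/security/audit/jedgar.aux/eggplant
# Last-ditch audit file system when jedgar fills up.
dir: /etc/security/audit/global/eggplant
minfree: 20
flags: lo,p0,p1,ad,-all,^-da
"""
```

Calling parse_audit_control(SAMPLE)["flags"] shows lo, p0, p1 and ad audited for both outcomes, dr, dw and dc for failure only, and da not audited at all, which is the reading the prose above gives for the sample flags line.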
FILES
- /etc/security/audit/audit_control
- /etc/security/audit/audit_warn
- /etc/security/audit/*/*/*
- /etc/security/passwd_adjunct
SEE ALSO
at(1), audit(2), getfauditflags(3), audit.log(5), audit(8), auditd(8)
Last modified 11/5/97