All configuration files for security audit are found in /etc/security. The following files must be present before the audit daemon is started:
audit_class - Contains the definitions of the audit classes.
audit_control - Controls aspects of the audit subsystem, such as default audit classes, minimum disk space to leave on the audit log volume, etc.
audit_event - Defines the kernel audit events. These map, mostly, to system calls.
audit_user - The events to audit for individual users. Users not appearing here will be subject to the default configuration in the control configuration file.
audit_warn - A shell script used by auditd to generate warning messages in exceptional situations, such as when space for audit records is running low.
The configuration file syntax is rather arcane, albeit easy to work with. One thing an administrator must be leery about is overriding system defaults. This could create potential openings for audit data to not be collected properly.
The audit subsystem will accept both the short name and long name with regards to configuration syntax. A syntax map has been included below.
The following list contains all supported audit classes:
all - all - All audit flags
set.
ad - administrative -
Administrative actions performed on the system as a whole.
ap - application - Application
defined action.
cl - file_close - Audit calls to
the close system call.
ex - exec - Audit program or
utility execution.
fa - file_attr_acc - Audit the
access of object attributes such as stat(1), pathconf(2) and
similar events.
fc - file_creation - Audit events
where a file is created as a result.
fd - file_deletion - Audit events
where file deletion occurs.
fm - file_attr_mod - Audit events
where file attribute modification occurs, such as chown(8), chflags(1), flock(2), etc.
fr - file_read - Audit events in
which data is read, files are opened for reading, etc.
fw - file_write - Audit events in
which data is written, files are written or modified, etc.
io - ioctl - Audit use of the ioctl(2) system
call.
ip - ipc - Audit various forms of
Inter-Process Communication, including POSIX pipes and System V IPC operations.
lo - login_logout - Audit login(1) and logout(1) events
occurring on the system.
na - non_attrib - Audit
non-attributable events.
no - no_class - Null class used
to disable event auditing.
nt - network - Audit events
related to network actions, such as connect(2) and accept(2).
ot - other - Audit miscellaneous
events.
pc - process - Audit process
operations, such as exec(3) and exit(3).
Following is a list of all supported audit prefixes:
none - Audit both the success or failure of an event. For example, just listing a class will result in the auditing of both success and failure.
+ - Audit successful events only.
- - Audit failed events only.
Warning: Using the
allclass with either the positive or negative prefix can generate a large amount of data at an extremely rapid rate.
Extra prefixes used to modify the default configuration values:
^- - Disable auditing of failed events.
^+ - Enable auditing of successful events.
^ - Disable auditing of both successful and failed events.
In most cases, administrators will need to modify only two files when configuring the audit system: audit_control and audit_user. The first controls system-wide audit paramaters and defaults for both attributable and non-attributable events. The second may be used to tune the level and nature of auditing for individual users.
The audit_control file contains some basic defaults that the administrator may wish to modify. Perhaps even set some new ones. Viewing the contents of this file, we see the following:
dir:/var/audit flags:lo minfree:20 naflags:lo
The dir option is used to set the default directory where
audit logs are stored. Audit is frequently configured so that audit logs are stored on a
dedicated file system, so as to prevent interference between the audit subsystem and
other subsystems when file systems become full.
The flags option is used to set the system-wide defaults.
The current setting, lo configures the auditing of all login(1) and logout(1) actions. A
more complex example, lo,ad,-all,^-fa,^-fc,^-cl audits all
system login(1) and logout(1) actions, all
administrator actions, all failed events in the system, and finally disables auditing of
failed attempts for fa, fc, and
cl. Even though the -all turned
on the auditing of all failed attempts, the ^- prefix will
override that for the latter options.
Notice that the previous paragraph shows the file is read from left to right. As such, values further on the right side may override a previous value specified to its left.
The minfree option defines the minimum percentage of free
space for audit file systems. This relates to the file system where audit logs are
stored. For example, if the dir specifies /var/audit and minfree is set to twenty
(20), warning messages will be generated when the /var file
system grows to eighty (80) percent full.
The naflags option specifies audit classes to be audited
for non-attributed events -- that is, events for which there is no authenticated
user.
The audit_user file permits the administrator to determine which classes of audit events should be logged for which system users.
The following is the defaults currently placed in the audit_user file:
root:lo:no audit:fc:no
Notice how the default is to audit all cases of login/logout and disable auditing of all other actions for root. This configuration also audits all file creation and disables all other auditing for the audit user. While event auditing does not require a special user exist, some configurations, specifically environments making use of MAC, may require it.
This, and other documents, can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.
For questions about FreeBSD, read the documentation before contacting <questions@FreeBSD.org>.
For questions about this documentation, e-mail <doc@FreeBSD.org>.