Events written by the kernel audit subsystem cannot be altered or read in plain text. Data is stored and accessed in a method similar to that of ktrace(1) and kdump(1); that is, records may only be viewed by dumping them using the praudit command. Audit trails may be reduced using the auditreduce command, which selects records from an audit trail based on properties of interest, such as the user, time of the event, and type of operation.
For example, the praudit utility will dump the entire contents of a specified audit log in plain text. To dump an audit log in its entirety, use:
# praudit /var/audit/AUDITFILE
where AUDITFILE is the audit log to be viewed. Since audit logs may contain enormous amounts of data, an administrator may prefer to select records for specific users. This is made possible with the following command, where trhodes is the user of interest:
# auditreduce -e trhodes /var/audit/AUDITFILE | praudit
This will select all audit records produced by the user trhodes that are stored in the AUDITFILE file.
There are several other options available for reading audit records; see the manual pages of the commands mentioned above for a more in-depth explanation.
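The selection that auditreduce performs, shown here as an added example rather than code from the FreeBSD project: a small Python filter over the comma-separated token lines that praudit prints by default. The sample records, the Record class and the parse_praudit() and reduce_trail() functions are constructed for this illustration; the filter keys (effective user, audit user, event name, failed-only) mirror what auditreduce's -e, -u and -m options select, but the event match here is a plain prefix test on the header's event name, which is my simplification.

```python
"""Filter praudit(1)-style text records the way auditreduce(1) would.

Added example, not FreeBSD code: it works on the plain-text records that
praudit prints rather than on binary BSM trails, so it runs anywhere.
"""
from dataclasses import dataclass, field
from typing import Iterator, List, Optional

# Constructed sample modelled on praudit's default comma-separated token
# output. Each record runs from a "header" token to a "trailer" token.
# The second record is a process that su(1)'d to root: the audit ID
# (first subject field) is still trhodes, the effective user is root.
SAMPLE_TRAIL = """\
header,127,11,execve(2),0,Thu Sep 24 23:16:25 2020, + 523 msec
exec arg,ls,-l
path,/bin/ls
attribute,555,root,wheel,1234,5678,0
subject,trhodes,trhodes,wheel,trhodes,wheel,2032,2032,0,0.0.0.0
return,success,0
trailer,127
header,80,11,open(2) - read,0,Thu Sep 24 23:16:30 2020, + 11 msec
path,/etc/master.passwd
subject,trhodes,root,wheel,root,wheel,2040,2032,0,0.0.0.0
return,failure : Permission denied,-1
trailer,80
header,96,11,login,0,Thu Sep 24 23:17:02 2020, + 2 msec
subject,alice,alice,users,alice,users,2101,2101,0,0.0.0.0
return,success,0
trailer,96
"""


@dataclass
class Record:
    event: str                      # event name from the header token
    timestamp: str
    audit_user: str = ""            # audit ID: set at login, survives su
    effective_user: str = ""        # what auditreduce -e matches on
    success: Optional[bool] = None  # None if the record has no return token
    tokens: List[str] = field(default_factory=list)


def parse_praudit(text: str) -> Iterator[Record]:
    """Group praudit token lines into records; text outside a header/trailer pair is skipped."""
    rec: Optional[Record] = None
    for line in text.splitlines():
        fields = line.split(",")
        tok = fields[0]
        if tok == "header" and len(fields) >= 6:
            rec = Record(event=fields[3], timestamp=fields[5].strip())
        if rec is None:
            continue
        rec.tokens.append(line)
        if tok == "subject" and len(fields) >= 3:
            rec.audit_user, rec.effective_user = fields[1], fields[2]
        elif tok == "return" and len(fields) >= 2:
            rec.success = fields[1].startswith("success")
        elif tok == "trailer":
            yield rec
            rec = None


def reduce_trail(text: str, euser: Optional[str] = None, auid: Optional[str] = None,
                 event: Optional[str] = None, failed_only: bool = False) -> List[Record]:
    """Keep records that match every given criterion (an AND, as auditreduce does)."""
    kept = []
    for rec in parse_praudit(text):
        if euser is not None and rec.effective_user != euser:
            continue
        if auid is not None and rec.audit_user != auid:
            continue
        if event is not None and not rec.event.startswith(event):
            continue
        if failed_only and rec.success is not False:
            continue
        kept.append(rec)
    return kept


if __name__ == "__main__":
    # Equivalent of: auditreduce -e trhodes AUDITFILE | praudit
    for rec in reduce_trail(SAMPLE_TRAIL, euser="trhodes"):
        print(rec.timestamp, rec.event, "euid=" + rec.effective_user)
    # Same user selected by audit ID: also shows what they did after su
    for rec in reduce_trail(SAMPLE_TRAIL, auid="trhodes"):
        print(rec.timestamp, rec.event, "auid=" + rec.audit_user)
```

The second sample record is the point of the exercise: after su, the effective user is root, so selecting by effective user (the -e option used in the text) no longer attributes that record to trhodes, while the audit ID recorded at login still does. When the question is "what did this person do", selecting by audit ID is the more reliable key.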
Due to log reliability requirements, audit trails are written to only by the kernel, and managed only by auditd. Administrators should not attempt to use newsyslog.conf(5) or other tools to directly rotate audit logs. Instead, the audit management tool should be used to shut down auditing, reconfigure the audit system, and perform log rotation. The following command causes the audit daemon to create a new audit log and signal the kernel to switch to using the new log. The old log will be terminated and renamed, at which point it may then be manipulated by the administrator.
# audit -n
If the auditd daemon is not currently running, the previous command will fail and an error message will be produced.
Adding the following line to /etc/crontab will force the rotation every twelve hours from cron(8):
0 */12 * * * root /usr/sbin/audit -n
The change will take effect once the new /etc/crontab has been saved.
By default, only the root user has the right to read system audit logs. However, that right may be delegated to members of the audit group, as the audit directory and audit trail files are assigned to that group and made group-readable. As the ability to track audit log contents provides significant insight into the behavior of users and processes, it is recommended that the delegation of audit review rights be performed with caution.
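A check an administrator might run after delegating review rights, added here as an example and not part of FreeBSD: a small Python function that confirms an audit directory and the trail files in it are owned by the expected user and group, are not reachable by other users, and are not group-writable (group members should be able to review trails, not alter them; that last rule is my reading of the text above). The audit_dir_problems(), build_demo_tree() and check_demo() helpers are mine; the demo tree is a constructed stand-in for /var/audit, with file names in the YYYYMMDDhhmmss.YYYYMMDDhhmmss and .not_terminated forms that trail files use, and with the demo directory's own owner and group standing in for root and audit so the check can be exercised on any system.

```python
"""Check that an audit trail directory exposes nothing beyond its owner and
the review group. Added example, not FreeBSD code.
"""
import os
import stat
import tempfile
from typing import List


def audit_dir_problems(path: str, owner_uid: int, group_gid: int) -> List[str]:
    """Return one line per finding; an empty list means the tree is as expected.

    Policy (my reading of the handbook text): the directory and every entry
    in it are owned by owner_uid and group_gid, nothing is accessible by
    others, and nothing is group-writable. /var/audit is flat, so only the
    directory's immediate entries are examined.
    """
    entries = [path] + [os.path.join(path, n) for n in sorted(os.listdir(path))]
    problems = []
    for entry in entries:
        st = os.lstat(entry)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != owner_uid:
            problems.append(f"{entry}: owner uid {st.st_uid}, expected {owner_uid}")
        if st.st_gid != group_gid:
            problems.append(f"{entry}: group gid {st.st_gid}, expected {group_gid}")
        if mode & stat.S_IRWXO:
            problems.append(f"{entry}: accessible by others (mode {mode:04o})")
        if mode & stat.S_IWGRP:
            problems.append(f"{entry}: group-writable (mode {mode:04o})")
    return problems


def build_demo_tree() -> str:
    """Constructed stand-in for /var/audit: one correctly protected trail file
    and one world-readable trail. The contents are placeholders, not BSM data."""
    base = tempfile.mkdtemp(prefix="audit-demo-")
    os.chmod(base, 0o750)
    for name, mode in (("20200924231625.20200925111625", 0o640),
                       ("20200925111625.not_terminated", 0o644)):
        p = os.path.join(base, name)
        with open(p, "w") as f:
            f.write("constructed placeholder, not a real audit trail\n")
        os.chmod(p, mode)
    return base


def check_demo() -> List[str]:
    """Run the checker on the demo tree. Off FreeBSD there is no audit group,
    so the demo directory's own owner and group serve as the expected values."""
    base = build_demo_tree()
    st = os.lstat(base)
    return audit_dir_problems(base, st.st_uid, st.st_gid)


if __name__ == "__main__":
    for finding in check_demo():
        print(finding)
```

On a real system the call would be audit_dir_problems("/var/audit", 0, grp.getgrnam("audit").gr_gid); anything it reports means that a user outside root and the audit group can read trail data, or that a group member could modify it, which is exactly the exposure the delegation caveat above warns about.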
All FreeBSD documents are available for download at https://download.freebsd.org/ftp/doc/
Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.