All configuration files for security audit are found in /etc/security. The following files must be present before the audit daemon is started:

audit_class - Contains the definitions of the audit classes.

audit_control - Controls aspects of the audit subsystem, such as default audit classes, minimum disk space to leave on the audit log volume, etc.

audit_event - Defines the kernel audit events. These map, mostly, to system calls.

audit_user - The events to audit for individual users. Users not appearing here will be subject to the default configuration in the control configuration file.

audit_warn - A shell script used by auditd to generate warning messages in exceptional situations, such as when space for audit records is running low.
The configuration file syntax is rather arcane, albeit easy to work with. One thing an administrator must be leery about is overriding system defaults, since a careless override can leave gaps where audit data is not collected.

The audit subsystem accepts both the short name and the long name of a class in the configuration syntax. A syntax map is included below.
The following list contains all supported audit classes (short name, long name, description):

all (all) - All audit flags set.

ad (administrative) - Administrative actions performed on the system as a whole.

ap (application) - Application defined action.

cl (file_close) - Audit calls to the close system call.

ex (exec) - Audit program or utility execution.

fa (file_attr_acc) - Audit the access of object attributes such as stat(1), pathconf(2) and similar events.

fc (file_creation) - Audit events where a file is created as a result.

fd (file_deletion) - Audit events where file deletion occurs.

fm (file_attr_mod) - Audit events where file attribute modification occurs, such as chown(8), chflags(1), flock(2), etc.

fr (file_read) - Audit events in which data is read, files are opened for reading, etc.

fw (file_write) - Audit events in which data is written, files are written or modified, etc.

io (ioctl) - Audit use of the ioctl(2) system call.

ip (ipc) - Audit various forms of Inter-Process Communication, including POSIX pipes and System V IPC operations.

lo (login_logout) - Audit login(1) and logout(1) events occurring on the system.

na (non_attrib) - Audit non-attributable events.

no (no_class) - Null class used to disable event auditing.

nt (network) - Audit events related to network actions, such as connect(2) and accept(2).

ot (other) - Audit miscellaneous events.

pc (process) - Audit process operations, such as exec(3) and exit(3).
Following is a list of all supported audit prefixes:

none - Audit both the success or failure of an event. For example, just listing a class will result in the auditing of both success and failure.

+ - Audit successful events only.

- - Audit failed events only.

Using the all class with either the positive or negative prefix can generate a large amount of data at an extremely rapid rate.

Extra prefixes used to modify the default configuration values:

^- - Disable auditing of failed events.

^+ - Enable auditing of successful events.

^ - Disable auditing of both successful and failed events.
In most cases, administrators will need to modify only two files when configuring the audit system: audit_control and audit_user. The first controls system-wide audit parameters and defaults for both attributable and non-attributable events. The second may be used to tune the level and nature of auditing for individual users.

The audit_control file contains some basic defaults that the administrator may wish to modify, or perhaps even set some new ones. Viewing the contents of this file, we see the following:

dir:/var/audit
flags:lo
minfree:20
naflags:lo
The dir option is used to set the default directory where audit logs are stored. Audit is frequently configured so that audit logs are stored on a dedicated file system, so as to prevent interference between the audit subsystem and other subsystems when file systems become full.

The flags option is used to set the system-wide defaults. The current setting, lo, configures the auditing of all login(1) and logout(1) actions. A more complex example, lo,ad,-all,^-fa,^-fc,^-cl, audits all system login(1) and logout(1) actions, all administrator actions, all failed events in the system, and finally disables auditing of failed attempts for fa, fc, and cl. Even though the -all turned on the auditing of all failed attempts, the ^- prefix will override that for the latter options.

Notice that the previous paragraph shows the file is read from left to right. As such, values further on the right side may override a previous value specified to its left.
The minfree option defines the minimum percentage of free space for audit file systems. This relates to the file system where audit logs are stored. For example, if dir specifies /var/audit and minfree is set to twenty (20), warning messages will be generated when the /var file system grows to eighty (80) percent full.

The naflags option specifies audit classes to be audited for non-attributed events - that is, events for which there is no authenticated user.
The audit_user file permits the administrator to determine which classes of audit events should be logged for which system users. The following are the defaults currently placed in the audit_user file:

root:lo:no
audit:fc:no

Notice how the default is to audit all cases of login/logout and disable auditing of all other actions for root. This configuration also audits all file creation and disables all other auditing for the audit user. While event auditing does not require a special user exist, some configurations, specifically environments making use of MAC, may require it.
All FreeBSD documents are available for download at https://download.freebsd.org/ftp/doc/

Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.