The audit_control file contains audit control information used by auditd(1M). Each line consists of a title and a string, separated by a colon. There are no restrictions on the order of lines in the file, although some lines must appear only once. A line beginning with '#' is a comment.
Directory definition lines list the directories to be used when creating audit files, in the order in which they are to be used. The format of a directory line is:

     dir: directory-name

directory-name is where the audit files will be created. Any valid writable directory can be specified.
Unless explicitly told to look elsewhere, the auditreduce(1M) command by default looks for the audit trail in all directories named according to the following convention on the server on which the command is run. Therefore, this naming convention is recommended for directories in which audit-trail files are stored:

     /etc/security/audit/server[.number]/files

server is the name of the audit server on which the audit files are stored. The optional .number is used when an audit server exports two or more audit partitions. For example, the audit server trustworthy exports /etc/security/audit/trustworthy and /etc/security/audit/trustworthy.1. For the current host to use both of these partitions, these lines must be added to the local audit_control file:

     dir: /etc/security/audit/trustworthy/files
     dir: /etc/security/audit/trustworthy.1/files
Audit data may be stored in directories with other names at the discretion of the site. Some sites may want to store each host's audit data in a separate subdirectory. The audit structure used will depend on each individual site. If the defined audit structure differs from /etc/security/audit/*/files, auditreduce needs to be given the new location of the audit trail explicitly, as described in auditreduce(1M).
The audit threshold line specifies the percentage of free space that must be present in the file system containing the current audit file. The format of the threshold line is:

     minfree: percentage

where percentage indicates the amount of free space required. If free space falls below this threshold, the audit daemon auditd(1M) invokes the shell script audit_warn(1M). If no threshold is specified, the default is 0%.
The audit flags line specifies the default system audit value. This value is combined with the user audit value read from audit_user(4) to form the process audit state. The user audit value overrides the system audit value. The format of a flags line is:

     flags: audit-flags

where audit-flags specifies which event classes are to be audited. The character string representation of audit-flags contains a series of flag names, each one identifying a single audit class, separated by commas. A name preceded by minus (-) means that the class should be audited for failure only; successful attempts are not audited. A name preceded by plus (+) means that the class should be audited for success only; failing attempts are not audited. Without a prefix, the name indicates that the class is to be audited for both successes and failures. The special string all indicates that all events should be audited: -all indicates that all failed attempts are to be audited; +all, all successful attempts. The prefixes ^, ^-, and ^+ turn off flags specified earlier in the string (^- and ^+ for failing and successful attempts, ^ for both). They are typically used to reset flags.
The non-attributable flags line is similar to the flags line, but this one contains the audit flags that define what classes of events are audited when an action cannot be attributed to a specific user. The format of a naflags line is:

     naflags: audit-flags

The flags are separated by commas, with no spaces.
The following table lists the predefined audit classes:

     short name   long name   Short description
     no           no_class    Null value for turning off event preselection
     fr                       Read of data, open for reading, etc.
     fw                       Write of data, open for writing, etc.
     fa                       Access of object attributes: stat, pathconf, etc.
     fm                       Change of object attributes: chown, flock, etc.
     fc                       Creation of object
     fd                       Deletion of object
     cl                       close(2) system call
     pc                       Process operations
     nt                       Network events: bind, connect, accept, etc.
     ip                       System V IPC operations
     na                       Non-attributable events
     ad                       Administrative actions: mount, exportfs, etc.
     lo                       Login and logout events
     ap                       Application auditing
     ax                       server
     ss                       system state
     as                       system-wide administration
     aa                       administration
     ao                       administration
     ps                       start/stop
     pm                       modify
     io                       ioctl(2) system call
     fn                       fcntl(2) system call
     ot                       Everything else
     all                      All flags set
Note that the classes are configurable; see audit_class(4).
Here is a sample /etc/security/audit_control file for the machine eggplant:
     dir: /etc/security/jedgar/eggplant
     dir: /etc/security/jedgar.aux/eggplant
     #
     # Last-ditch audit file system when jedgar fills up.
     #
     dir: /etc/security/global/eggplant
     minfree: 20
     flags: lo,ad,-all,^-fm
     naflags: lo,ad
This identifies server jedgar with two file systems normally used for audit data, another server global used only when jedgar fills up or breaks, and specifies that the warning script is run when the file systems are 80% filled. It also specifies that all logins and administrative operations are to be audited (whether or not they succeed), and that failures of all types except failures to access object attributes are to be audited.
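The flags syntax described above (the +, -, ^, ^+ and ^- prefixes and the left-to-right order in which they apply) is easy to misread when a site reviews its preselection policy. The following is an added example, not part of this manual page or of the Trusted Solaris audit software: it parses an audit_control file in the format described here, enforces the "appears only once" rule for the minfree, flags and naflags titles, and resolves a flags string into a per-class (success, failure) state using the short class names from the table above. The sample text is the eggplant file from this page, embedded as a constructed string; the class list is taken from the table, and the interpretation of ^ as clearing whatever earlier entries set is the rule stated in the flags paragraph.

```python
"""Parse a Trusted Solaris audit_control file and resolve the effective
per-class audit state encoded by its flags string.

Added example; not the code of auditd(1M) or of this manual page.  The
class names come from the manual page's table; SAMPLE is the page's
eggplant file, embedded here as a constructed string.
"""
from dataclasses import dataclass, field

# Short class names from the audit_control(4) table ("all" is a keyword,
# not a class, and is handled separately below).
AUDIT_CLASSES = ("no", "fr", "fw", "fa", "fm", "fc", "fd", "cl", "pc", "nt",
                 "ip", "na", "ad", "lo", "ap", "ax", "ss", "as", "aa", "ao",
                 "ps", "pm", "io", "fn", "ot")

# Constructed copy of the sample audit_control file for host eggplant.
SAMPLE = """\
dir: /etc/security/jedgar/eggplant
dir: /etc/security/jedgar.aux/eggplant
#
# Last-ditch audit file system when jedgar fills up.
#
dir: /etc/security/global/eggplant
minfree: 20
flags: lo,ad,-all,^-fm
naflags: lo,ad
"""


@dataclass
class AuditControl:
    dirs: list = field(default_factory=list)  # in the order auditd uses them
    minfree: int = 0                          # default when no threshold line
    flags: str = ""
    naflags: str = ""


def parse_audit_control(text):
    """Split 'title: string' lines; lines beginning with '#' are comments.
    'dir' may repeat (order is significant); the other titles appear once."""
    ac = AuditControl()
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        title, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: missing ':' separator")
        title, value = title.strip(), value.strip()
        if title == "dir":
            ac.dirs.append(value)
            continue
        if title in seen:
            raise ValueError(f"line {lineno}: duplicate '{title}' line")
        seen.add(title)
        if title == "minfree":
            pct = int(value)
            if not 0 <= pct <= 100:
                raise ValueError(f"line {lineno}: minfree {pct} not in 0..100")
            ac.minfree = pct
        elif title == "flags":
            ac.flags = value
        elif title == "naflags":
            ac.naflags = value
        else:
            raise ValueError(f"line {lineno}: unknown title '{title}'")
    return ac


def resolve_flags(spec):
    """Return {class: (audit_success, audit_failure)} for an audit-flags string.

    Entries apply left to right: 'x' selects both outcomes, '+x' success
    only, '-x' failure only; a leading '^' clears instead of sets, so
    '-all,^-fm' audits every failure except failures in class fm."""
    state = {c: [False, False] for c in AUDIT_CLASSES if c != "no"}
    for item in spec.split(","):
        if not item or " " in item:
            raise ValueError(f"malformed flags entry {item!r}")
        clear = item.startswith("^")
        body = item[1:] if clear else item
        if body and body[0] in "+-":
            sign, name = body[0], body[1:]
        else:
            sign, name = "", body
        if name == "no":          # null value: selects nothing
            continue
        if name == "all":
            targets = list(state)
        elif name in state:
            targets = [name]
        else:
            raise ValueError(f"unknown audit class {name!r}")
        for c in targets:
            if sign in ("", "+"):
                state[c][0] = not clear
            if sign in ("", "-"):
                state[c][1] = not clear
    return {c: tuple(v) for c, v in state.items()}


def audited_classes(resolved):
    """Sorted (success_classes, failure_classes) from a resolve_flags() result."""
    succ = sorted(c for c, (s, _) in resolved.items() if s)
    fail = sorted(c for c, (_, f) in resolved.items() if f)
    return succ, fail


if __name__ == "__main__":
    ac = parse_audit_control(SAMPLE)
    succ, fail = audited_classes(resolve_flags(ac.flags))
    print("dirs:", ac.dirs)
    print("minfree:", ac.minfree, "-> audit_warn when free space < that %")
    print("success audited:", succ)
    print("failure audited:", fail)
```

Running it on the eggplant sample shows why the order of entries matters: lo and ad are selected for both outcomes, -all then adds failure auditing for every class, and ^-fm removes only the failure bit for fm, leaving fm entirely unaudited while every other class keeps its failure bit.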
By default, the machine halts when audit files run out of disk space. The Trusted Solaris environment adds programming interfaces, audit tokens, audit classes, and audit events.
By default, auditing is enabled in the Trusted Solaris environment. See Trusted Solaris Audit Administration for how to disable and enable auditing.