72a600a7a1
According to the upstream man page (which we don't install), none of libauditd's symbols are intended to be public. Also, I can't find any evidence for a port that uses libauditd. Therefore, we should treat it like other such libraries and use PRIVATELIB. Reported by: phk Reviewed by: cem, emaste MFC after: 2 weeks
140 lines
4.0 KiB
Groff
140 lines
4.0 KiB
Groff
.\" Copyright (c) 2004 Apple Inc.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\"
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. Neither the name of Apple Inc. ("Apple") nor the names of
|
|
.\" its contributors may be used to endorse or promote products derived
|
|
.\" from this software without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
|
|
.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
|
.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
.\" DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
|
|
.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
|
.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.Dd April 18, 2020
|
|
.Dt AUDITD 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm auditd
|
|
.Nd audit log management daemon
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Op Fl d | l
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
daemon responds to requests from the
|
|
.Xr audit 8
|
|
utility and notifications
|
|
from the kernel.
|
|
It manages the resulting audit log files and specified
|
|
log file locations.
|
|
.Pp
|
|
The options are as follows:
|
|
.Bl -tag -width indent
|
|
.It Fl d
|
|
Starts the daemon in debug mode \[em] it will not daemonize.
|
|
.It Fl l
|
|
This option is for when
|
|
.Nm
|
|
is configured to start on-demand using
|
|
.Xr launchd 8 .
|
|
.El
|
|
.Pp
|
|
Optionally, the audit review group "audit" may be created.
|
|
Non-privileged
|
|
users that are members of this group may read the audit trail log files.
|
|
.Sh NOTE
|
|
To assure uninterrupted audit support, the
|
|
.Nm
|
|
daemon should not be started and stopped manually.
|
|
Instead, the
|
|
.Xr audit 8
|
|
command
|
|
should be used to inform the daemon to change state/configuration after altering
|
|
the
|
|
.Pa audit_control
|
|
file.
|
|
.Pp
|
|
If
|
|
.Nm
|
|
is started on-demand by
|
|
.Xr launchd 8
|
|
then auditing should only be started and stopped with
|
|
.Xr audit 8 .
|
|
.Pp
|
|
On Mac OS X,
|
|
.Nm
|
|
uses the
|
|
.Xr asl 3
|
|
API for writing system log messages.
|
|
Therefore, only the audit administrator
|
|
and members of the audit review group will be able to read the
|
|
system log entries.
|
|
.Sh FILES
|
|
.Bl -tag -width ".Pa /etc/security" -compact
|
|
.It Pa /var/audit
|
|
Default directory for storing audit log files.
|
|
.Pp
|
|
.It Pa /etc/security
|
|
The directory containing the auditing configuration files
|
|
.Xr audit_class 5 ,
|
|
.Xr audit_control 5 ,
|
|
.Xr audit_event 5 ,
|
|
and
|
|
.Xr audit_warn 5 .
|
|
.El
|
|
.Sh COMPATIBILITY
|
|
The historical
|
|
.Fl h
|
|
and
|
|
.Fl s
|
|
flags are now configured using
|
|
.Xr audit_control 5
|
|
policy flags
|
|
.Cm ahlt
|
|
and
|
|
.Cm cnt ,
|
|
and are no longer available as arguments to
|
|
.Nm .
|
|
.Sh SEE ALSO
|
|
.Xr asl 3 ,
|
|
.Xr audit 4 ,
|
|
.Xr audit_class 5 ,
|
|
.Xr audit_control 5 ,
|
|
.Xr audit_event 5 ,
|
|
.Xr audit_warn 5 ,
|
|
.Xr audit 8 ,
|
|
.Xr auditdistd 8 ,
|
|
.Xr launchd 8 (Mac OS X)
|
|
.Sh HISTORY
|
|
The OpenBSM implementation was created by McAfee Research, the security
|
|
division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
|
|
It was subsequently adopted by the TrustedBSD Project as the foundation for
|
|
the OpenBSM distribution.
|
|
.Sh AUTHORS
|
|
.An -nosplit
|
|
This software was created by McAfee Research, the security research division
|
|
of McAfee, Inc., under contract to Apple Computer Inc.
|
|
Additional authors include
|
|
.An Wayne Salamon ,
|
|
.An Robert Watson ,
|
|
and SPARTA Inc.
|
|
.Pp
|
|
The Basic Security Module (BSM) interface to audit records and audit event
|
|
stream format were defined by Sun Microsystems.
|