d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
369cca8bf4
freebsd-dev/contrib/openbsm/bin/auditd/auditd.8
Robert Watson bb97b41819 Vendor import of OpenBSM 1.0 alpha 11, with the following change history 
notes since the last import:

OpenBSM 1.0 alpha 11

- Reclassify certain read/write operations as having no class rather than the
  fr/fw class; our default classes audit intent (open) not operations (read,
  write).
- Introduce AUE_SYSCTL_WRITE event so that BSD/Darwin systems can audit reads
  and writes of sysctls as separate events.  Add additional kernel
  environment and jail events for FreeBSD.
- Break AUDIT_TRIGGER_OPEN_NEW into two events, AUDIT_TRIGGER_ROTATE_USER
  (issued by the user audit(8) tool) and AUDIT_TRIGGER_ROTATE_KERNEL (issued
  by the kernel audit implementation) so that they can be distinguished.
- Disable rate limiting of rotate requests; as the kernel doesn't retransmit
  a dropped request, the log file will otherwise grow indefinitely if the
  trigger is dropped.
- Improve auditd debugging output.
- Fix a number of threading related bugs in audit_control file reading
  routines.
- Add APIs au_poltostr() and au_strtopol() to convert between text
  representations of audit_control policy flags and the flags passed to
  auditon(A_SETPOLICY) and retrieved from auditon(A_GETPOLICY).
- Add API getacpol() to return the 'policy:' entry from audit_control, an
  extension to the Solaris file format to allow specification of policy
  persistent flags.
- Update audump to print the audit_control policy field.
- Update auditd to read the audit_control policy field and set the kernel
  policy to match it when configuring/reconfiguring.  Remove the -s and -h
  arguments as these policies are now set via the configuration file.  If a
  policy line is not found in the configuration file, continue with the
  current default of setting AUDIT_CNT.
- Fix bugs in the parsing of large execve(2) arguments and environmental
  variable tokens; increase maximum parsed argument and variable count.
- configure now detects strlcat(), used by policy-related functions.
- Reference token and record sample files added to test tree.

Obtained from:	TrustedBSD Project
2006-09-21 07:07:33 +00:00

106 lines
3.5 KiB
Groff
Raw Blame History

.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
.\"
.\" @APPLE_BSD_LICENSE_HEADER_START@
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
.\" DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" @APPLE_BSD_LICENSE_HEADER_END@
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#9 $
.\"
.Dd January 24, 2004
.Dt AUDITD 8
.Os
.Sh NAME
.Nm auditd
.Nd audit log management daemon
.Sh SYNOPSIS
.Nm auditd
.Op Fl dhs
.Sh DESCRIPTION
The
.Nm
daemon responds to requests from the audit(1) utility and notifications
from the kernel. It manages the resulting audit log files and specified
log file locations.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl d
Starts the daemon in debug mode - it will not daemonize.
.El
.Pp
The historical
.Fl h
and
.Fl s
flags are now configured using
.Xr audit_control 5
policy flags
.Dv ahlt
and
.Dv cnt ,
and are no longer available as arguments to
.Xr auditd 8 .
.Sh NOTE
.Pp
To assure uninterrupted audit support, the
.Nm auditd
daemon should not be started and stopped manually.
Instead, the
.Xr audit 8
command
should be used to inform the daemon to change state/configuration after altering
the
.Pa audit_control
file.
.Pp
.\" Sending a SIGHUP to a running
.\" .Nm auditd
.\" daemon will force it to exit.
Sending a SIGTERM to a running
.Nm auditd
daemon will force it to exit.
.Sh FILES
.Bl -tag -width "/var/audit" -compact
.It Pa /var/audit
Default directory for storing audit log files.
.El
.Sh SEE ALSO
.Xr audit 8
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
Reference in New Issue View Git Blame Copy Permalink