| field | value | date |
|---|---|---|
| author | rwatson <rwatson@FreeBSD.org> | 2006-09-21 07:07:33 +0000 |
| committer | rwatson <rwatson@FreeBSD.org> | 2006-09-21 07:07:33 +0000 |
| commit | 3fc61fcaeb6c4f73a668795461e276064f449f38 | |
| tree | e89d92d2294a63485849fba4ed404c2f99207ca7 /contrib/openbsm/man | |
| parent | 24713adf4396d925450ece7ee61082d0bed8b75a | |
Vendor import of OpenBSM 1.0 alpha 11, with the following change history
notes since the last import:
OpenBSM 1.0 alpha 11
- Reclassify certain read/write operations as having no class rather than the
fr/fw class; our default classes audit intent (open) not operations (read,
write).
- Introduce AUE_SYSCTL_WRITE event so that BSD/Darwin systems can audit reads
and writes of sysctls as separate events. Add additional kernel
environment and jail events for FreeBSD.
- Break AUDIT_TRIGGER_OPEN_NEW into two events, AUDIT_TRIGGER_ROTATE_USER
(issued by the user audit(8) tool) and AUDIT_TRIGGER_ROTATE_KERNEL (issued
by the kernel audit implementation) so that they can be distinguished.
- Disable rate limiting of rotate requests; as the kernel doesn't retransmit
a dropped request, the log file will otherwise grow indefinitely if the
trigger is dropped.
- Improve auditd debugging output.
- Fix a number of threading related bugs in audit_control file reading
routines.
- Add APIs au_poltostr() and au_strtopol() to convert between text
representations of audit_control policy flags and the flags passed to
auditon(A_SETPOLICY) and retrieved from auditon(A_GETPOLICY).
- Add API getacpol() to return the 'policy:' entry from audit_control, an
extension to the Solaris file format to allow specification of policy
persistent flags.
- Update audump to print the audit_control policy field.
- Update auditd to read the audit_control policy field and set the kernel
policy to match it when configuring/reconfiguring. Remove the -s and -h
arguments as these policies are now set via the configuration file. If a
policy line is not found in the configuration file, continue with the
current default of setting AUDIT_CNT.
- Fix bugs in the parsing of large execve(2) arguments and environmental
variable tokens; increase maximum parsed argument and variable count.
- configure now detects strlcat(), used by policy-related functions.
- Reference token and record sample files added to test tree.
Obtained from: TrustedBSD Project
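The commit message above introduces au_strtopol()/au_poltostr() and a `policy:` entry in audit_control whose absence makes auditd fall back to cnt. The following is an added example, not OpenBSM's or FreeBSD's own code: a stand-alone parser for that entry using the flag names documented in the audit_control.5 hunk of this commit, plus the operational check the manual page recommends (cnt set, ahlt not set). The bit values assigned to each flag are assumptions for this example only, not the AUDIT_* constants from <bsm/audit.h>; on a real system use au_strtopol()/au_poltostr() from libbsm and pass the result to auditon(A_SETPOLICY).

```c
/*
 * Added example (not OpenBSM's own code): parse and sanity-check the
 * audit_control(5) "policy:" entry.  Flag names come from the manual page
 * hunk in this commit; the bit values are assumptions for this example and
 * are NOT the AUDIT_* constants from <bsm/audit.h>.
 */
#include <stdio.h>
#include <string.h>

/* Names from audit_control(5); bit values assumed for this example. */
static const struct { const char *name; long bit; } policy_flags[] = {
    { "cnt", 0x0001L },   { "ahlt", 0x0002L },  { "argv", 0x0004L },
    { "arge", 0x0008L },  { "seq", 0x0010L },   { "group", 0x0080L },
    { "trail", 0x0100L }, { "path", 0x0200L },  { "zonename", 0x1000L },
    { "perzone", 0x2000L },
};
#define POL_CNT  0x0001L
#define POL_AHLT 0x0002L
#define NFLAGS (sizeof(policy_flags) / sizeof(policy_flags[0]))

/* Parse "cnt,argv,arge" into a mask.  An unknown or empty token returns -1
 * instead of being ignored, so a typo cannot silently weaken the policy.
 * An empty string is a valid "no flags" policy (0). */
long policy_parse(const char *str)
{
    long policy = 0;

    if (*str == '\0')
        return 0;
    for (;;) {
        const char *end = strchr(str, ',');
        size_t len = end ? (size_t)(end - str) : strlen(str);
        size_t i;

        for (i = 0; i < NFLAGS; i++)
            if (strlen(policy_flags[i].name) == len &&
                strncmp(str, policy_flags[i].name, len) == 0)
                break;
        if (len == 0 || i == NFLAGS)
            return -1;
        policy |= policy_flags[i].bit;
        if (end == NULL)
            break;
        str = end + 1;
    }
    return policy;
}

/* Locate the "policy:" line in audit_control text (assumes Unix line
 * endings and no trailing whitespace).  As the commit message says auditd
 * does, fall back to cnt when no policy line is present. */
long policy_from_audit_control(const char *text)
{
    const char *p = text;

    while (p != NULL && *p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);

        if (linelen >= 7 && strncmp(p, "policy:", 7) == 0) {
            char line[256];

            if (linelen - 7 >= sizeof(line))
                return -1;
            memcpy(line, p + 7, linelen - 7);
            line[linelen - 7] = '\0';
            return policy_parse(line);
        }
        p = eol ? eol + 1 : NULL;
    }
    return POL_CNT;
}

/* Operational check matching the page's advice: warn when ahlt would halt
 * the host on a full audit store, or when neither cnt nor ahlt is set and
 * processes would suspend (which the page says is not recoverable). */
const char *policy_warning(long policy)
{
    if (policy & POL_AHLT)
        return "ahlt set: host halts when the audit store fills";
    if (!(policy & POL_CNT))
        return "neither cnt nor ahlt: processes suspend when the store fills";
    return NULL;
}

int main(void)
{
    /* Constructed sample audit_control, not copied from any system. */
    const char *sample =
        "dir:/var/audit\nflags:lo\nminfree:20\nnaflags:lo\npolicy:cnt,argv\n";
    long pol = policy_from_audit_control(sample);
    const char *warn = policy_warning(pol);

    if (pol < 0)
        return 1;
    printf("policy=0x%lx warning=%s\n", pol, warn ? warn : "none");
    return 0;
}
```

Rejecting unknown tokens rather than skipping them is the important design choice: a misspelled `policy:cnt,argx` should fail configuration loudly rather than quietly leave execve arguments unaudited.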
Diffstat (limited to 'contrib/openbsm/man')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | contrib/openbsm/man/audit_control.5 | 58 |
| -rw-r--r-- | contrib/openbsm/man/auditon.2 | 4 |

2 files changed, 59 insertions, 3 deletions
diff --git a/contrib/openbsm/man/audit_control.5 b/contrib/openbsm/man/audit_control.5 index dd39afc..edd38bb 100644 --- a/contrib/openbsm/man/audit_control.5 +++ b/contrib/openbsm/man/audit_control.5 @@ -25,7 +25,7 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#9 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#11 $ .\" .Dd January 4, 2006 .Dt AUDIT_CONTROL 5 @@ -63,6 +63,9 @@ an action cannot be attributed to a specific user. The minimum free space required on the file system audit logs are being written to. When the free space falls below this limit a warning will be issued. Not currently used as the value of 20 percent is chosen by the kernel. +.It Va policy +A list of global audit policy flags specifying various behaviors, such as +fail stop, auditing of paths and arguments, etc. .El .Sh AUDIT FLAGS Audit flags are a comma-delimited list of audit classes as defined in the 
@@ -86,6 +89,53 @@ Do not record successful events .It ^- Do not record failed events .El +.Sh AUDIT POLICY FLAGS +The policy flags field is a comma-delimited list of policy flags from the +following list: +.Pp +.Bl -tag -width zonename -compact -offset indent +.It cnt +Allow processes to continue running even though events are not being audited. +If not set, processes will be suspended when the audit store space is +exhausted. +Currently, this is not a recoverable state. +.It ahlt +Fail stop the system if unable to audit an event--this consists of first +draining pending records to disk, and then halting the operating system. +.It argv +Audit command line arguments to +.Xr execve 2 . +.It arge +Audit environmental variable arguments to +.Xr execve 2 . +.It seq +Include a unique audit sequence number token in generated audit records (not +implemented on FreeBSD or Darwin). +.It group +Include supplementary groups list in generated audit records (not implemented +on FreeBSD or Darwin; supplementary groups are never included in records on +these systems). +.It trail +Append a trailer token to each audit record (not implemented on FreeBSD or +Darwin; trailers are always included in records on these systems). +.It path +Include secondary file paths in audit records (not implemented on FreeBSD or +Darwin; secondary paths are never included in records on these systems). +.It zonename +Include a zone ID token with each audit record (not implemented on FreeBSD or +Darwin; FreeBSD audit records do not currently include the jail ID or name.) +.It perzone +Enable auditing for each local zone (not implemented on FreeBSD or Darwin; on +FreeBSD, audit records are collected from all jails and placed in a single +global trail, and only limited audit controls are permitted within a jail.) +.El +.Pp +It is recommended that installations set the +.Dv cnt +flag but not +.Dv ahlt +flag unless it is intended that audit logs exceeding available disk space +halt the system. 
.Sh DEFAULT The following settings appear in the default .Nm @@ -95,12 +145,18 @@ dir:/var/audit flags:lo minfree:20 naflags:lo +policy:cnt .Ed .Pp The .Va flags parameter above specifies the system-wide mask corresponding to login/logout events. +The +.Va policy +parameter specifies that the system should neither fail stop nor suspend +processes when the audit store fills. +will be audited. .Sh FILES .Bl -tag -width "/etc/security/audit_control" -compact .It Pa /etc/security/audit_control diff --git a/contrib/openbsm/man/auditon.2 b/contrib/openbsm/man/auditon.2 index 9dedbba..04eb775 100644 --- a/contrib/openbsm/man/auditon.2 +++ b/contrib/openbsm/man/auditon.2 @@ -25,7 +25,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#7 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#8 $ .\" .Dd April 19, 2005 .Dt AUDITON 2 @@ -192,7 +192,7 @@ structure. The field will be set to the maximum audit log file size. A value of 0 indicates no limit to the size. The -.Ft af_filesz +.Ft af_currsz will be set to the current audit log file size. .It Dv A_GETCWD .\" [COMMENTED OUT]: Valid description, not yet implemented. |
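Review bot: The `.Dd January 4, 2006` line in the first audit_control.5 hunk is left unchanged even though this change adds a new configuration entry and an entire AUDIT POLICY FLAGS section; bump `.Dd` to the date of this change so a reader of the installed page can tell it describes the `policy:` entry.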
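Review bot: The new `.It Va policy` entry in the second hunk ("fail stop, auditing of paths and arguments, etc.") should say that the entry is optional and what happens when it is absent, which the commit message gives as falling back to cnt, and should point at the section that defines the flags, e.g. with `.Sx "AUDIT POLICY FLAGS"`, since the abbreviated summary leaves the reader guessing at the accepted values.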
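Review bot: The closing recommendation in the AUDIT POLICY FLAGS hunk ("set the cnt flag but not ahlt") states only the ahlt side of the trade-off; it should also spell out that with cnt set, events occurring while the audit store is full are not recorded at all, and that with neither flag set processes suspend, which the cnt text above it calls unrecoverable, so an administrator sees all three outcomes in one place before choosing. Two wording points in the same hunk: "but not the ahlt flag", and "environment variable arguments" rather than "environmental variable arguments" under arge.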
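Review bot: The added DEFAULT text in the fourth hunk ends in a dangling fragment: after "processes when the audit store fills." the line "+will be audited." has no subject and will render as a stray sentence. Drop that line so the paragraph ends with the three lines "parameter specifies that the system should neither fail stop nor suspend / processes when the audit store fills.", or, if it was meant to continue the preceding sentence about login/logout events, move it there.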
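Review bot: The auditon.2 hunk correctly renames af_filesz to af_currsz, but keeps `.Ft` for it; `.Ft` is the mdoc macro for function return types, and a structure member should be marked with `.Va` (or `.Fa`, as section 2 pages commonly do for struct fields), so while touching this line change `-.Ft af_filesz` / `+.Ft af_currsz` to `.Va af_currsz`.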