author | rwatson <rwatson@FreeBSD.org> | 2006-02-02 10:32:27 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2006-02-02 10:32:27 +0000 |
commit | 53c68f87c6fdd2a8028cd9e0ad579ba47418f6db (patch) | |
tree | b47ff31b0ba52849d8ddf9c4428be66cba065944 /share/man/man4/audit.4 | |
parent | eb02f34f2c48ec83e8e3f501816203f53fe3f8bd (diff) | |
Add audit.4 man page, providing basic documentation for configuring the
kernel audit facility, warnings about the experimental nature of this
implementation, and pointers at a large number of other audit related
man pages.
Obtained from: TrustedBSD Project
Diffstat (limited to 'share/man/man4/audit.4')
-rw-r--r-- | share/man/man4/audit.4 | 114 |
1 files changed, 114 insertions, 0 deletions
diff --git a/share/man/man4/audit.4 b/share/man/man4/audit.4 new file mode 100644 index 0000000..85d5e68 --- /dev/null +++ b/share/man/man4/audit.4 
@@ -0,0 +1,114 @@ +.\" Copyright (c) 2006 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd February 2, 2006 +.Os +.Dt AUDIT 4 +.Sh NAME +.Nm audit +.Nd Security Event Audit +.Sh SYNOPSIS +.Cd "options AUDIT" +.Sh DESCRIPTION +Security Event Audit is a facility to provide fine-grained, configurable +logging of security-relevant events, and is intended to meet the requirements +of the Common Criteria (CC) Common Access Protection Profile (CAPP) +evaluation. +The +.Fx +audit facility implements the de facto industry standard BSM API, file +formats, and command line interface, first found in the Solaris operating +system. 
+Information on the user space implementation can be found in +.Xr libbsm 3 +man page. +.Pp +Audit support is enabled at boot, if present in the kernel, using an +.Xr rc.conf 5 +flag. +The audit daemon, +.Xr auditd 8 , +is responsible for configuring the kernel to perform audit, pushing +configuration data from the various audit configuration files into the +kernel. +.Sh SEE ALSO +.Xr auditreduce 1 , +.Xr praudit 1 , +.Xr audit 2 , +.Xr auditctl 2 , +.Xr auditon 2 , +.Xr getaudit 2 , +.Xr getauid 2 , +.Xr setaudit 2 , +.Xr setauid 2 , +.Xr libbsm 3 , +.Xr audit.log 5 , +.Xr audit_class 5 , +.Xr audit_control 5 , +.Xr audit_event 5 , +.Xr audit_user 5 , +.Xr audit_warn 5 , +.Xr event_code 5 , +.Xr rc.conf 5 , +.Xr audit 8 , +.Xr auditd 8 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Pp +This manual page was written by +.An Robert Watson Aq rwatson@FreeBSD.org . +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. +.Pp +Support for kernel audit first appeared in +.Fx 6.1 . +.Sh BUGS +The audit facility in +.Fx +is considered experimental, and production deployment should occur only after +careful consideration of the risks of deploying experimental software. +.Pp +The +.Fx +kernel does not fully validate that audit records submitted by user +applications are syntactically valid BSM; as submission of records is limited +to privileged processes, this is not a critical bug. 
+.Pp +Instrumentation of auditable events in the kernel is not complete, as some +system calls do not generate audit records, or generate audit records with +incomplete argument information. +.Pp +Mandatory Access Control (MAC) labels, as provided by the +.Xr mac 4 +facility, are not audited as part of records involving MAC decisions. |
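Review bot: In DESCRIPTION, CAPP is expanded as "Common Access Protection Profile", but the Common Criteria profile is the Controlled Access Protection Profile; correct the expansion. The second DESCRIPTION paragraph says audit is enabled "using an rc.conf(5) flag" without naming the flag, so an administrator cannot act on the sentence; name the variable there. "can be found in .Xr libbsm 3 man page" needs "the" before the cross-reference. In BUGS, the statement that unvalidated user-submitted records are "not a critical bug" rests entirely on submission being limited to privileged processes; name the system call used for submission and the privilege it requires (SEE ALSO already lists audit(2)), so the boundary the argument depends on is documented rather than implied. HISTORY reads circularly (the OpenBSM implementation adopted as the foundation for the OpenBSM distribution) and describes McAfee Research as the "security division" where AUTHORS says "security research division"; align the two sections.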