16.4 Audit Configuration

All configuration files for security audit are found in /etc/security. The following files must be present before the audit daemon is started:

16.4.1 Audit File Syntax

The configuration file syntax is rather arcane, albeit easy to work with. One thing an administrator must be leery about is overriding system defaults. This could create potential openings for audit data to not be collected properly.

The audit subsystem will accept both the short name and long name with regards to configuration syntax. A syntax map has been included below.

The following list contains all supported audit classes:

Following is a list of all supported audit prefixes:

Warning: Using the all class with either the positive or negative prefix can generate a large amount of data at an extremely rapid rate.

Extra prefixes used to modify the default configuration values:

16.4.2 Configuration Files

In most cases, administrators will need to modify only two files when configuring the audit system: audit_control and audit_user. The first controls system-wide audit paramaters and defaults for both attributable and non-attributable events. The second may be used to tune the level and nature of auditing for individual users.

16.4.2.1 The audit_control File

The audit_control file contains some basic defaults that the administrator may wish to modify. Perhaps even set some new ones. Viewing the contents of this file, we see the following:

dir:/var/audit
flags:lo
minfree:20
naflags:lo

The dir option is used to set the default directory where audit logs are stored. Audit is frequently configured so that audit logs are stored on a dedicated file system, so as to prevent interference between the audit subsystem and other subsystems when file systems become full.

The flags option is used to set the system-wide defaults. The current setting, lo configures the auditing of all login(1) and logout(1) actions. A more complex example, lo,ad,-all,^-fa,^-fc,^-cl audits all system login(1) and logout(1) actions, all administrator actions, all failed events in the system, and finally disables auditing of failed attempts for fa, fc, and cl. Even though the -all turned on the auditing of all failed attempts, the ^- prefix will override that for the latter options.

Notice that the previous paragraph shows the file is read from left to right. As such, values further on the right side may override a previous value specified to its left.

The minfree option defines the minimum percentage of free space for audit file systems. This relates to the file system where audit logs are stored. For example, if the dir specifies /var/audit and minfree is set to twenty (20), warning messages will be generated when the /var file system grows to eighty (80) percent full.

The naflags option specifies audit classes to be audited for non-attributed events -- that is, events for which there is no authenticated user.

16.4.2.2 The audit_user File

The audit_user file permits the administrator to determine which classes of audit events should be logged for which system users.

The following is the defaults currently placed in the audit_user file:

root:lo:no
audit:fc:no

Notice how the default is to audit all cases of login/logout and disable auditing of all other actions for root. This configuration also audits all file creation and disables all other auditing for the audit user. While event auditing does not require a special user exist, some configurations, specifically environments making use of MAC, may require it.

This, and other documents, can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.

For questions about FreeBSD, read the documentation before contacting <[email protected]>.
For questions about this documentation, e-mail <[email protected]>.