17.4 Audit Configuration

All configuration files for security audit are found in /etc/security. The following files must be present before the audit daemon is started:

Warning: Audit configuration files should be edited and maintained carefully, as errors in configuration may result in improper logging of events.

17.4.1 Event Selection Expressions

Selection expressions are used in a number of places in the audit configuration to determine which events should be audited. Expressions contain a list of event classes to match, each with a prefix indicating whether matching records should be accepted or ignored, and optionally to indicate if the entry is intended to match successful or failed operations. Selection expressions are evaluated from left to right, and two expressions are combined by appending one onto the other.

The following list contains the default audit event classes present in audit_class:

These audit event classes may be customized by modifying the audit_class and audit_event configuration files.

Each audit class in the list is combined with a prefix indicating whether successful/failed operations are matched, and whether the entry is adding or removing matching for the class and type.

The following example selection string selects both successful and failed login/logout events, but only successful execution events:

lo,+ex

17.4.2 Configuration Files

In most cases, administrators will need to modify only two files when configuring the audit system: audit_control and audit_user. The first controls system-wide audit properties and policies; the second may be used to fine-tune auditing by user.

17.4.2.1 The audit_control File

The audit_control file specifies a number of defaults for the audit subsystem. Viewing the contents of this file, we see the following:

dir:/var/audit
flags:lo
minfree:20
naflags:lo
policy:cnt
filesz:0

The dir option is used to set one or more directories where audit logs will be stored. If more than one directory entry appears, they will be used in order as they fill. It is common to configure audit so that audit logs are stored on a dedicated file system, in order to prevent interference between the audit subsystem and other subsystems if the file system fills.

The flags field sets the system-wide default preselection mask for attributable events. In the example above, successful and failed login and logout events are audited for all users.

The minfree option defines the minimum percentage of free space for the file system where the audit trail is stored. When this threshold is exceeded, a warning will be generated. The above example sets the minimum free space to twenty percent.

The naflags option specifies audit classes to be audited for non-attributed events, such as the login process and system daemons.

The policy option specifies a comma-separated list of policy flags controlling various aspects of audit behavior. The default cnt flag indicates that the system should continue running despite an auditing failure (this flag is highly recommended). Another commonly used flag is argv, which causes command line arguments to the execve(2) system call to be audited as part of command execution.

The filesz option specifies the maximum size in bytes to allow an audit trail file to grow to before automatically terminating and rotating the trail file. The default, 0, disables automatic log rotation. If the requested file size is non-zero and below the minimum 512k, it will be ignored and a log message will be generated.

17.4.2.2 The audit_user File

The audit_user file permits the administrator to specify further audit requirements for specific users. Each line configures auditing for a user via two fields: the first is the alwaysaudit field, which specifies a set of events that should always be audited for the user, and the second is the neveraudit field, which specifies a set of events that should never be audited for the user.

The following example audit_user file audits login/logout events and successful command execution for the root user, and audits file creation and successful command execution for the www user. If used with the example audit_control file above, the lo entry for root is redundant, and login/logout events will also be audited for the www user.

root:lo,+ex:no
www:fc,+ex:no