Diffstat (limited to 'static/freebsd/man4/audit.4 3.html')
| -rw-r--r-- | static/freebsd/man4/audit.4 3.html | 122 |
1 files changed, 122 insertions, 0 deletions
diff --git a/static/freebsd/man4/audit.4 3.html b/static/freebsd/man4/audit.4 3.html new file mode 100644 index 00000000..7ef98101 --- /dev/null +++ b/static/freebsd/man4/audit.4 3.html 
@@ -0,0 +1,122 @@ +<table class="head"> + <tr> + <td class="head-ltitle">AUDIT(4)</td> + <td class="head-vol">Device Drivers Manual</td> + <td class="head-rtitle">AUDIT(4)</td> + </tr> +</table> +<div class="manual-text"> +<section class="Sh"> +<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1> +<p class="Pp"><code class="Nm">audit</code> — <span class="Nd">Security + Event Audit</span></p> +</section> +<section class="Sh"> +<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1> +<p class="Pp"><code class="Cd">options AUDIT</code></p> +</section> +<section class="Sh"> +<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1> +<p class="Pp">Security Event Audit is a facility to provide fine-grained, + configurable logging of security-relevant events, and is intended to meet + the requirements of the Common Criteria (CC) Common Access Protection + Profile (CAPP) evaluation. The <span class="Ux">FreeBSD</span> + <code class="Nm">audit</code> facility implements the de facto industry + standard BSM API, file formats, and command line interface, first found in + the Solaris operating system. Information on the user space implementation + can be found in <a class="Xr">libbsm(3)</a>.</p> +<p class="Pp">Audit support is enabled at boot, if present in the kernel, using + an <a class="Xr">rc.conf(5)</a> flag. 
The audit daemon, + <a class="Xr">auditd(8)</a>, is responsible for configuring the kernel to + perform <code class="Nm">audit</code>, pushing configuration data from the + various audit configuration files into the kernel.</p> +<section class="Ss"> +<h2 class="Ss" id="Audit_Special_Device"><a class="permalink" href="#Audit_Special_Device">Audit + Special Device</a></h2> +<p class="Pp">The kernel <code class="Nm">audit</code> facility provides a + special device, <span class="Pa">/dev/audit</span>, which is used by + <a class="Xr">auditd(8)</a> to monitor for <code class="Nm">audit</code> + events, such as requests to cycle the log, low disk space conditions, and + requests to terminate auditing. This device is not intended for use by + applications.</p> +</section> +<section class="Ss"> +<h2 class="Ss" id="Audit_Pipe_Special_Devices"><a class="permalink" href="#Audit_Pipe_Special_Devices">Audit + Pipe Special Devices</a></h2> +<p class="Pp">Audit pipe special devices, discussed in + <a class="Xr">auditpipe(4)</a>, provide a configurable live tracking + mechanism to allow applications to tee the audit trail, as well as to + configure custom preselection parameters to track users and events in a + fine-grained manner.</p> +</section> +<section class="Ss"> +<h2 class="Ss" id="DTrace_Audit_Provider"><a class="permalink" href="#DTrace_Audit_Provider">DTrace + Audit Provider</a></h2> +<p class="Pp">The DTrace Audit Provider, <a class="Xr">dtaudit(4)</a>, allows D + scripts to enable capture of in-kernel audit records for kernel audit event + types, and then process their contents during audit commit or BSM + generation.</p> +</section> +</section> +<section class="Sh"> +<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE + ALSO</a></h1> +<p class="Pp"><a class="Xr">auditreduce(1)</a>, <a class="Xr">praudit(1)</a>, + <a class="Xr">audit(2)</a>, <a class="Xr">auditctl(2)</a>, + <a class="Xr">auditon(2)</a>, <a class="Xr">getaudit(2)</a>, + <a 
class="Xr">getauid(2)</a>, <a class="Xr">poll(2)</a>, + <a class="Xr">select(2)</a>, <a class="Xr">setaudit(2)</a>, + <a class="Xr">setauid(2)</a>, <a class="Xr">libbsm(3)</a>, + <a class="Xr">auditpipe(4)</a>, <a class="Xr">dtaudit(4)</a>, + <a class="Xr">audit.log(5)</a>, <a class="Xr">audit_class(5)</a>, + <a class="Xr">audit_control(5)</a>, <a class="Xr">audit_event(5)</a>, + <a class="Xr">audit_user(5)</a>, <a class="Xr">audit_warn(5)</a>, + <a class="Xr">rc.conf(5)</a>, <a class="Xr">audit(8)</a>, + <a class="Xr">auditd(8)</a>, <a class="Xr">auditdistd(8)</a></p> +</section> +<section class="Sh"> +<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1> +<p class="Pp">The OpenBSM implementation was created by McAfee Research, the + security division of McAfee Inc., under contract to Apple Computer Inc. in + 2004. It was subsequently adopted by the TrustedBSD Project as the + foundation for the OpenBSM distribution.</p> +<p class="Pp">Support for kernel <code class="Nm">audit</code> first appeared in + <span class="Ux">FreeBSD 6.2</span>.</p> +</section> +<section class="Sh"> +<h1 class="Sh" id="AUTHORS"><a class="permalink" href="#AUTHORS">AUTHORS</a></h1> +<p class="Pp">This software was created by McAfee Research, the security + research division of McAfee, Inc., under contract to Apple Computer Inc. 
+ Additional authors include <span class="An">Wayne Salamon</span>, + <span class="An">Robert Watson</span>, and SPARTA Inc.</p> +<p class="Pp">The Basic Security Module (BSM) interface to audit records and + audit event stream format were defined by Sun Microsystems.</p> +<p class="Pp">This manual page was written by <span class="An">Robert + Watson</span> + <<a class="Mt" href="mailto:rwatson@FreeBSD.org">rwatson@FreeBSD.org</a>>.</p> +</section> +<section class="Sh"> +<h1 class="Sh" id="BUGS"><a class="permalink" href="#BUGS">BUGS</a></h1> +<p class="Pp">The <span class="Ux">FreeBSD</span> kernel does not fully validate + that audit records submitted by user applications are syntactically valid + BSM; as submission of records is limited to privileged processes, this is + not a critical bug.</p> +<p class="Pp">Instrumentation of auditable events in the kernel is not complete, + as some system calls do not generate audit records, or generate audit + records with incomplete argument information.</p> +<p class="Pp">Mandatory Access Control (MAC) labels, as provided by the + <a class="Xr">mac(4)</a> facility, are not audited as part of records + involving MAC decisions.</p> +<p class="Pp">Currently the <code class="Nm">audit</code> syscalls are not + supported for jailed processes. However, if a process has + <code class="Nm">audit</code> session state associated with it, audit + records will still be produced and a zonename token containing the jail's ID + or name will be present in the audit records.</p> +</section> +</div> +<table class="foot"> + <tr> + <td class="foot-date">April 28, 2019</td> + <td class="foot-os">FreeBSD 15.0</td> + </tr> +</table> |
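Review bot: The path in the `diff --git` header, `static/freebsd/man4/audit.4 3.html`, contains a space and a trailing ` 3`, which is the name a file manager gives to a duplicated file rather than a deliberate man page name. If `static/freebsd/man4/audit.4.html` is already in the tree, this 122-line addition is a redundant copy and should be dropped from the commit. If it is not, rename the file to `audit.4.html` so the page is reachable at the URL that section 4 cross-references would resolve to and so the path does not need `%20` escaping or shell quoting.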
