On Aug 16, 2007, at 1:54 PM, Todd Heberlein wrote:

Does anyone know how (or if it is possible) to automatically identify the name/path of the current BSM audit trail file on Mac OS X?
Sun's SunSHIELD documentation (Feb 2000) mentions the file /etc/security/audit_data includes the PID of the audit daemon and the current audit trail file being used, but Apple doesn't seem to support this.
Thanks,
Todd
Todd,
You won't see any PID for BSM on Mac OS X, but you will find the "auditd" process in the process list and it is *typically* ~ PID 28 (on 10.4), but that is not a guarantee. At boot time, Mac OS X launches multiple daemons under control, but does not guarantee in which order some processes are launched -- hence you will not always have an exact match between PID and services.
Audit Logs (by default) are placed at: /var/audit
The *current* audit log file name ends with ".not_terminated". When the log file is closed, the file name ending is changed to reflect the date/time of the final record as the first part of the name reflects the date/time of the first record.
This is all defined in the audit_control file:
/etc/security/audit_control
This is documented in the Common Criteria Admin Guide in Chapter 6 - "Mac OS X Auditing Administrator's Guide" starting on page 61.
On Page 68 it reads: You can use audit_control with the following parameters:
Parameter   Description
dir         The directory where audit log files are stored. There may be more than one of these entries. Changes to this entry can only be enacted by restarting the audit system. For more information on how to restart the audit system, see "audit" on page 63.
flags       Specifies which audit event classes are audited for all users. For more information on how to audit events for individual users, see "audit_user" on page 69.
naflags     Contains the audit flags that define what classes of events are audited when an action cannot be attributed to a specific user.
minfree     The minimum free space required in the directory audit logs are being written to. When the free space falls below this limit a warning will be issued.
....
Default
The following settings appear in the default audit_control file:
dir:/var/audit
flags:lo,ad,-all,^-fc,^-cl
minfree:20
naflags:lo
The flags parameter above specifies the system-wide mask corresponding to login/logout events, administrative events, and all failures except for failures in creating or closing files.
File Location
/etc/security/audit_control
-Shawn
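The procedure Shawn describes (read the `dir:` entries from /etc/security/audit_control, then look in each directory for the one trail whose name ends in `.not_terminated`) can be scripted. The following is an added example written for this thread, not code from either poster or from Apple; it assumes only the audit_control key:value format and the trail naming shown above, and it embeds a constructed sample config and directory listing so it runs offline. When run as a script on a Mac OS X host it will also try the real audit_control.

```python
"""Locate the current BSM audit trail on Mac OS X.

Added example, not code from the thread. It reads the 'dir:' entries from
/etc/security/audit_control (there may be several) and looks in each for the
one trail whose name ends in '.not_terminated', which is the file auditd is
still writing to. The sample inputs at the bottom are constructed for
offline use.
"""
import os
import re
from datetime import datetime

AUDIT_CONTROL = "/etc/security/audit_control"

# <start>.<end>, each stamp YYYYMMDDhhmmss; an open trail carries
# 'not_terminated' in place of the end stamp.
TRAIL_NAME = re.compile(r"^(\d{14})\.(\d{14}|not_terminated)$")
STAMP_FMT = "%Y%m%d%H%M%S"


def parse_audit_control(text):
    """Return (dirs, params) from audit_control text.

    'dir' may appear more than once, so it is collected as a list; every
    other key (flags, naflags, minfree, ...) is kept as a raw string.
    """
    dirs, params = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a malformed line rather than abort
        key, value = key.strip(), value.strip()
        if key == "dir":
            dirs.append(value)
        else:
            params[key] = value
    return dirs, params


def trail_span(name):
    """Decode a trail file name into (start, end) datetimes.

    end is None for the still-open '.not_terminated' trail. The name
    carries no timezone, so the values are naive datetimes.
    Raises ValueError for names that are not BSM trails.
    """
    m = TRAIL_NAME.match(name)
    if not m:
        raise ValueError("not a BSM trail name: %r" % name)
    start = datetime.strptime(m.group(1), STAMP_FMT)
    end = None
    if m.group(2) != "not_terminated":
        end = datetime.strptime(m.group(2), STAMP_FMT)
    return start, end


def find_current_trail(dirs, listdir=os.listdir):
    """Return the full path of the open trail, or None if none is open.

    listdir is injectable so the logic can be exercised on a constructed
    listing; it defaults to the real filesystem.
    """
    for d in dirs:
        try:
            names = listdir(d)
        except OSError:
            continue  # directory missing or unreadable: try the next one
        for name in sorted(names):
            if TRAIL_NAME.match(name) and name.endswith(".not_terminated"):
                return os.path.join(d, name)
    return None


# --- constructed sample data (mirrors the default audit_control above) ---
SAMPLE_AUDIT_CONTROL = """\
dir:/var/audit
flags:lo,ad,-all,^-fc,^-cl
minfree:20
naflags:lo
"""

SAMPLE_LISTING = {
    "/var/audit": [
        "20070815120000.20070816093000",  # closed trail: first/last record
        "20070816093000.not_terminated",  # open trail auditd is writing
        ".DS_Store",                       # noise that must be ignored
    ]
}


def demo():
    """Run against the sample data; returns the open trail's path."""
    dirs, _params = parse_audit_control(SAMPLE_AUDIT_CONTROL)
    return find_current_trail(dirs, lambda d: SAMPLE_LISTING[d])


if __name__ == "__main__":
    if os.path.exists(AUDIT_CONTROL):
        with open(AUDIT_CONTROL) as f:
            live_dirs, _ = parse_audit_control(f.read())
        print("live:", find_current_trail(live_dirs))
    print("sample:", demo())
```

Because auditd is not guaranteed a fixed PID, the script never looks at the process table; the `.not_terminated` suffix is the only stable indicator of which trail is open, and checking every `dir:` entry covers configurations with more than one audit directory.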