17.5. Event Audit Administration

Events written by the kernel audit subsystem cannot be altered or read in plain text. Data is stored and accessed in a method similar to that of ktrace(1) and kdump(1), that is, they may only be viewed by dumping them using the praudit command; audit trails may be reduced using the auditreduce command, which selects records from an audit trail based on properties of interest, such as the user, time of the event, and type of operation.

For example, the praudit utility will dump the entire contents of a specified audit log in plain text. To dump an audit log in its entirety, use:

# praudit /var/audit/AUDITFILE

Where AUDITFILE is the audit log of viewing choice. Since audit logs may contain enormous amounts of data, an administrator may prefer to select records for specific users. This is made possible with the following command, where trhodes is the user of choice:

# auditreduce -e trhodes /var/audit/AUDITFILE | praudit

This will select all audit records produced by the user trhodes stored in the AUDITFILE file.

There are several other options available for reading audit records, see the aforementioned command's manual pages for a more in depth explanation.

17.5.1. Rotating Audit Log Files

Due to log reliability requirements, audit trails are written to only by the kernel, and managed only by auditd. Administrators should not attempt to use newsyslog.conf(5) or other tools to directly rotate audit logs. Instead, the audit management tool should be used to shut down auditing, reconfigure the audit system, and perform log rotation. The following command causes the audit daemon to create a new audit log and signal the kernel to switch to using the new log. The old log will be terminated and renamed, at which point it may then be manipulated by the administrator.

# audit -n

警告:

If the auditd daemon is not currently running, the previous command will fail and an error message will be produced.

Adding the following line to /etc/crontab will force the rotation every twelve hours from cron(8):

*     */12       *       *       *       root    /usr/sbin/audit -n

The change will take effect once you have saved the new /etc/crontab.

17.5.2. Delegating Audit Review Rights

By default, only the root user has the right to read system audit logs. However, that right may be delegated to members of the audit group, as the audit directory and audit trail files are assigned to that group, and made group-readable. As the ability to track audit log contents provides significant insight into the behavior of users and processes, it is recommended that the delegation of audit review rights be performed with caution.

All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/

Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.