Apple’s Worldwide Developers Conference to kick off June 10 at 10 a.m. PDT with Keynote address

The Keynote will be available to stream on apple.com, the Apple Developer app, the Apple TV app, and the Apple YouTube channel. On-demand playback will be available after the conclusion of the stream.

You can make a difference in the Apple Support Community!

When you sign up with your Apple ID, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Cannoli Author

Level 1

0 points

File Auditing (auditd?) Question

I need to configure file access auditing on several systems. Some running 10.5 and others running 10.6. I need to be a able to loge failed attempts to access specific files and folders, such as /etc/passwd and /etc/shadow, /var/log/audit, etc. How is this performed in OS X?

Mac OS X (10.6.4)

Posted on Oct 11, 2010 10:16 AM

Best reply

baltwo

Level 9

62,362 points

Posted on Oct 11, 2010 12:26 PM

AFAIK, it's built-in. Run this in the Terminal app:

*sudo ls -Alh /var/audit/*

If not, check http://images.apple.com/support/security/guides/docs/SnowLeopardSecurity_Configv10.6.pdf which should cover everything you need.

View in context

7 replies

Best reply

baltwo

Level 9

62,362 points

Oct 11, 2010 12:26 PM in response to Cannoli

Cannoli Author

Level 1

0 points

Oct 15, 2010 12:40 PM in response to baltwo

Great link, thank you! I now see how to view the /var/audit files. A bit cumbersome but a step in the right direction.

Okay, this is what I need to do. I need to log failed attempts by ANY user when they try to perform something they don't have permissions to perform. For example, if a normal user tries to execute:

$ touch /etc/passwd

The permission denied message needs to be logged, along with the action they tried to perform along with the user name in the /var/audit file. How do I do this?

I understand I need to add events to:

/etc/security/audit_cntrol

But what event class? Basically the event class(es) needs to cover ALL failed commands.

Any ideas?

baltwo

Level 9

62,362 points

Oct 15, 2010 12:51 PM in response to Cannoli

Sorry, I can't help with that. If the security manual doesn't describe it, then check the manpages for the various commands.

BTW, IMO, too much big brother stuff going on here. 😉

Cannoli Author

Level 1

0 points

Oct 15, 2010 1:13 PM in response to baltwo

I didn't see anything specifically related to what I need to do in the document but there are hundreds of events that can be audited per the audit_events file.

Unfortunately what I need to do is part of the minimum requirements per the DoD guidelines for closed areas. I have it working like a charm on my Linux systems. OS X is proving to be much more challenging.

baltwo

Level 9

62,362 points

Oct 15, 2010 1:58 PM in response to Cannoli

Hmmm⁄ Been there, done that, but over fifteen years ago, so I'm not familiar with current protocols. I don't know what to tell you. If the security manual can't get you there, then maybe there's something in http://www.commoncriteriaportal.org/files/epfiles/0536a_pdf.pdf If not, contact the DoD reps responsible for the requirements. There's got to be simple ways to get this going, since so many are in the same boat. Good luck.

P.S. Check the manpages for audit_control and audit_user, for starters.

P.P.S. If you find a solution, please post it.

Oct 15, 2010 2:53 PM in response to Cannoli

You've said the magic words. Please talk to your site security officer. When working with your officer, additional materials are available [here|http://www.apple.com/support/security/guides> and [here|http://www.apple.com/business/solutions/it/government.html]; these are the current Apple and the US NSA materials for Mac OS X.

Oct 17, 2010 4:55 PM in response to Cannoli

You may also wish to join Apple's fed-talk mailing list.

File Auditing (auditd?) Question