
File Auditing (auditd?) Question

I need to configure file access auditing on several systems. Some running 10.5 and others running 10.6. I need to be able to log failed attempts to access specific files and folders, such as /etc/passwd and /etc/shadow, /var/log/audit, etc. How is this performed in OS X?

Mac OS X (10.6.4)

Posted on Oct 11, 2010 10:16 AM

Question marked as Best reply

Posted on Oct 11, 2010 12:26 PM

AFAIK, it's built-in. Run this in the Terminal app:

sudo ls -Alh /var/audit/

If not, check http://images.apple.com/support/security/guides/docs/SnowLeopardSecurity_Configv10.6.pdf which should cover everything you need.
7 replies

Oct 15, 2010 12:40 PM in response to baltwo

Great link, thank you! I now see how to view the /var/audit files. A bit cumbersome but a step in the right direction.

Okay, this is what I need to do. I need to log failed attempts by ANY user when they try to perform something they don't have permissions to perform. For example, if a normal user tries to execute:

$ touch /etc/passwd

The permission denied message needs to be logged, along with the action they tried to perform along with the user name in the /var/audit file. How do I do this?

I understand I need to add events to:

/etc/security/audit_control

But what event class? Basically the event class(es) needs to cover ALL failed commands.

Any ideas?

Oct 15, 2010 1:13 PM in response to baltwo

I didn't see anything specifically related to what I need to do in the document but there are hundreds of events that can be audited per the audit_events file.

Unfortunately what I need to do is part of the minimum requirements per the DoD guidelines for closed areas. I have it working like a charm on my Linux systems. OS X is proving to be much more challenging.

Oct 15, 2010 1:58 PM in response to Cannoli

Hmmm. Been there, done that, but over fifteen years ago, so I'm not familiar with current protocols. I don't know what to tell you. If the security manual can't get you there, then maybe there's something in http://www.commoncriteriaportal.org/files/epfiles/0536a_pdf.pdf If not, contact the DoD reps responsible for the requirements. There's got to be simple ways to get this going, since so many are in the same boat. Good luck.

P.S. Check the manpages for audit_control and audit_user, for starters.

P.P.S. If you find a solution, please post it.
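The thread stops short of the event classes and the trail-reading step. The following is an added example, not something posted in the thread or shipped by Apple; it assumes the OpenBSM audit system that Mac OS X 10.5/10.6 use (audit_control(5), audit(8), praudit(1), auditreduce(1)) and that the class names in /etc/security/audit_class are the standard OpenBSM ones. The first function prints an audit_control whose flags line selects failures only (a leading "-" on a class) for the file and exec classes, which is what catches a normal user's failed `touch /etc/passwd`; "-all" would do the same for every class at the cost of a much larger trail. The second function filters praudit's one-line-per-record output down to failed file operations, showing the audited user, the syscall and the path. The sample trail lines are constructed to resemble praudit -l output and are not records from a real system.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the OpenBSM audit system shipped
# with Mac OS X 10.5/10.6: audit_control(5), audit(8), praudit(1), auditreduce(1).

# 1. An audit_control that records FAILED file operations by every user.
#    Class names come from /etc/security/audit_class. A leading '-' selects
#    failures only, '+' successes only, no prefix both. lo/aa are kept so that
#    logins and authentication are still recorded. This only prints the file;
#    to install it:  sudo cp audit_control.example /etc/security/audit_control
#    then:           sudo audit -s     (auditd re-reads the configuration)
example_audit_control() {
  cat <<'EOF'
dir:/var/audit
flags:lo,aa,-fr,-fw,-fa,-fm,-fc,-fd,-ex
minfree:20
naflags:lo,aa
policy:cnt
filesz:0
EOF
}

# 2. Pull failed file accesses out of a trail. Feed it the one-line-per-record
#    form of praudit, e.g.:   sudo praudit -l /var/audit/*.not_terminated
#    or, for one user:        sudo auditreduce -u bob /var/audit/* | praudit -l
#    Output: audit-user  syscall  path  error, one line per failed record.
failed_file_records() {
  awk -F',' '
  {
    ev = ""; user = ""; path = ""; err = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "header") ev = $(i + 3)                 # name follows count,version
      else if ($i == "path" && path == "") path = $(i + 1)
      else if ($i == "subject") user = $(i + 1)         # audit uid: the real login
      else if ($i == "return" && $(i + 1) ~ /^failure/) err = $(i + 1)
    }
    if (err != "" && path != "") print user "\t" ev "\t" path "\t" err
  }'
}

# Constructed sample of praudit -l output (NOT a real trail): user bob running
# "touch /etc/passwd" (utimes fails), a failed open of /etc/master.passwd, and
# a successful read of /etc/passwd that must not be reported.
SAMPLE_TRAIL='header,125,11,utimes(2),0,Fri Oct 15 12:40:01 2010, + 412 msec,path,/etc/passwd,attribute,100644,root,wheel,16777218,12345,0,subject,bob,bob,staff,bob,staff,4321,100002,50331650,0.0.0.0,return,failure : Operation not permitted,-1,trailer,125
header,131,11,open(2) - read,0,Fri Oct 15 12:40:02 2010, + 17 msec,path,/etc/master.passwd,attribute,100600,root,wheel,16777218,12346,0,subject,bob,bob,staff,bob,staff,4322,100002,50331650,0.0.0.0,return,failure : Permission denied,-1,trailer,131
header,120,11,open(2) - read,0,Fri Oct 15 12:40:03 2010, + 90 msec,path,/etc/passwd,attribute,100644,root,wheel,16777218,12345,0,subject,bob,bob,staff,bob,staff,4323,100002,50331650,0.0.0.0,return,success,3,trailer,120'

# Number of failed records found in the sample (expected: 2 of the 3 lines).
count_failed_in_sample() {
  printf '%s\n' "$SAMPLE_TRAIL" | failed_file_records | awk 'END { print NR }'
}

# Stand-alone run: "sh thisfile.sh demo" prints the config, then the failures.
if [ "${1:-}" = "demo" ]; then
  example_audit_control
  printf '%s\n' "$SAMPLE_TRAIL" | failed_file_records
fi
```

The audit uid (first field of the subject token) is the one to report: it stays the original login even after su or sudo, which is what a "who tried what" requirement needs. Note that on a real 10.6 system the path token will usually read /private/etc/passwd because /etc is a symlink, so match on the tail of the path rather than the literal string.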
