Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: Cannoli
Cannoli Author
User level: Level 1
0 points

File Auditing (auditd?) Question

I need to configure file access auditing on several systems. Some running 10.5 and others running 10.6. I need to be a able to loge failed attempts to access specific files and folders, such as /etc/passwd and /etc/shadow, /var/log/audit, etc. How is this performed in OS X?

Mac OS X (10.6.4)

Posted on Oct 11, 2010 10:16 AM

Reply
Question marked as Best reply
User profile for user: baltwo
baltwo
User level: Level 9
62,362 points

Posted on Oct 11, 2010 12:26 PM

AFAIK, it's built-in. Run this in the Terminal app:

*sudo ls -Alh /var/audit/*

If not, check http://images.apple.com/support/security/guides/docs/SnowLeopardSecurity_Configv10.6.pdf which should cover everything you need.
View in context
7 replies
User profile for user: Cannoli
Cannoli Author
User level: Level 1
0 points

Oct 15, 2010 12:40 PM in response to baltwo

Great link, thank you! I now see how to view the /var/audit files. A bit cumbersome but a step in the right direction.

Okay, this is what I need to do. I need to log failed attempts by ANY user when they try to perform something they don't have permissions to perform. For example, if a normal user tries to execute:

$ touch /etc/passwd

The permission denied message needs to be logged, along with the action they tried to perform along with the user name in the /var/audit file. How do I do this?

I understand I need to add events to:

/etc/security/audit_cntrol

But what event class? Basically the event class(es) needs to cover ALL failed commands.

Any ideas?
Reply
User profile for user: Cannoli
Cannoli Author
User level: Level 1
0 points

Oct 15, 2010 1:13 PM in response to baltwo

I didn't see anything specifically related to what I need to do in the document but there are hundreds of events that can be audited per the audit_events file.

Unfortunately what I need to do is part of the minimum requirements per the DoD guidelines for closed areas. I have it working like a charm on my Linux systems. OS X is proving to be much more challenging.
Reply
User profile for user: baltwo
baltwo
User level: Level 9
62,362 points

Oct 15, 2010 1:58 PM in response to Cannoli

Hmmm⁄ Been there, done that, but over fifteen years ago, so I'm not familiar with current protocols. I don't know what to tell you. If the security manual can't get you there, then maybe there's something in http://www.commoncriteriaportal.org/files/epfiles/0536a_pdf.pdf If not, contact the DoD reps responsible for the requirements. There's got to be simple ways to get this going, since so many are in the same boat. Good luck.

P.S. Check the manpages for audit_control and audit_user, for starters.

P.P.S. If you find a solution, please post it.
Reply

File Auditing (auditd?) Question

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up