This is an archive of past FreeBSD releases; it's part of the FreeBSD Documentation Archive.

16.4. Audit Configuration

16.4. Audit Configuration

All configuration files for security audit are found in /etc/security. The following files must be present before the audit daemon is started:

16.4.1. Audit File Syntax

The configuration file syntax is rather arcane, albeit easy to work with. One thing an administrator must be leery about is overriding system defaults. This could create potential openings for audit data to not be collected properly.

The audit subsystem will accept both the short name and long name with regards to configuration syntax. A syntax map has been included below.

The following list contains all supported audit classes:

  • all - all - All audit flags set.

  • ad - administrative - Administrative actions performed on the system as a whole.

  • ap - application - Application defined action.

  • cl - file_close - Audit calls to the close system call.

  • ex - exec - Audit program or utility execution.

  • fa - file_attr_acc - Audit the access of object attributes such as stat(1), pathconf(2) and similar events.

  • fc - file_creation - Audit events where a file is created as a result.

  • fd - file_deletion - Audit events where file deletion occurs.

  • fm - file_attr_mod - Audit events where file attribute modification occurs, such as chown(8), chflags(1), flock(2), etc.

  • fr - file_read - Audit events in which data is read, files are opened for reading, etc.

  • fw - file_write - Audit events in which data is written, files are written or modified, etc.

  • io - ioctl - Audit use of the ioctl(2) system call.

  • ip - ipc - Audit various forms of Inter-Process Communication, including POSIX pipes and System V IPC operations.

  • lo - login_logout - Audit login(1) and logout(1) events occurring on the system.

  • na - non_attrib - Audit non-attributable events.

  • no - no_class - Null class used to disable event auditing.

  • nt - network - Audit events related to network actions, such as connect(2) and accept(2).

  • ot - other - Audit miscellaneous events.

  • pc - process - Audit process operations, such as exec(3) and exit(3).

Following is a list of all supported audit prefixes:

  • none - Audit both the success or failure of an event. For example, just listing a class will result in the auditing of both success and failure.

  • + - Audit successful events only.

  • - - Audit failed events only.


Using the all class with either the positive or negative prefix can generate a large amount of data at an extremely rapid rate.

Extra prefixes used to modify the default configuration values:

  • ^- - Disable auditing of failed events.

  • ^+ - Enable auditing of successful events.

  • ^ - Disable auditing of both successful and failed events.

16.4.2. Configuration Files

In most cases, administrators will need to modify only two files when configuring the audit system: audit_control and audit_user. The first controls system-wide audit paramaters and defaults for both attributable and non-attributable events. The second may be used to tune the level and nature of auditing for individual users. The audit_control File

The audit_control file contains some basic defaults that the administrator may wish to modify. Perhaps even set some new ones. Viewing the contents of this file, we see the following:


The dir option is used to set the default directory where audit logs are stored. Audit is frequently configured so that audit logs are stored on a dedicated file system, so as to prevent interference between the audit subsystem and other subsystems when file systems become full.

The flags option is used to set the system-wide defaults. The current setting, lo configures the auditing of all login(1) and logout(1) actions. A more complex example, lo,ad,-all,^-fa,^-fc,^-cl audits all system login(1) and logout(1) actions, all administrator actions, all failed events in the system, and finally disables auditing of failed attempts for fa, fc, and cl. Even though the -all turned on the auditing of all failed attempts, the ^- prefix will override that for the latter options.

Notice that the previous paragraph shows the file is read from left to right. As such, values further on the right side may override a previous value specified to its left.

The minfree option defines the minimum percentage of free space for audit file systems. This relates to the file system where audit logs are stored. For example, if the dir specifies /var/audit and minfree is set to twenty (20), warning messages will be generated when the /var file system grows to eighty (80) percent full.

The naflags option specifies audit classes to be audited for non-attributed events - that is, events for which there is no authenticated user. The audit_user File

The audit_user file permits the administrator to determine which classes of audit events should be logged for which system users.

The following is the defaults currently placed in the audit_user file:


Notice how the default is to audit all cases of login/logout and disable auditing of all other actions for root. This configuration also audits all file creation and disables all other auditing for the audit user. While event auditing does not require a special user exist, some configurations, specifically environments making use of MAC, may require it.

All FreeBSD documents are available for download at

Questions that are not answered by the documentation may be sent to <>.
Send questions about this document to <>.