Audit Configurations
The BSM audit system is turned on by default in the Mac operating system (starting with Snow Leopard). Unfortunately, it is configured to record the bare minimum of information. To make your auditing system useful, you must tell the operating system to collect more information. The primary file on your computer that controls the auditing system is:
You need to be running with root privilege to even look at this file. For a detailed description of the different fields in this file, look at Apple's manual page. From the Terminal program, enter the command:
$ man audit_control
BSM is highly configurable, and there are many configurations that can help BSM produce useful information. To get you started, we have provided a suggested audit_control file. Simply download the file from the Download menu:
Download −> Audit configurations −> Suggested
Now use the Terminal program to install the suggested audit_control file and tell the auditing facility to use the new file. (We also recommend you back up your original audit_control file.)
$ sudo cp /etc/security/audit_control audit_control.backup
$ sudo cp suggested_audit_control /etc/security/audit_control
$ sudo audit -s
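Before copying a replacement into place, it helps to see exactly which audit classes and policy options it adds. The script below is an added example, not part of the original page or the downloadable file: ac_value and ac_added are hypothetical helper names, and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: show what an audit_control replacement would change.

# Print the value of one key (flags, naflags, policy, ...) from an
# audit_control file; comment lines are skipped, the last entry wins.
ac_value() {  # usage: ac_value FILE KEY
    awk -F: -v key="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        $1 == key { sub(/^[^:]*:/, ""); gsub(/[ \t]/, ""); v = $0 }
        END { print v }' "$1"
}

# List the comma-separated entries of KEY that NEW has and OLD lacks.
ac_added() {  # usage: ac_added OLD NEW KEY
    old=",$(ac_value "$1" "$3"),"
    ac_value "$2" "$3" | tr ',' '\n' | while read -r item; do
        [ -n "$item" ] || continue
        case "$old" in
            *",$item,"*) ;;
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# Constructed sample files (NOT the site's suggested file).
tmp=$(mktemp -d)
cat > "$tmp/current" <<'EOF'
# constructed: minimal configuration
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
EOF
cat > "$tmp/suggested" <<'EOF'
# constructed: broader configuration
dir:/var/audit
flags:lo,aa,ad,pc,ex
minfree:5
naflags:lo,aa
policy:cnt,argv,arge
EOF

for key in flags naflags policy; do
    added=$(ac_added "$tmp/current" "$tmp/suggested" "$key" | tr '\n' ' ')
    printf '%-8s added: %s\n' "$key" "${added:-(none)}"
done
```

On a real system, run the functions under sudo against /etc/security/audit_control and suggested_audit_control; swapping the two file arguments lists entries the replacement would drop.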
Video tutorial available at: Configure audit_control

