Configuring Your Audit Trails
Before you can analyze a detailed audit trail of your computer's activities, you need to direct your auditing system to collect detailed records. The primary file that controls auditing on your computer is /etc/security/audit_control. You will need to modify (or replace) this file.
Backup Your Current File
The first thing you should do is back up your current audit_control file. For example, from the Terminal app, issue a command like:
$ sudo cp /etc/security/audit_control audit_control.backup
Next, take one of the two following paths:
- Download and install sample configuration file
- Manually edit the audit trail file
Approach 1: Download Sample Configuration File
We provide a suggested audit_control file. Simply download the file that matches your operating system from the Download menu:
Download −> Audit configurations −> Snow Leopard
Download −> Audit configurations −> Lion
Now use the Terminal program to install the suggested audit_control file (the section "Use the New Audit File" below covers telling the auditing facility to load it):
$ sudo cp suggested_audit_control /etc/security/audit_control
Approach 2: Manually Edit Configuration File
If you are unable to or prefer not to download and use the audit configuration file from the Downloads menu, you can edit the audit_control file manually.
Because this file is protected, you will need root privileges to make these changes. Below we show how to do this from the Terminal application using the vi text editor (a fairly old-school editor):
$ sudo vi /etc/security/audit_control
In the editor you need to change four lines: two that control what is recorded in the audit trail (flags and naflags) and two that manage the audit trail files (filesz and expire-after). Change the values to:
For more information on the audit_control file format, from a Terminal window type:
$ man audit_control
Use the New Audit File
The final step is to have the auditing system use the new audit_control file. You can do this in two ways. First, you can reboot your system. If rebooting isn't a problem, this is your best approach because all processes will pick up the new audit configuration.
If you don't want to reboot your machine, you can tell the auditing daemon to re-read the audit configuration file using the audit command (see below). The drawback of this approach is that already-running processes will not inherit the new audit configuration.
$ sudo audit -s
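The manual-edit path above (back up the file, change the four keys, verify, then reload) can be scripted. The following is an added example written for this page, not a script the page or Apple provides. It assumes only the audit_control format the man page documents (one key:value per line, '#' comments) and takes the four values as parameters, since the page's own suggested values are not reproduced here; the sample file it writes is constructed for demonstration and is not the page's suggested configuration. Run apply_all as root against /etc/security/audit_control, then reload with `sudo audit -s` (or reboot) exactly as described above.

```shell
#!/bin/sh
# Added example (not part of the original page): update keys in an
# audit_control-format file in place, keep a timestamped backup, and
# verify the four keys the page says to change are present.
# File paths and values are parameters or constructed samples.

# set_audit_key FILE KEY VALUE
# Replace the "KEY:..." line in FILE with "KEY:VALUE"; append it if the
# key is absent. Comment lines are left untouched. Values containing
# '|' or '&' are not handled (sed replacement syntax).
set_audit_key() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    if grep -q "^$key:" "$file"; then
        # sed into a temp file is portable across BSD (macOS) and GNU sed
        sed "s|^$key:.*|$key:$value|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s:%s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_audit_key FILE KEY -> prints the value (text after the first colon)
get_audit_key() {
    grep "^$2:" "$1" | head -n 1 | cut -d: -f2-
}

# backup_audit_control FILE -> copies FILE to FILE.backup.<epoch>, prints the path
backup_audit_control() {
    dest="$1.backup.$(date +%s)"
    cp "$1" "$dest" && printf '%s\n' "$dest"
}

# check_audit_control FILE -> 0 only if flags, naflags, filesz and
# expire-after are all present and non-empty
check_audit_control() {
    for k in flags naflags filesz expire-after; do
        v=$(get_audit_key "$1" "$k")
        [ -n "$v" ] || { echo "missing or empty key: $k" >&2; return 1; }
    done
    return 0
}

# apply_all FILE FLAGS NAFLAGS FILESZ EXPIRE_AFTER
# Back up FILE, set the four keys to the caller's values, then verify.
apply_all() {
    file=$1
    backup_audit_control "$file" >/dev/null || return 1
    set_audit_key "$file" flags "$2"
    set_audit_key "$file" naflags "$3"
    set_audit_key "$file" filesz "$4"
    set_audit_key "$file" expire-after "$5"
    check_audit_control "$file"
}

# make_sample_audit_control FILE: write a constructed sample in the
# key:value layout (illustrative values only; expire-after deliberately
# omitted so the append path is exercised)
make_sample_audit_control() {
    cat > "$1" <<'EOF'
#
# constructed sample audit_control for demonstration
#
dir:/var/audit
flags:lo
minfree:20
naflags:lo
policy:cnt
filesz:0
EOF
}

# Usage on a real system (as root), with your chosen values:
#   apply_all /etc/security/audit_control "<flags>" "<naflags>" "<filesz>" "<expire-after>"
#   audit -s
```

check_audit_control is deliberately run before `audit -s`: the daemon reloads whatever is in the file, so a missing or empty key is easier to catch here than in the resulting trail.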