Audit Configuration Packages

This article describes what our audit control installer packages do, and what you can do if something goes wrong.

Introduction

Apple's BSM audit system is controlled by 5 files in the /etc/security directory:

  • audit_class
  • audit_control
  • audit_event
  • audit_user
  • audit_warn

Apple provides a manual page for each of these files. To read one, open a Terminal window and enter "man" followed by the file name. For example:

$ man audit_class

The audit_control file is the primary file you can change to control what audit data is collected. To help you jump right in, however, we have created multiple packages that will automatically install a new audit_control file that will increase the default auditing level for your computer.

What the installer packages do

The figure below summarizes what each audit package does. In short, each package takes four steps:

  1. It makes a backup of the current audit_control file (audit_control_previous)
  2. It installs a new audit_control file
  3. It installs a second copy of the original audit_control file (orig_apple_audit_control) as an emergency backup
  4. It installs the rollback_audit_config.sh script, which rolls back to a previous audit_control file in case of an emergency

The files

  • audit_control_previous
  • orig_apple_audit_control
  • rollback_audit_config.sh

are only used for emergency recovery.

Emergency rollback

We have been running high levels of auditing on our machines since Mac OS 10.3 (Panther!) and have kept doing so through 10.4, 10.5, 10.6, 10.7, 10.8, and now 10.9 Mavericks. While we haven't had any problems on our primary machines, we have heard from some people that their machines froze after turning on high-level auditing. This is why we've added the emergency recovery files to the installer.

If you have problems, follow these steps:

  1. Restart your machine in single user mode by immediately pressing and holding command-S.  (If your machine is hanging, you may need to hold the power button for several seconds)
  2. As soon as your machine finishes booting, run the rollback_audit_config.sh command:
# /etc/security/rollback_audit_config.sh

This command will replace the current audit_control file with the audit_control_previous file. It will then ask if you want to reboot (which you probably should). Everything should return to the way it was before.
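The rollback logic described above, written out as an added illustration (this is not the packaged rollback_audit_config.sh). It assumes the file names from this article, takes the directory as an argument so it can be exercised outside /etc/security, and refuses to touch anything if the saved copy is missing or the directory is still read-only:

```shell
#!/bin/sh
# Illustration of the rollback step: copy a saved audit_control back over the
# live one, keep the replaced file, then offer to reboot.

# rollback_audit_config [DIR] [BACKUP_NAME]
# Copies DIR/BACKUP_NAME over DIR/audit_control. Returns non-zero and changes
# nothing if the backup is missing or empty, or if DIR is not writable.
rollback_audit_config() {
    dir=${1:-/etc/security}
    backup=${2:-audit_control_previous}   # or orig_apple_audit_control
    live="$dir/audit_control"
    src="$dir/$backup"

    if [ ! -s "$src" ]; then
        echo "rollback: $src is missing or empty; nothing changed" >&2
        return 1
    fi
    if [ ! -w "$dir" ]; then
        # In single-user mode the root volume stays read-only until you run
        # /sbin/mount -uw /, so writing here would fail silently otherwise.
        echo "rollback: $dir is not writable (run /sbin/mount -uw / first)" >&2
        return 2
    fi
    # Keep the file being replaced so the rollback itself is reversible.
    # audit_control_rolledback is a name chosen for this example.
    cp -p "$live" "$dir/audit_control_rolledback" 2>/dev/null || true
    cp -p "$src" "$live"
}

# ask_reboot: prompt after the copy; only "y" triggers a reboot.
ask_reboot() {
    printf 'audit_control restored. Reboot now? [y/N] '
    read -r answer
    case "$answer" in
        [Yy]*) /sbin/reboot ;;
        *) echo "Not rebooting; reboot later to apply the restored file." ;;
    esac
}

# Run the rollback only when invoked under the script's own name, so the
# functions can also be sourced without side effects.
case "${0##*/}" in
    rollback_audit_config.sh) rollback_audit_config "$@" && ask_reboot ;;
esac
```

Run as root (`# /etc/security/rollback_audit_config.sh`) it defaults to /etc/security and audit_control_previous; pass `orig_apple_audit_control` as the second argument to fall back to the original Apple file instead.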