How does "audit" get turned on?

Whitehill

This morning I found an alert from SuperDuper! that last night's backup had failed. The logs didn't reveal much info, so I ran it again manually - and it failed again in exactly the same way. Comparing logs, both backups died trying to copy the same file from /var/audit/. I deleted the offending file, reran the backup, and it completed normally.

After some poking around the internet, the impression I get is that auditing is not on by default - something has to turn it on, typically when something is installed or updated with administrator authorization. The oldest file in /var/audit/ is dated 5/28. From then to now, I have installed Etrecheck and updated Parallels Desktop. There were no problems (observed by me) until late last night, early this morning.

Is it true auditing is usually OFF? Why would I want it ON? Is "audit -t" the correct way to shut it down?
 
Not sure; all I found was this Apple Darwin Developer page on Audit. Maybe this could help in your search. Good luck!

Besides, shouldn't the problem be with ditto that most backup programs use?

Plus when I checked my /var/audit/ it was not normally visible to my administrator account. So maybe a check of permissions might be warranted if your folder was accessible.
 
Plus when I checked my /var/audit/ it was not normally visible to my administrator account. So maybe a check of permissions might be warranted if your folder was accessible.

I went there via Terminal after "sudo bash". As for "ditto", does Time Machine use it? TM did not report any problems during that period.

For other reasons, I had to restart this morning, so I took the opportunity to boot to recovery and repair my startup disk and permissions. I did not see any weird problems, but who knows?
 