auditconfig(1M)
NAME
auditconfig - configure auditing
SYNOPSIS
auditconfig option...
DESCRIPTION
auditconfig provides a command line interface to get and set
kernel audit parameters.
This functionality is available only if the Basic Security
Module (BSM) has been enabled. See bsmconv(1M) for more
information.
OPTIONS
-aconf
Set the non-attributable audit mask from the
audit_control(4) file. For example:
# auditconfig -aconf
Configured non-attributable events.
-audit event sorf retval string
Construct an audit record for audit event event using
the calling process's audit characteristics, containing
a text token that holds string. The return token is
built from sorf (the success/failure flag) and retval
(the return value). event is a char* event name, sorf
is 0 for success or 1 for failure, retval is an errno
value, and string is a char*. This option is useful for
constructing an audit record from a shell script. An
example of this option:
# auditconfig -audit AUE_ftpd 0 0 "test string"
#
audit record from audit trail:
header,76,2,ftp access,,Fri Dec 08 08:44:02 2000, + 669 msec
subject,abc,root,other,root,other,104449,102336,235 197121 elbow
text,test string
return,success,0
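Wrapping -audit for use from a shell script, as an added example that is not part of this man page or of the auditconfig sources. It assumes AUE_ftpd as the event name, as in the example above, and passes the wrapped command's exit status where the option expects an errno value for retval; both are assumptions. As above, auditconfig -audit has to be run as root on a system where BSM is enabled.

```sh
#!/bin/sh
# Added example, not from auditconfig(1M) or Sun's sources.
# audit_run LABEL CMD [ARGS...]: run CMD, then emit one audit record for it
# with "auditconfig -audit EVENT SORF RETVAL STRING", where SORF is 0 on
# success and 1 on failure and RETVAL is CMD's exit status (assumption:
# the exit status stands in for the errno value the option expects).
# The function returns CMD's own exit status so callers can still chain on it.

AUDIT_EVENT="${AUDIT_EVENT:-AUE_ftpd}"   # assumed event name, as on the page
AUDIT_LAST_ARGS=""                         # last "EVENT SORF RETVAL STRING" built

# audit_args EVENT STATUS -> prints "EVENT SORF RETVAL" for -audit
audit_args() {
    if [ "$2" -eq 0 ]; then
        printf '%s 0 0\n' "$1"
    else
        printf '%s 1 %d\n' "$1" "$2"
    fi
}

audit_run() {
    label=$1; shift
    cmdline=$*
    "$@"
    rc=$?
    # shellcheck disable=SC2046
    set -- $(audit_args "$AUDIT_EVENT" "$rc")    # now $1=EVENT $2=SORF $3=RETVAL
    AUDIT_LAST_ARGS="$1 $2 $3 $label: $cmdline"
    if command -v auditconfig >/dev/null 2>&1; then
        # Emits the record; fails if BSM is not enabled or we are not root.
        auditconfig -audit "$1" "$2" "$3" "$label: $cmdline"
    fi
    return "$rc"
}

# Demonstration with a constructed command; nothing reaches the audit trail
# unless auditconfig exists on this host.
audit_run "backup" sh -c 'exit 0'
echo "record arguments: $AUDIT_LAST_ARGS"
```

The record lands in the trail only when auditconfig -audit succeeds; a script that must not proceed unaudited should check that call's status instead of ignoring it as done here.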
-chkaconf
Checks the configuration of the non-attributable
events set in the kernel against the entries in
audit_control(4). If the runtime class mask of a ker-
nel audit event does not match the configured class
mask, a mismatch is reported.
-chkconf
Check the configuration of kernel audit event to class
mappings. If the runtime class mask of a kernel audit
event does not match the configured class mask, a
mismatch is reported.
-conf Configure kernel audit event to class mappings. Run-
time class mappings are changed to match those in the
audit event to class database file.
-getasid
Prints the audit session ID of the current process.
For example:
# auditconfig -getasid
audit session id = 102336
-getaudit
Returns the audit characteristics of the current pro-
cess.
# auditconfig -getaudit
audit id = abc(666)
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 235,197121,elbow(129.146.89.77)
audit session id = 102336
-getauid
Prints the audit ID of the current process. For exam-
ple:
# auditconfig -getauid
audit id = abc(666)
-getcar
Prints current active root location (anchored from
root at system boot). For example:
# auditconfig -getcar
current active root = /
-getclass event
Display the preselection mask associated with the
specified kernel audit event. event is the kernel
event number or event name.
-getcond
Display the kernel audit condition. The condition
displayed is the literal string auditing meaning
auditing is enabled and turned on (the kernel audit
module is constructing and queuing audit records);
noaudit, meaning auditing is enabled but turned off
(the kernel audit module is not constructing and queu-
ing audit records); disabled, meaning that the audit
module has not been enabled; or nospace, meaning there
is no space for saving audit records. See auditon(2)
and auditd(1M) for further information.
-getestate event
For the specified event (name or event number), print
the audit class mask the event has been assigned. For
example:
# auditconfig -getestate 20
audit class mask for event AUE_REBOOT(20) = 0x800
# auditconfig -getestate AUE_RENAME
audit class mask for event AUE_RENAME(42) = 0x30
-getfsize
Return the maximum audit file size in bytes and the
current size of the audit file in bytes.
-getkaudit
Get audit characteristics of machine. For example:
# auditconfig -getkaudit
audit id = unknown(-2)
process preselection mask = lo,na(0x1400,0x1400)
terminal id (maj,min,host) = 0,0,(0.0.0.0)
audit session id = 0
-getkmask
Get non-attributable pre-selection mask for machine.
For example:
# auditconfig -getkmask
audit flags for non-attributable events = lo,na(0x1400,0x1400)
-getpinfo pid
Display the audit ID, preselection mask, terminal ID,
and audit session ID for the specified process.
-getpolicy
Display the kernel audit policy.
-getcwd
Prints current working directory (anchored from root
at system boot). For example:
# cd /usr/tmp
# auditconfig -getcwd
current working directory = /var/tmp
-getqbufsz
Get audit queue write buffer size. For example:
# auditconfig -getqbufsz
audit queue buffer size (bytes) = 1024
-getqctrl
Get audit queue write buffer size, audit queue hiwater
mark, audit queue lowater mark, audit queue prod
interval (ticks).
# auditconfig -getqctrl
audit queue hiwater mark (records) = 100
audit queue lowater mark (records) = 10
audit queue buffer size (bytes) = 1024
audit queue delay (ticks) = 20
-getqdelay
Get interval at which audit queue is prodded to start
output. For example:
# auditconfig -getqdelay
audit queue delay (ticks) = 20
-getqhiwater
Get high water point in undelivered audit records when
audit generation will block. For example:
# ./auditconfig -getqhiwater
audit queue hiwater mark (records) = 100
-getqlowater
Get low water point in undelivered audit records where
blocked processes will resume. For example:
# auditconfig -getqlowater
audit queue lowater mark (records) = 10
-getstat
Print current audit statistics information. For exam-
ple:
# auditconfig -getstat
gen nona kern aud ctl enq wrtn wblk rblk drop tot mem
910 1 725 184 0 910 910 0 231 0 88 48
-gettid
Print audit terminal ID for current process. For exam-
ple:
# auditconfig -gettid
terminal id (maj,min,host) = 235,197121,elbow(129.146.89.77)
-lsevent
Display the currently configured (runtime) kernel and
user level audit event information.
-lspolicy
Display the kernel audit policies with a description
of each policy.
-setasid session-ID [cmd]
Execute shell or cmd with specified session-ID. For
example:
# ./auditconfig -setasid 2000 /bin/ksh
#
# ./auditconfig -getpinfo 104485
audit id = abc(666)
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 235,197121,elbow(129.146.89.77)
audit session id = 2000
-setaudit audit-ID preselect_flags term-ID session-ID [cmd]
Execute shell or cmd with the specified audit charac-
teristics.
-setauid audit-ID [cmd]
Execute shell or cmd with the specified audit-ID.
-setclass event audit_flag[,audit_flag ...]
Map the kernel event event to the classes specified by
audit_flags. event is an event number or name. An
audit_flag is a two character string representing an
audit class. See audit_control(4) for further informa-
tion.
-setcond [auditing|noaudit|nospace]
Set the kernel audit condition to the condition speci-
fied where condition is the literal string auditing,
indicating auditing should be enabled; noaudit,
indicating auditing should be disabled; or nospace,
which forces a no-space condition. (See -getcond,
above.)
-setfsize size
Set the maximum size of an audit file to size bytes.
When the size limit is reached, the audit file is
closed and another is started.
-setkaudit IP-address_type IP_address
Set IP address of machine to specified values. IP-
address_type is ipv6 or ipv4.
-setkmask audit_flags
Set the non-attributable preselection flags of the
machine.
-setpmask pid flags
Set the preselection mask of the specified process.
flags is the ASCII representation of the flags similar
to that in audit_control(4).
-setpolicy [+|-]policy_flag[,policy_flag ...]
Set the kernel audit policy. A policy_flag is a literal
string that denotes an audit policy. A prefix of + adds
the policies specified to the current audit policies. A
prefix of - removes the policies specified from the
current audit policies. The following are the valid
policy flag strings (auditconfig -lspolicy also lists
the current valid audit policy flag strings):
all Include all policies.
arge Include the execv(2) system call environment
arguments to the audit record. This information
is not included by default.
argv Include the execv(2) system call parameter argu-
ments to the audit record. This information is
not included by default.
cnt Do not suspend processes when audit resources
are exhausted. Instead, drop audit records and
keep a count of the number of records dropped
(the trail is then incomplete; see -getstat). By
default, processes are suspended until audit
resources become available.
group Include the supplementary group token in audit
records. By default, the group token is not
included.
none Include no policies.
path Add secondary path tokens to audit record. These
are typically the pathnames of dynamically
linked shared libraries or command interpreters
for shell scripts. By default, they are not
included.
public
Audit public files. By default, read-type opera-
tions are not audited for certain files which
meet public characteristics: owned by root,
readable by all, and not writable by all.
trail Include the trailer token in every audit record.
By default, the trailer token is not included.
seq Include the sequence token as part of every
audit record. By default, the sequence token is
not included. The sequence token attaches a
sequence number to every audit record.
-setqbufsz buffer_size
Set the audit queue write buffer size (bytes).
-setqctrl hiwater lowater bufsz interval
Set the audit queue hiwater mark (records), lowater
mark (records), write buffer size (bytes), and wakeup
interval (ticks), taking the arguments in the order
shown.
-setqdelay interval
Set the audit queue wakeup interval (ticks). This
determines the interval at which the kernel pokes the
audit queue, to write audit records to the audit
trail.
-setqhiwater hiwater
Set the number of undelivered audit records in the
audit queue at which audit record generation blocks.
-setqlowater lowater
Set the number of undelivered audit records in the
audit queue at which blocked auditing processes
unblock.
-setsmask asid flags
Set the preselection mask of all processes with the
specified audit session ID.
-setstat
Reset audit statistics counters.
-setumask auid flags
Set the preselection mask of all processes with the
specified audit ID.
EXAMPLES
Example 1: Using auditconfig
The following is an example of an auditconfig program:
#
# map kernel audit event number 10 to the "fr" audit class
#
% auditconfig -setclass 10 fr
#
# turn on inclusion of exec arguments in exec audit records
#
% auditconfig -setpolicy +argv
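Example 2: Checking for dropped audit records
The following is an added example, not from the original page or from the auditconfig sources. It assumes only the two-line -getstat table shown under -getstat above and the literal condition strings listed under -getcond; the meaning taken for the wblk column (audit writes that blocked on a full queue) is an assumption drawn from the column name. The check matters most when the cnt policy is set, since the kernel then drops records instead of suspending processes and the drop column is the only evidence that the trail is incomplete.

```sh
#!/bin/sh
# Added example, not from auditconfig(1M) or Sun's sources.
# Reads the two-line table printed by "auditconfig -getstat" (header row,
# value row) and fails when records were dropped (drop > 0) or writers
# blocked on a full queue (wblk > 0; meaning assumed from the column name).

# Constructed sample: the -getstat output quoted on the page.
SAMPLE_GETSTAT='gen nona kern aud ctl enq wrtn wblk rblk drop tot mem
910 1 725 184 0 910 910 0 231 0 88 48'

# audit_stat_field OUTPUT NAME -> print the value in column NAME,
# return 1 if NAME is not a column.
audit_stat_field() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == want) col = i }
        NR == 2 { if (col) print $col; else exit 1 }'
}

# audit_queue_healthy OUTPUT -> 0 when drop == 0 and wblk == 0
audit_queue_healthy() {
    drop=$(audit_stat_field "$1" drop) || return 2
    wblk=$(audit_stat_field "$1" wblk) || return 2
    [ "$drop" -eq 0 ] && [ "$wblk" -eq 0 ]
}

# audit_check_live: query the running kernel (needs BSM and root).
# Returns 0 if the condition is "auditing" and nothing was dropped,
# 1 otherwise, 2 if auditconfig is unavailable or fails.
audit_check_live() {
    command -v auditconfig >/dev/null 2>&1 || return 2
    cond=$(auditconfig -getcond) || return 2
    case $cond in
        *auditing*) ;;
        *) echo "audit condition is not 'auditing': $cond" >&2; return 1 ;;
    esac
    out=$(auditconfig -getstat) || return 2
    if audit_queue_healthy "$out"; then
        echo "audit queue healthy"
    else
        echo "WARNING: audit records lost, drop=$(audit_stat_field "$out" drop)" \
             "wblk=$(audit_stat_field "$out" wblk)" >&2
        return 1
    fi
}

# Demonstration against the constructed sample.
if audit_queue_healthy "$SAMPLE_GETSTAT"; then
    echo "sample: healthy, drop=$(audit_stat_field "$SAMPLE_GETSTAT" drop)" \
         "wblk=$(audit_stat_field "$SAMPLE_GETSTAT" wblk)"
fi
```

Run audit_check_live from cron or a monitoring agent; a non-zero drop count after auditconfig -setstat has reset the counters means records were lost since the reset, which is the trade the cnt policy makes.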
EXIT STATUS
0 Successful completion.
1 An error occurred.
FILES
/etc/security/audit_event
/etc/security/audit_class
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWcsu |
|_____________________________|_____________________________|
| Interface Stability | Evolving |
|_____________________________|_____________________________|
SEE ALSO
auditd(1M), bsmconv(1M), praudit(1M), auditon(2), execv(2),
audit_class(4), audit_control(4), audit_event(4), attri-
butes(5)