auditon(2)
NAME
auditon - manipulate auditing
SYNOPSIS
cc [ flag ... ] file ... -lbsm -lsocket -lnsl -lintl [ library ... ]
#include <sys/param.h>
#include <bsm/audit.h>
int auditon(int cmd, caddr_t data, int length);
DESCRIPTION
The auditon() function performs various audit subsystem con-
trol operations. The cmd argument designates the particular
audit control command. The data argument is a pointer to
command-specific data. The length argument is the length in
bytes of the command-specific data.
The following commands are supported:
A_GETCOND
Return the system audit on/off/disabled condition in
the integer long pointed to by data. The following
values may be returned:
AUC_AUDITING
Auditing has been turned on.
AUC_DISABLED
Auditing system has not been enabled.
AUC_NOAUDIT
Auditing has been turned off.
AUC_NOSPACE
Auditing is blocked because the audit partition
has run out of space.
A_SETCOND
Set the system's audit on/off condition to the value
in the integer long pointed to by data. The BSM
audit module must be enabled by bsmconv(1M) before
auditing can be turned on. The following audit states
may be set:
AUC_AUDITING
Turns on audit record generation.
AUC_NOAUDIT
Turns off audit record generation.
A_GETCLASS
Return the event to class mapping for the designated
audit event. The data argument points to the
au_evclass_map structure containing the event number.
The preselection class mask is returned in the same
structure.
A_SETCLASS
Set the event class preselection mask for the desig-
nated audit event. The data argument points to the
au_evclass_map structure containing the event number
and class mask.
A_GETKMASK
Return the kernel preselection mask in the au_mask
structure pointed to by data. This is the mask used to
preselect non-attributable audit events.
A_SETKMASK
Set the kernel preselection mask. The data argument
points to the au_mask structure containing the class
mask. This is the mask used to preselect non-
attributable audit events.
A_GETPINFO
Return the audit ID, preselection mask, terminal ID
and audit session ID of the specified process in the
auditpinfo structure pointed to by data.
Note that A_GETPINFO may fail if the terminal ID con-
tains a network address longer than 32 bits. In this
case, the A_GETPINFO_ADDR command should be used.
A_GETPINFO_ADDR
Returns the audit ID, preselection mask, terminal ID
and audit session ID of the specified process in the
auditpinfo_addr structure pointed to by data.
A_SETPMASK
Set the preselection mask of the specified process.
The data argument points to the auditpinfo structure
containing the process ID and the preselection mask.
The other fields of the structure are ignored and
should be set to NULL.
A_SETUMASK
Set the preselection mask for all processes with the
specified audit ID. The data argument points to the
auditinfo structure containing the audit ID and the
preselection mask. The other fields of the structure
are ignored and should be set to NULL.
A_SETSMASK
Set the preselection mask for all processes with the
specified audit session ID. The data argument points
to the auditinfo structure containing the audit ses-
sion ID and the preselection mask. The other fields of
the structure are ignored and should be set to NULL.
A_GETQCTRL
Return the kernel audit queue control parameters.
These control the high and low water marks of the
number of audit records allowed in the audit queue.
The high water mark is the maximum allowed number of
undelivered audit records. The low water mark deter-
mines when threads blocked on the queue are wakened.
Another parameter controls the size of the data buffer
used by auditsvc(2) to write data to the audit trail.
There is also a parameter that specifies the maximum
delay before an attempt is made to write data to the
audit trail. The audit queue parameters are returned
in the au_qctrl structure pointed to by data.
A_SETQCTRL
Set the kernel audit queue control parameters as
described above in the A_GETQCTRL command. The data
argument points to the au_qctrl structure containing
the audit queue control parameters. The default and
maximum values 'A/B' for the audit queue control
parameters are:
high water
100/10000 (audit records)
low water
10/1024 (audit records)
output buffer size
1024/1048576 (bytes)
delay
20/20000 (hundredths of a second)
A_GETCWD
Return the current working directory as kept by the
audit subsystem. This is a path anchored on the real
root, rather than on the active root. The data argu-
ment points to a buffer into which the path is copied.
The length argument is the length of the buffer.
A_GETCAR
Return the current active root as kept by the audit
subsystem. This path may be used to anchor an absolute
path for a path token generated by an application. The
data argument points to a buffer into which the path
is copied. The length argument is the length of the
buffer.
A_GETSTAT
Return the system audit statistics in the audit_stat
structure pointed to by data.
A_SETSTAT
Reset system audit statistics values. The kernel
statistics value is reset if the corresponding field
in the statistics structure pointed to by the data
argument is CLEAR_VAL. Otherwise, the value is not
changed.
A_SETFSIZE
Set the maximum size of an audit trail file. When the
audit file reaches the designated size, it is closed
and a new file started. If the maximum size is unset,
the audit trail file generated by auditsvc() will grow
to the size of the file system. The data argument
points to the au_fstat_t structure containing the max-
imum audit file size in bytes. The size can not be set
less than 0x80000 bytes.
A_GETFSIZE
Return the maximum audit file size and current file
size in the au_fstat_t structure pointed to by the
data argument.
A_GETPOLICY
Return the audit policy flags in the integer long
pointed to by data.
A_SETPOLICY
Set the audit policy flags to the values in the
integer long pointed to by data. The following policy
flags are recognized:
AUDIT_CNT
Do not suspend processes when audit storage is
full or inaccessible. The default action is to
suspend processes until storage becomes avail-
able.
AUDIT_AHLT
Halt the machine when a non-attributable audit
record cannot be delivered. The default action
is to count the number of events that could not
be recorded.
AUDIT_ARGV
Include in the audit record the argument list
for a member of the exec(2) family of functions.
The default action is not to include this infor-
mation.
AUDIT_ARGE
Include the environment variables for the
execv(2) function in the audit record. The
default action is not to include this informa-
tion.
AUDIT_SEQ
Add a sequence token to each audit record. The
default action is not to include it.
AUDIT_TRAIL
Append a trailer token to each audit record.
The default action is not to include it.
AUDIT_GROUP
Include the supplementary groups list in audit
records. The default action is not to include
it.
AUDIT_PATH
Include secondary paths in audit records. Exam-
ples of secondary paths are dynamically loaded
shared library modules and the command shell
path for executable scripts. The default action
is to include only the primary path from the
system call.
RETURN VALUES
Upon successful completion, auditon() returns 0. Otherwise,
-1 is returned and errno is set to indicate the error.
ERRORS
The auditon() function will fail if:
E2BIG The length field for the command was too small to hold
the returned value.
EFAULT
The copy of data to/from the kernel failed.
EINVAL
One of the arguments was illegal, or BSM has not been
installed.
EPERM The process's effective user ID is not superuser.
USAGE
The auditon() function can be invoked only by processes with
superuser privileges.
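EXAMPLES
The following program is an added example; it is not part of
the original auditon(2) page and is not Solaris code. It reads
the audit condition with A_GETCOND, raises the queue high and
low water marks after checking them against the limits listed
under A_SETQCTRL, and ORs AUDIT_ARGV, AUDIT_SEQ and AUDIT_TRAIL
into the policy mask, mapping EPERM and EINVAL to the causes
listed under ERRORS. The auditon() calls are compiled only
under __sun. Off Solaris, the AUDIT_* values are assumed
fallbacks so that the checking and flag-decoding helpers
(qctrl_check, fsize_ok and policy_names, all names chosen for
this example) can be compiled and tested anywhere. The
struct au_qctrl field names aq_hiwater, aq_lowater, aq_bufsz
and aq_delay, and the int/uint32_t widths passed for the
condition and policy values, are assumptions; confirm them
against the installed bsm/audit.h before relying on them.

```c
/*
 * Added example, not from the auditon(2) page or from Solaris.
 * Exercises A_GETCOND, A_GETQCTRL/A_SETQCTRL and A_GETPOLICY/A_SETPOLICY,
 * checking parameters against the documented limits before the syscall.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef __sun
#include <sys/param.h>
#include <bsm/audit.h>
#else
/* ASSUMED fallback values for compiling off Solaris; bsm/audit.h is authoritative. */
#define AUDIT_CNT   0x0001
#define AUDIT_AHLT  0x0002
#define AUDIT_ARGV  0x0004
#define AUDIT_ARGE  0x0008
#define AUDIT_SEQ   0x0020
#define AUDIT_GROUP 0x0100
#define AUDIT_TRAIL 0x0200
#define AUDIT_PATH  0x0400
#endif

/* Maximums documented under A_SETQCTRL and the minimum under A_SETFSIZE. */
#define AQ_HIWATER_MAX 10000UL
#define AQ_LOWATER_MAX 1024UL
#define AQ_BUFSZ_MAX   1048576UL
#define AQ_DELAY_MAX   20000L
#define AU_FSIZE_MIN   0x80000UL

/*
 * Return NULL if the queue parameters are within the documented limits and
 * self-consistent (low water below high water, or blocked writers would
 * never be woken); otherwise a string naming the problem.
 */
const char *qctrl_check(unsigned long hi, unsigned long lo,
                        unsigned long bufsz, long delay)
{
    if (hi == 0 || hi > AQ_HIWATER_MAX)     return "high water out of range";
    if (lo == 0 || lo > AQ_LOWATER_MAX)     return "low water out of range";
    if (lo >= hi)                           return "low water must be below high water";
    if (bufsz == 0 || bufsz > AQ_BUFSZ_MAX) return "output buffer size out of range";
    if (delay <= 0 || delay > AQ_DELAY_MAX) return "delay out of range";
    return NULL;
}

/* A_SETFSIZE rejects sizes below 0x80000 bytes. */
int fsize_ok(unsigned long bytes) { return bytes >= AU_FSIZE_MIN; }

/* Render a policy mask as "AUDIT_X|AUDIT_Y" into buf; returns the flag count. */
int policy_names(uint32_t mask, char *buf, size_t buflen)
{
    static const struct { uint32_t bit; const char *name; } tab[] = {
        { AUDIT_CNT, "AUDIT_CNT" },   { AUDIT_AHLT, "AUDIT_AHLT" },
        { AUDIT_ARGV, "AUDIT_ARGV" }, { AUDIT_ARGE, "AUDIT_ARGE" },
        { AUDIT_SEQ, "AUDIT_SEQ" },   { AUDIT_TRAIL, "AUDIT_TRAIL" },
        { AUDIT_GROUP, "AUDIT_GROUP" }, { AUDIT_PATH, "AUDIT_PATH" },
    };
    int n = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++) {
        if (mask & tab[i].bit) {
            if (n++) strncat(buf, "|", buflen - strlen(buf) - 1);
            strncat(buf, tab[i].name, buflen - strlen(buf) - 1);
        }
    }
    return n;
}

#ifdef __sun
int main(void)
{
    int cond;              /* width assumed; the page only says "integer long" */
    uint32_t policy;       /* width assumed, see the lead-in */
    struct au_qctrl qc;    /* field names assumed from bsm/audit.h */
    char names[128];

    if (auditon(A_GETCOND, (caddr_t)&cond, sizeof cond) == -1) {
        if (errno == EPERM)  fputs("auditon: superuser required\n", stderr);
        if (errno == EINVAL) fputs("auditon: BSM not installed, see bsmconv(1M)\n", stderr);
        return 1;
    }
    printf("audit condition: %s\n",
           cond == AUC_AUDITING ? "on" : cond == AUC_NOAUDIT ? "off" :
           cond == AUC_NOSPACE ? "blocked, audit partition full" : "disabled");

    if (auditon(A_GETQCTRL, (caddr_t)&qc, sizeof qc) == -1) { perror("A_GETQCTRL"); return 1; }
    qc.aq_hiwater = 2000;  /* absorb bursts before writers block */
    qc.aq_lowater = 200;
    const char *why = qctrl_check(qc.aq_hiwater, qc.aq_lowater, qc.aq_bufsz, qc.aq_delay);
    if (why) { fprintf(stderr, "refusing A_SETQCTRL: %s\n", why); return 1; }
    if (auditon(A_SETQCTRL, (caddr_t)&qc, sizeof qc) == -1) { perror("A_SETQCTRL"); return 1; }

    /* Add exec arguments plus sequence and trailer tokens to the current policy. */
    if (auditon(A_GETPOLICY, (caddr_t)&policy, sizeof policy) == -1) { perror("A_GETPOLICY"); return 1; }
    policy |= AUDIT_ARGV | AUDIT_SEQ | AUDIT_TRAIL;
    if (auditon(A_SETPOLICY, (caddr_t)&policy, sizeof policy) == -1) { perror("A_SETPOLICY"); return 1; }
    policy_names(policy, names, sizeof names);
    printf("policy now: %s\n", names);
    return 0;
}
#else
int main(void) { puts("auditon(2) is Solaris/BSM only; only the helpers are built here."); return 0; }
#endif
```

Build it on Solaris with the SYNOPSIS link line, for example
cc audit_tune.c -lbsm -lsocket -lnsl -lintl, and run it as
superuser. Reading the existing queue parameters with A_GETQCTRL
before changing two of them keeps the kernel's buffer size and
delay intact, and validating the result locally turns a would-be
EINVAL from the kernel into a message that names the bad field.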
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Interface Stability | Stable |
|_____________________________|_____________________________|
| MT-Level | MT-Safe |
|_____________________________|_____________________________|
SEE ALSO
auditconfig(1M), auditd(1M), bsmconv(1M), audit(2),
auditsvc(2), exec(2), audit.log(4), attributes(5)
NOTES
The functionality described in this man page is available
only if the Basic Security Module (BSM) has been enabled.
See bsmconv(1M) for more information.