auditon.2 (185573) auditon.2 (189279)
1.\"-
1.\"-
2.\" Copyright (c) 2008-2009 Apple Inc.
2.\" Copyright (c) 2005 Robert N. M. Watson
3.\" Copyright (c) 2005 Tom Rhodes
4.\" Copyright (c) 2005 Wayne J. Salamon
5.\" All rights reserved.
6.\"
7.\" Redistribution and use in source and binary forms, with or without
8.\" modification, are permitted provided that the following conditions
9.\" are met:
10.\" 1. Redistributions of source code must retain the above copyright
11.\" notice, this list of conditions and the following disclaimer.
12.\" 2. Redistributions in binary form must reproduce the above copyright
13.\" notice, this list of conditions and the following disclaimer in the
14.\" documentation and/or other materials provided with the distribution.
15.\"
16.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26.\" SUCH DAMAGE.
27.\"
3.\" Copyright (c) 2005 Robert N. M. Watson
4.\" Copyright (c) 2005 Tom Rhodes
5.\" Copyright (c) 2005 Wayne J. Salamon
6.\" All rights reserved.
7.\"
8.\" Redistribution and use in source and binary forms, with or without
9.\" modification, are permitted provided that the following conditions
10.\" are met:
11.\" 1. Redistributions of source code must retain the above copyright
12.\" notice, this list of conditions and the following disclaimer.
13.\" 2. Redistributions in binary form must reproduce the above copyright
14.\" notice, this list of conditions and the following disclaimer in the
15.\" documentation and/or other materials provided with the distribution.
16.\"
17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27.\" SUCH DAMAGE.
28.\"
28.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#14 $
29.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#15 $
29.\"
30.Dd July 10, 2008
31.Dt AUDITON 2
32.Os
33.Sh NAME
34.Nm auditon
35.Nd "configure system audit parameters"
36.Sh SYNOPSIS
37.In bsm/audit.h
38.Ft int
39.Fn auditon "int cmd" "void *data" "u_int length"
40.Sh DESCRIPTION
41The
42.Fn auditon
43system call is used to manipulate various audit control operations.
44The
45.Fa data
46argument
47should point to a structure whose type depends on the command.
48The
49.Fa length
50argument
51specifies the size of
52.Fa *data
53in bytes.
54The
55.Fa cmd
56argument
57may be any of the following:
58.Bl -tag -width ".It Dv A_GETPINFO_ADDR"
59.It Dv A_SETPOLICY
60Set audit policy flags.
61The
62.Fa data
63argument
64must point to a
65.Vt long
66value set to one or more the following audit
67policy control values bitwise OR'ed together:
68.Dv AUDIT_CNT ,
69.Dv AUDIT_AHLT ,
70.Dv AUDIT_ARGV ,
71and
72.Dv AUDIT_ARGE .
73If
74.Dv AUDIT_CNT is set, the system will continue even if it becomes low
75on space and discontinue logging events until the low space condition is
76remedied.
77If it is not set, audited events will block until the low space
78condition is remedied.
79Unaudited events, however, are unaffected.
80If
81.Dv AUDIT_AHLT is set, a
82.Xr panic 9
83if it cannot write an event to the global audit log file.
84If
85.Dv AUDIT_ARGV
86is set, then the argument list passed to the
87.Xr execve 2
88system call will be audited. If
89.Dv AUDIT_ARGE
90is set, then the environment variables passed to the
91.Xr execve 2
92system call will be audited. The default policy is none of the audit policy
93control flags set.
94.It Dv A_SETKAUDIT
95Return
96.Er ENOSYS .
97(Not implemented.)
98.It Dv A_SETKMASK
99Set the kernel preselection masks (success and failure).
100The
101.Fa data
102argument
103must point to a
104.Vt au_mask_t
105structure containing the mask values as defined in
106.In bsm/audit.h .
107These masks are used for non-attributable audit event preselection.
108The field
109.Fa am_success
110specifies which classes of successful audit events are to be logged to the
111audit trail. The field
112.Fa am_failure
113specifies which classes of failed audit events are to be logged. The value of
114both fields is the bitwise OR'ing of the audit event classes specified in
115.Fa bsm/audit.h .
116The various audit classes are described more fully in
117.Xr audit_class 5 .
118.It Dv A_SETQCTRL
119Set kernel audit queue parameters.
120The
121.Fa data
122argument
123must point to a
124.Vt au_qctrl_t
125structure (defined in
126.In bsm/audit.h )
127containing the kernel audit queue control settings:
128.Fa aq_hiwater ,
129.Fa aq_lowater ,
130.Fa aq_bufsz ,
131.Fa aq_delay ,
132and
133.Fa aq_minfree .
134The field
135.Fa aq_hiwater
136defines the maximum number of audit record entries in the queue used to store
137the audit records ready for delivery to disk.
138New records are inserted at the tail of the queue and removed from the head.
139For new records which would exceed the
140high water mark, the calling thread is inserted into the wait queue, waiting
141for the audit queue to have enough space available as defined with the field
142.Fa aq_lowater .
143The field
144.Fa aq_bufsz
145defines the maximum length of the audit record that can be supplied with
146.Xr audit 2 .
147The field
148.Fa aq_delay
149is unused.
150The field
151.Fa aq_minfree
152specifies the minimum amount of free blocks on the disk device used to store
153audit records.
154If the value of free blocks falls below the configured
155minimum amount, the kernel informs the audit daemon about low disk space.
156The value is to be specified in percent of free file system blocks.
157A value of 0 results in a disabling of the check.
158.It Dv A_SETSTAT
159Return
160.Er ENOSYS .
161(Not implemented.)
162.It Dv A_SETUMASK
163Return
164.Er ENOSYS .
165(Not implemented.)
166.It Dv A_SETSMASK
167Return
168.Er ENOSYS .
169(Not implemented.)
170.It Dv A_SETCOND
171Set the current auditing condition.
172The
173.Fa data
174argument
175must point to a
176.Vt long
177value containing the new
178audit condition, one of
179.Dv AUC_AUDITING ,
180.Dv AUC_NOAUDIT ,
181or
182.Dv AUC_DISABLED .
183If
184.Dv AUC_NOAUDIT
185is set, then auditing is temporarily suspended. If
186.Dv AUC_AUDITING
187is set, auditing is resumed. If
188.Dv AUC_DISABLED
189is set, the auditing system will
190shutdown, draining all audit records and closing out the audit trail file.
191.It Dv A_SETCLASS
192Set the event class preselection mask for an audit event.
193The
194.Fa data
195argument
196must point to a
197.Vt au_evclass_map_t
198structure containing the audit event and mask.
199The field
200.Fa ec_number
201is the audit event and
202.Fa ec_class
203is the audit class mask. See
204.Xr audit_event 5
205for more information on audit event to class mapping.
206.It Dv A_SETPMASK
207Set the preselection masks for a process.
208The
209.Fa data
210argument
211must point to a
212.Vt auditpinfo_t
213structure that contains the given process's audit
214preselection masks for both success and failure.
215The field
216.Fa ap_pid
217is the process id of the target process.
218The field
219.Fa ap_mask
220must point to a
221.Fa au_mask_t
222structure which holds the preselection masks as described in the
223.Da A_SETKMASK
224section above.
225.It Dv A_SETFSIZE
226Set the maximum size of the audit log file.
227The
228.Fa data
229argument
230must point to a
231.Vt au_fstat_t
232structure with the
233.Va af_filesz
234field set to the maximum audit log file size.
235A value of 0
236indicates no limit to the size.
237.It Dv A_SETKAUDIT
238Return
239.Er ENOSYS .
240(Not implemented.)
241.It Dv A_GETCLASS
242Return the event to class mapping for the designated audit event.
243The
244.Fa data
245argument
246must point to a
247.Vt au_evclass_map_t
248structure. See the
249.Dv A_SETCLASS
250section above for more information.
251.It Dv A_GETKAUDIT
252Return
253.Er ENOSYS .
254(Not implemented.)
255.It Dv A_GETPINFO
256Return the audit settings for a process.
257The
258.Fa data
259argument
260must point to a
261.Vt auditpinfo_t
262structure which will be set to contain
263.Fa ap_auid
264(the audit ID),
265.Fa ap_mask
266(the preselection mask),
267.Fa ap_termid
268(the terminal ID), and
269.Fa ap_asid
270(the audit session ID)
271of the given target process.
272The process ID of the target process is passed
273into the kernel using the
274.Fa ap_pid
275field.
276See the section
277.Dv A_SETPMASK
278above and
279.Xr getaudit 2
280for more information.
281.It Dv A_GETPINFO_ADDR
282Return the extended audit settings for a process.
283The
284.Fa data
285argument
286must point to a
287.Vt auditpinfo_addr_t
288structure which is similar to the
289.Vt auditpinfo_addr_t
290structure described above.
291The exception is the
292.Fa ap_termid
293(the terminal ID) field which points to a
294.Vt au_tid_addr_t
295structure can hold much a larger terminal address and an address type.
296The process ID of the target process is passed into the kernel using the
297.Fa ap_pid
298field.
299See the section
300.Dv A_SETPMASK
301above and
302.Xr getaudit 2
303for more information.
304.It Dv A_GETKMASK
305Return the current kernel preselection masks.
306The
307.Fa data
308argument
309must point to a
310.Vt au_mask_t
311structure which will be set to
312the current kernel preselection masks for non-attributable events.
313.It Dv A_GETPOLICY
314Return the current audit policy setting.
315The
316.Fa data
317argument
318must point to a
319.Vt long
320value which will be set to
321one of the current audit policy flags.
322The audit policy flags are
323described in the
324.Dv A_SETPOLICY
325section above.
326.It Dv A_GETQCTRL
327Return the current kernel audit queue control parameters.
328The
329.Fa data
330argument
331must point to a
332.Vt au_qctrl_t
333structure which will be set to the current
334kernel audit queue control parameters.
335See the
336.Dv A_SETQCTL
337section above for more information.
338.It Dv A_GETFSIZE
339Returns the maximum size of the audit log file.
340The
341.Fa data
342argument
343must point to a
344.Vt au_fstat_t
345structure.
346The
347.Va af_filesz
348field will be set to the maximum audit log file size.
349A value of 0 indicates no limit to the size.
350The
351.Va af_currsz
352field
353will be set to the current audit log file size.
354.It Dv A_GETCWD
355.\" [COMMENTED OUT]: Valid description, not yet implemented.
356.\" Return the current working directory as stored in the audit subsystem.
357Return
358.Er ENOSYS .
359(Not implemented.)
360.It Dv A_GETCAR
361.\" [COMMENTED OUT]: Valid description, not yet implemented.
362.\"Stores and returns the current active root as stored in the audit
363.\"subsystem.
364Return
365.Er ENOSYS .
366(Not implemented.)
367.It Dv A_GETSTAT
368.\" [COMMENTED OUT]: Valid description, not yet implemented.
369.\"Return the statistics stored in the audit system.
370Return
371.Er ENOSYS .
372(Not implemented.)
373.It Dv A_GETCOND
374Return the current auditing condition.
375The
376.Fa data
377argument
378must point to a
379.Vt long
380value which will be set to
381the current audit condition, one of
382.Dv AUC_AUDITING ,
383.Dv AUC_NOAUDIT
384or
385.Dv AUC_DISABLED .
386See the
387.Dv A_SETCOND
388section above for more information.
389.It Dv A_SENDTRIGGER
390Send a trigger to the audit daemon.
391The
392.Fa data
393argument
394must point to a
395.Vt long
396value set to one of the acceptable
397trigger values:
398.Dv AUDIT_TRIGGER_LOW_SPACE
399(low disk space where the audit log resides),
400.Dv AUDIT_TRIGGER_OPEN_NEW
401(open a new audit log file),
402.Dv AUDIT_TRIGGER_READ_FILE
403(read the
404.Pa audit_control
405file),
406.Dv AUDIT_TRIGGER_CLOSE_AND_DIE
407(close the current log file and exit),
30.\"
31.Dd July 10, 2008
32.Dt AUDITON 2
33.Os
34.Sh NAME
35.Nm auditon
36.Nd "configure system audit parameters"
37.Sh SYNOPSIS
38.In bsm/audit.h
39.Ft int
40.Fn auditon "int cmd" "void *data" "u_int length"
41.Sh DESCRIPTION
42The
43.Fn auditon
44system call is used to manipulate various audit control operations.
45The
46.Fa data
47argument
48should point to a structure whose type depends on the command.
49The
50.Fa length
51argument
52specifies the size of
53.Fa *data
54in bytes.
55The
56.Fa cmd
57argument
58may be any of the following:
59.Bl -tag -width ".It Dv A_GETPINFO_ADDR"
60.It Dv A_SETPOLICY
61Set audit policy flags.
62The
63.Fa data
64argument
65must point to a
66.Vt long
67value set to one or more the following audit
68policy control values bitwise OR'ed together:
69.Dv AUDIT_CNT ,
70.Dv AUDIT_AHLT ,
71.Dv AUDIT_ARGV ,
72and
73.Dv AUDIT_ARGE .
74If
75.Dv AUDIT_CNT is set, the system will continue even if it becomes low
76on space and discontinue logging events until the low space condition is
77remedied.
78If it is not set, audited events will block until the low space
79condition is remedied.
80Unaudited events, however, are unaffected.
81If
82.Dv AUDIT_AHLT is set, a
83.Xr panic 9
84if it cannot write an event to the global audit log file.
85If
86.Dv AUDIT_ARGV
87is set, then the argument list passed to the
88.Xr execve 2
89system call will be audited. If
90.Dv AUDIT_ARGE
91is set, then the environment variables passed to the
92.Xr execve 2
93system call will be audited. The default policy is none of the audit policy
94control flags set.
95.It Dv A_SETKAUDIT
96Return
97.Er ENOSYS .
98(Not implemented.)
99.It Dv A_SETKMASK
100Set the kernel preselection masks (success and failure).
101The
102.Fa data
103argument
104must point to a
105.Vt au_mask_t
106structure containing the mask values as defined in
107.In bsm/audit.h .
108These masks are used for non-attributable audit event preselection.
109The field
110.Fa am_success
111specifies which classes of successful audit events are to be logged to the
112audit trail. The field
113.Fa am_failure
114specifies which classes of failed audit events are to be logged. The value of
115both fields is the bitwise OR'ing of the audit event classes specified in
116.Fa bsm/audit.h .
117The various audit classes are described more fully in
118.Xr audit_class 5 .
119.It Dv A_SETQCTRL
120Set kernel audit queue parameters.
121The
122.Fa data
123argument
124must point to a
125.Vt au_qctrl_t
126structure (defined in
127.In bsm/audit.h )
128containing the kernel audit queue control settings:
129.Fa aq_hiwater ,
130.Fa aq_lowater ,
131.Fa aq_bufsz ,
132.Fa aq_delay ,
133and
134.Fa aq_minfree .
135The field
136.Fa aq_hiwater
137defines the maximum number of audit record entries in the queue used to store
138the audit records ready for delivery to disk.
139New records are inserted at the tail of the queue and removed from the head.
140For new records which would exceed the
141high water mark, the calling thread is inserted into the wait queue, waiting
142for the audit queue to have enough space available as defined with the field
143.Fa aq_lowater .
144The field
145.Fa aq_bufsz
146defines the maximum length of the audit record that can be supplied with
147.Xr audit 2 .
148The field
149.Fa aq_delay
150is unused.
151The field
152.Fa aq_minfree
153specifies the minimum amount of free blocks on the disk device used to store
154audit records.
155If the value of free blocks falls below the configured
156minimum amount, the kernel informs the audit daemon about low disk space.
157The value is to be specified in percent of free file system blocks.
158A value of 0 results in a disabling of the check.
159.It Dv A_SETSTAT
160Return
161.Er ENOSYS .
162(Not implemented.)
163.It Dv A_SETUMASK
164Return
165.Er ENOSYS .
166(Not implemented.)
167.It Dv A_SETSMASK
168Return
169.Er ENOSYS .
170(Not implemented.)
171.It Dv A_SETCOND
172Set the current auditing condition.
173The
174.Fa data
175argument
176must point to a
177.Vt long
178value containing the new
179audit condition, one of
180.Dv AUC_AUDITING ,
181.Dv AUC_NOAUDIT ,
182or
183.Dv AUC_DISABLED .
184If
185.Dv AUC_NOAUDIT
186is set, then auditing is temporarily suspended. If
187.Dv AUC_AUDITING
188is set, auditing is resumed. If
189.Dv AUC_DISABLED
190is set, the auditing system will
191shutdown, draining all audit records and closing out the audit trail file.
192.It Dv A_SETCLASS
193Set the event class preselection mask for an audit event.
194The
195.Fa data
196argument
197must point to a
198.Vt au_evclass_map_t
199structure containing the audit event and mask.
200The field
201.Fa ec_number
202is the audit event and
203.Fa ec_class
204is the audit class mask. See
205.Xr audit_event 5
206for more information on audit event to class mapping.
207.It Dv A_SETPMASK
208Set the preselection masks for a process.
209The
210.Fa data
211argument
212must point to a
213.Vt auditpinfo_t
214structure that contains the given process's audit
215preselection masks for both success and failure.
216The field
217.Fa ap_pid
218is the process id of the target process.
219The field
220.Fa ap_mask
221must point to a
222.Fa au_mask_t
223structure which holds the preselection masks as described in the
224.Da A_SETKMASK
225section above.
226.It Dv A_SETFSIZE
227Set the maximum size of the audit log file.
228The
229.Fa data
230argument
231must point to a
232.Vt au_fstat_t
233structure with the
234.Va af_filesz
235field set to the maximum audit log file size.
236A value of 0
237indicates no limit to the size.
238.It Dv A_SETKAUDIT
239Return
240.Er ENOSYS .
241(Not implemented.)
242.It Dv A_GETCLASS
243Return the event to class mapping for the designated audit event.
244The
245.Fa data
246argument
247must point to a
248.Vt au_evclass_map_t
249structure. See the
250.Dv A_SETCLASS
251section above for more information.
252.It Dv A_GETKAUDIT
253Return
254.Er ENOSYS .
255(Not implemented.)
256.It Dv A_GETPINFO
257Return the audit settings for a process.
258The
259.Fa data
260argument
261must point to a
262.Vt auditpinfo_t
263structure which will be set to contain
264.Fa ap_auid
265(the audit ID),
266.Fa ap_mask
267(the preselection mask),
268.Fa ap_termid
269(the terminal ID), and
270.Fa ap_asid
271(the audit session ID)
272of the given target process.
273The process ID of the target process is passed
274into the kernel using the
275.Fa ap_pid
276field.
277See the section
278.Dv A_SETPMASK
279above and
280.Xr getaudit 2
281for more information.
282.It Dv A_GETPINFO_ADDR
283Return the extended audit settings for a process.
284The
285.Fa data
286argument
287must point to a
288.Vt auditpinfo_addr_t
289structure which is similar to the
290.Vt auditpinfo_addr_t
291structure described above.
292The exception is the
293.Fa ap_termid
294(the terminal ID) field which points to a
295.Vt au_tid_addr_t
296structure can hold much a larger terminal address and an address type.
297The process ID of the target process is passed into the kernel using the
298.Fa ap_pid
299field.
300See the section
301.Dv A_SETPMASK
302above and
303.Xr getaudit 2
304for more information.
305.It Dv A_GETKMASK
306Return the current kernel preselection masks.
307The
308.Fa data
309argument
310must point to a
311.Vt au_mask_t
312structure which will be set to
313the current kernel preselection masks for non-attributable events.
314.It Dv A_GETPOLICY
315Return the current audit policy setting.
316The
317.Fa data
318argument
319must point to a
320.Vt long
321value which will be set to
322one of the current audit policy flags.
323The audit policy flags are
324described in the
325.Dv A_SETPOLICY
326section above.
327.It Dv A_GETQCTRL
328Return the current kernel audit queue control parameters.
329The
330.Fa data
331argument
332must point to a
333.Vt au_qctrl_t
334structure which will be set to the current
335kernel audit queue control parameters.
336See the
337.Dv A_SETQCTL
338section above for more information.
339.It Dv A_GETFSIZE
340Returns the maximum size of the audit log file.
341The
342.Fa data
343argument
344must point to a
345.Vt au_fstat_t
346structure.
347The
348.Va af_filesz
349field will be set to the maximum audit log file size.
350A value of 0 indicates no limit to the size.
351The
352.Va af_currsz
353field
354will be set to the current audit log file size.
355.It Dv A_GETCWD
356.\" [COMMENTED OUT]: Valid description, not yet implemented.
357.\" Return the current working directory as stored in the audit subsystem.
358Return
359.Er ENOSYS .
360(Not implemented.)
361.It Dv A_GETCAR
362.\" [COMMENTED OUT]: Valid description, not yet implemented.
363.\"Stores and returns the current active root as stored in the audit
364.\"subsystem.
365Return
366.Er ENOSYS .
367(Not implemented.)
368.It Dv A_GETSTAT
369.\" [COMMENTED OUT]: Valid description, not yet implemented.
370.\"Return the statistics stored in the audit system.
371Return
372.Er ENOSYS .
373(Not implemented.)
374.It Dv A_GETCOND
375Return the current auditing condition.
376The
377.Fa data
378argument
379must point to a
380.Vt long
381value which will be set to
382the current audit condition, one of
383.Dv AUC_AUDITING ,
384.Dv AUC_NOAUDIT
385or
386.Dv AUC_DISABLED .
387See the
388.Dv A_SETCOND
389section above for more information.
390.It Dv A_SENDTRIGGER
391Send a trigger to the audit daemon.
392The
393.Fa data
394argument
395must point to a
396.Vt long
397value set to one of the acceptable
398trigger values:
399.Dv AUDIT_TRIGGER_LOW_SPACE
400(low disk space where the audit log resides),
401.Dv AUDIT_TRIGGER_OPEN_NEW
402(open a new audit log file),
403.Dv AUDIT_TRIGGER_READ_FILE
404(read the
405.Pa audit_control
406file),
407.Dv AUDIT_TRIGGER_CLOSE_AND_DIE
408(close the current log file and exit),
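Review bot: `.Dd July 10, 2008` is identical on both sides (old line 30, new line 31), although this revision changes the documented behaviour of `A_SENDTRIGGER` and the added copyright line covers 2008-2009. Bump `.Dd` to the date of this change so the rendered page shows that the trigger list was revised; as it stands, the only markers of the revision are the `$P4$` id going from #14 to #15 and the new copyright line.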
408or
409.Dv AUDIT_TRIGGER_NO_SPACE
410(no disk space left for audit log file).
409.Dv AUDIT_TRIGGER_NO_SPACE
410(no disk space left for audit log file).
411.Dv AUDIT_TRIGGER_ROTATE_USER
412(request audit log file rotation).
413.Dv AUDIT_TRIGGER_INITIALIZE
414(initialize audit subsystem for Mac OS X only).
415or
416.Dv AUDIT_TRIGGER_EXPIRE_TRAILS
417(request audit log file expiration).
411.El
412.Sh RETURN VALUES
413.Rv -std
414.Sh ERRORS
415The
416.Fn auditon
417function will fail if:
418.Bl -tag -width Er
419.It Bq Er ENOSYS
420Returned by options not yet implemented.
421.It Bq Er EFAULT
422A failure occurred while data transferred to or from
423the kernel failed.
424.It Bq Er EINVAL
425Illegal argument was passed by a system call.
426.It Bq Er EPERM
427The process does not have sufficient permission to complete
428the operation.
429.El
430.Pp
431The
432.Dv A_SENDTRIGGER
433command is specific to the
434.Fx
435and Mac OS X implementations, and is not present in Solaris.
436.Sh SEE ALSO
437.Xr audit 2 ,
438.Xr auditctl 2 ,
439.Xr getaudit 2 ,
440.Xr getaudit_addr 2 ,
441.Xr getauid 2 ,
442.Xr setaudit 2 ,
443.Xr setaudit_addr 2 ,
444.Xr setauid 2 ,
445.Xr libbsm 3
446.Sh HISTORY
447The OpenBSM implementation was created by McAfee Research, the security
448division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
449It was subsequently adopted by the TrustedBSD Project as the foundation for
450the OpenBSM distribution.
451.Sh AUTHORS
452.An -nosplit
453This software was created by McAfee Research, the security research division
454of McAfee, Inc., under contract to Apple Computer Inc.
455Additional authors include
456.An Wayne Salamon ,
457.An Robert Watson ,
458and SPARTA Inc.
459.Pp
460The Basic Security Module (BSM) interface to audit records and audit event
461stream format were defined by Sun Microsystems.
462.Pp
463This manual page was written by
464.An Tom Rhodes Aq trhodes@FreeBSD.org ,
465.An Robert Watson Aq rwatson@FreeBSD.org ,
466and
467.An Wayne Salamon Aq wsalamon@FreeBSD.org .
418.El
419.Sh RETURN VALUES
420.Rv -std
421.Sh ERRORS
422The
423.Fn auditon
424function will fail if:
425.Bl -tag -width Er
426.It Bq Er ENOSYS
427Returned by options not yet implemented.
428.It Bq Er EFAULT
429A failure occurred while data transferred to or from
430the kernel failed.
431.It Bq Er EINVAL
432Illegal argument was passed by a system call.
433.It Bq Er EPERM
434The process does not have sufficient permission to complete
435the operation.
436.El
437.Pp
438The
439.Dv A_SENDTRIGGER
440command is specific to the
441.Fx
442and Mac OS X implementations, and is not present in Solaris.
443.Sh SEE ALSO
444.Xr audit 2 ,
445.Xr auditctl 2 ,
446.Xr getaudit 2 ,
447.Xr getaudit_addr 2 ,
448.Xr getauid 2 ,
449.Xr setaudit 2 ,
450.Xr setaudit_addr 2 ,
451.Xr setauid 2 ,
452.Xr libbsm 3
453.Sh HISTORY
454The OpenBSM implementation was created by McAfee Research, the security
455division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
456It was subsequently adopted by the TrustedBSD Project as the foundation for
457the OpenBSM distribution.
458.Sh AUTHORS
459.An -nosplit
460This software was created by McAfee Research, the security research division
461of McAfee, Inc., under contract to Apple Computer Inc.
462Additional authors include
463.An Wayne Salamon ,
464.An Robert Watson ,
465and SPARTA Inc.
466.Pp
467The Basic Security Module (BSM) interface to audit records and audit event
468stream format were defined by Sun Microsystems.
469.Pp
470This manual page was written by
471.An Tom Rhodes Aq trhodes@FreeBSD.org ,
472.An Robert Watson Aq rwatson@FreeBSD.org ,
473and
474.An Wayne Salamon Aq wsalamon@FreeBSD.org .
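Review bot: In the `A_SENDTRIGGER` trigger list (new lines 409-417), each added entry ends its parenthetical with a period, so what was one comma-separated sentence now renders as four fragments: "(no disk space left for audit log file).", "(request audit log file rotation).", "(initialize audit subsystem for Mac OS X only)." and then "or ... (request audit log file expiration).". The old text had "or" before `AUDIT_TRIGGER_NO_SPACE` and a single closing period; the new text drops that "or" but keeps the period. Use commas after the `AUDIT_TRIGGER_NO_SPACE`, `AUDIT_TRIGGER_ROTATE_USER` and `AUDIT_TRIGGER_INITIALIZE` descriptions, matching the entries above them, and leave the period only after `AUDIT_TRIGGER_EXPIRE_TRAILS`. The wording "initialize audit subsystem for Mac OS X only" is also ambiguous about whether the trigger exists only on Mac OS X or only initializes something there; "(initialize the audit subsystem; Mac OS X only)" would be clearer and would sit better next to the existing paragraph stating that `A_SENDTRIGGER` is specific to FreeBSD and Mac OS X.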