.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
.\" Copyright (c) 2005 Tom Rhodes
.\" Copyright (c) 2005 Wayne J. Salamon
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" --- 11 unchanged lines hidden ---
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#11 $
.\"
.Dd April 19, 2005
.Dt AUDITON 2
.Os
.Sh NAME
.Nm auditon
.Nd "configure system audit parameters"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
.Fn auditon "int cmd" "void *data" "u_int length"
.Sh DESCRIPTION
The
.Fn auditon
system call is used to manipulate various audit control operations.
The
.Fa data
argument
should point to a structure whose type depends on the command.
The
.Fa length
argument
specifies the size of
.Fa *data
in bytes.
The
.Fa cmd
argument
may be any of the following:
.Bl -tag -width ".It Dv A_GETPINFO_ADDR"
.It Dv A_SETPOLICY
Set audit policy flags.
The
.Fa data
argument
must point to a
.Vt long
value set to one of the audit
policy control values defined in
.In bsm/audit.h .
Currently, only
.Dv AUDIT_CNT
and
.Dv AUDIT_AHLT
are implemented.
In the
.Dv AUDIT_CNT
case, the action will continue regardless if
.\" --- 4 unchanged lines hidden ---
.Xr panic 9
will result if an event will not be written to the
audit log file.
.It Dv A_SETKAUDIT
Return
.Er ENOSYS .
.It Dv A_SETKMASK
Set the kernel preselection masks (success and failure).
The
.Fa data
argument
must point to a
.Vt au_mask_t
structure containing the mask values.
These masks are used for non-attributable audit event preselection.
.It Dv A_SETQCTRL
Set kernel audit queue parameters.
The
.Fa data
argument
must point to a
.Vt au_qctrl_t
structure containing the
kernel audit queue control settings:
.Dq "high water" ,
.Dq "low water" ,
.Dq "output buffer size" ,
.Dq "percent min free disk space" ,
and
.Dq delay
(not currently used).
.It Dv A_SETSTAT
Return
.Er ENOSYS .
.It Dv A_SETUMASK
Return
.Er ENOSYS .
.It Dv A_SETSMASK
Return
.Er ENOSYS .
.It Dv A_SETCOND
Set the current auditing condition.
The
.Fa data
argument
must point to a
.Vt long
value containing the new
audit condition, one of
.Dv AUC_AUDITING ,
.Dv AUC_NOAUDIT ,
or
.Dv AUC_DISABLED .
.It Dv A_SETCLASS
Set the event class preselection mask for an audit event.
The
.Fa data
argument
must point to a
.Vt au_evclass_map_t
structure containing the audit event and mask.
.It Dv A_SETPMASK
Set the preselection masks for a process.
The
.Fa data
argument
must point to a
.Vt auditpinfo_t
structure that contains the given process's audit
preselection masks for both success and failure.
.It Dv A_SETFSIZE
Set the maximum size of the audit log file.
The
.Fa data
argument
must point to a
.Vt au_fstat_t
structure with the
.Va af_filesz
field set to the maximum audit log file size.
A value of 0
indicates no limit to the size.
.It Dv A_SETKAUDIT
Return
.Er ENOSYS .
.It Dv A_GETCLASS
Return the event to class mapping for the designated audit event.
The
.Fa data
argument
must point to a
.Vt au_evclass_map_t
structure.
.It Dv A_GETKAUDIT
Return
.Er ENOSYS .
.It Dv A_GETPINFO
Return the audit settings for a process.
The
.Fa data
argument
must point to a
.Vt auditpinfo_t
structure which will be set to contain
the audit ID, preselection mask, terminal ID, and audit session
ID of the given process.
.It Dv A_GETPINFO_ADDR
Return
.Er ENOSYS .
.It Dv A_GETKMASK
Return the current kernel preselection masks.
The
.Fa data
argument
must point to a
.Vt au_mask_t
structure which will be set to
the current kernel preselection masks for non-attributable events.
.It Dv A_GETPOLICY
Return the current audit policy setting.
The
.Fa data
argument
must point to a
.Vt long
value which will be set to
one of the current audit policy flags.
Currently, only
.Dv AUDIT_CNT
and
.Dv AUDIT_AHLT
are implemented.
.It Dv A_GETQCTRL
Return the current kernel audit queue control parameters.
The
.Fa data
argument
must point to a
.Vt au_qctrl_t
structure which will be set to the current
kernel audit queue control parameters.
.It Dv A_GETFSIZE
Returns the maximum size of the audit log file.
The
.Fa data
argument
must point to a
.Vt au_fstat_t
structure.
The
.Va af_filesz
field will be set to the maximum audit log file size.
A value of 0 indicates no limit to the size.
The
.Va af_currsz
field
will be set to the current audit log file size.
.It Dv A_GETCWD
.\" [COMMENTED OUT]: Valid description, not yet implemented.
.\" Return the current working directory as stored in the audit subsystem.
Return
.Er ENOSYS .
.It Dv A_GETCAR
.\" [COMMENTED OUT]: Valid description, not yet implemented.
.\"Stores and returns the current active root as stored in the audit
.\"subsystem.
Return
.Er ENOSYS .
.It Dv A_GETSTAT
.\" [COMMENTED OUT]: Valid description, not yet implemented.
.\"Return the statistics stored in the audit system.
Return
.Er ENOSYS .
.It Dv A_GETCOND
Return the current auditing condition.
The
.Fa data
argument
must point to a
.Vt long
value which will be set to
the current audit condition, either
.Dv AUC_AUDITING
or
.Dv AUC_NOAUDIT .
.It Dv A_SENDTRIGGER
Send a trigger to the audit daemon.
The
.Fa data
argument
must point to a
.Vt long
value set to one of the acceptable
trigger values:
.Dv AUDIT_TRIGGER_LOW_SPACE
(low disk space where the audit log resides),
.Dv AUDIT_TRIGGER_OPEN_NEW
(open a new audit log file),
.Dv AUDIT_TRIGGER_READ_FILE
(read the
.Pa audit_control
.\" --- 26 unchanged lines hidden ---
The
.Dv A_SENDTRIGGER
command is specific to the
.Fx
and Mac OS X implementations, and is not present in Solaris.
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditctl 2 ,
.Xr getaudit 2 ,
.Xr getaudit_addr 2 ,
.Xr getauid 2 ,
.Xr setaudit 2 ,
.Xr setaudit_addr 2 ,
.Xr setauid 2 ,
.Xr libbsm 3
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh AUTHORS
.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include
.An Wayne Salamon ,
.An Robert Watson ,
and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Tom Rhodes Aq trhodes@FreeBSD.org ,
.An Robert Watson Aq rwatson@FreeBSD.org ,
and
.An Wayne Salamon Aq wsalamon@FreeBSD.org .
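
A read-only check built on the A_GETCOND, A_GETPOLICY and A_GETFSIZE commands described above, added here as an example and not part of the OpenBSM sources or this manual page. The flag names and audit_findings() are this example's own, and the stand-in constants in the #else branch are assumptions used only where <bsm/audit.h> is absent.

```c
/* Added example: read-only audit posture check built on auditon(2). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#if defined(__FreeBSD__) || defined(__APPLE__)
#include <bsm/audit.h>
#define HAVE_AUDITON 1
#else
/* Stand-in values (assumption) so the decision logic compiles where
 * <bsm/audit.h> is absent; on a BSM system the header's values are used. */
enum { AUC_AUDITING = 1, AUC_NOAUDIT = 2, AUDIT_CNT = 0x1, AUDIT_AHLT = 0x2 };
#endif

/* Review flags; the names are this example's own, not part of the API. */
enum { F_NOT_AUDITING = 1, F_CONTINUE = 2, F_NO_SIZE_LIMIT = 4 };

/* Decide what to flag from the A_GETCOND, A_GETPOLICY and A_GETFSIZE results. */
unsigned audit_findings(long cond, long policy, unsigned long long max_filesz)
{
    unsigned f = 0;
    if (cond != AUC_AUDITING) f |= F_NOT_AUDITING;   /* e.g. AUC_NOAUDIT */
    if (policy & AUDIT_CNT)   f |= F_CONTINUE;       /* actions continue regardless */
    if (max_filesz == 0)      f |= F_NO_SIZE_LIMIT;  /* af_filesz 0: no limit */
    return f;
}

int main(void)
{
#ifdef HAVE_AUDITON
    long cond = 0, policy = 0;   /* this page documents both as long */
    au_fstat_t fs;
    memset(&fs, 0, sizeof(fs));
    /* length is always the size of the object that data points to */
    if (auditon(A_GETCOND, &cond, sizeof(cond)) == -1 ||
        auditon(A_GETPOLICY, &policy, sizeof(policy)) == -1 ||
        auditon(A_GETFSIZE, &fs, sizeof(fs)) == -1) {
        fprintf(stderr, "auditon: %s\n", strerror(errno));
        return 2;
    }
    unsigned f = audit_findings(cond, policy, (unsigned long long)fs.af_filesz);
    printf("cond=%ld policy=0x%lx max=%llu cur=%llu flags=0x%x\n", cond,
           (unsigned long)policy, (unsigned long long)fs.af_filesz,
           (unsigned long long)fs.af_currsz, f);
    return f ? 1 : 0;
#else
    puts("auditon(2) is not available on this platform");
    return 0;
#endif
}
```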