1.\"-
2.\" Copyright (c) 2005 Robert N. M. Watson
3.\" Copyright (c) 2005 Tom Rhodes
4.\" Copyright (c) 2005 Wayne J. Salamon
5.\" All rights reserved.
6.\"
7.\" Redistribution and use in source and binary forms, with or without
8.\" modification, are permitted provided that the following conditions

--- 11 unchanged lines hidden ---

20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26.\" SUCH DAMAGE.
27.\"
28.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#8 $
28.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#11 $
29.\"
30.Dd April 19, 2005
31.Dt AUDITON 2
32.Os
33.Sh NAME
34.Nm auditon
35.Nd "Configure system audit parameters"
35.Nd "configure system audit parameters"
36.Sh SYNOPSIS
37.In bsm/audit.h
38.Ft int
39.Fn auditon "int cmd" "void *data" "u_int length"
40.Sh DESCRIPTION
41The
42.Nm
42.Fn auditon
43system call is used to manipulate various audit control operations.
44.Ft *data
44The
45.Fa data
46argument
47should point to a structure whose type depends on the command.
46.Ft length
47specifies the size of the
48.Em data
48The
49.Fa length
50argument
51specifies the size of
52.Fa *data
53in bytes.
50.Ft cmd
54The
55.Fa cmd
56argument
57may be any of the following:
58.Bl -tag -width ".It Dv A_GETPINFO_ADDR"
59.It Dv A_SETPOLICY
60Set audit policy flags.
55.Ft *data
56must point to a long value set to one of the audit
61The
62.Fa data
63argument
64must point to a
65.Vt long
66value set to one of the audit
67policy control values defined in
58.Pa audit.h .
68.In bsm/audit.h .
69Currently, only
70.Dv AUDIT_CNT
71and
72.Dv AUDIT_AHLT
73are implemented.
74In the
75.Dv AUDIT_CNT
76case, the action will continue regardless if
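
Review bot: The A_SETPOLICY item opens with "Set audit policy flags." but the rewritten sentence still says the long is "set to one of the audit policy control values", so a caller cannot tell whether AUDIT_CNT and AUDIT_AHLT may be ORed together or must be passed singly. Since that sentence is being re-marked anyway, reword it to match what the kernel accepts. Two smaller points in the same hunk: .Dd still reads April 19, 2005 although the $P4$ id moves from #8 to #11, so bump the date; and the length paragraph uses ".Fa *data" where every other reference uses ".Fa data", so if the asterisk is meant as a dereference, write "the structure pointed to by data" instead.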

--- 4 unchanged lines hidden ---

81.Xr panic 9
82will result if an event will not be written to the
83audit log file.
84.It Dv A_SETKAUDIT
85Return
86.Er ENOSYS .
87.It Dv A_SETKMASK
88Set the kernel preselection masks (success and failure).
79.Ft *data
89The
90.Fa data
91argument
92must point to a
81.Ft au_mask_t
93.Vt au_mask_t
94structure containing the mask values.
95These masks are used for non-attributable audit event preselection.
96.It Dv A_SETQCTRL
97Set kernel audit queue parameters.
86.Ft *data
98The
99.Fa data
100argument
101must point to a
88.Ft au_qctrl_t
102.Vt au_qctrl_t
103structure containing the
104kernel audit queue control settings:
91.Va high water ,
92.Va low water ,
93.Va output buffer size ,
94.Va percent min free disk space ,
105.Dq "high water" ,
106.Dq "low water" ,
107.Dq "output buffer size" ,
108.Dq "percent min free disk space" ,
109and
96.Em delay
110.Dq delay
111(not currently used).
112.It Dv A_SETSTAT
113Return
114.Er ENOSYS .
115.It Dv A_SETUMASK
116Return
117.Er ENOSYS .
118.It Dv A_SETSMASK
119Return
120.Er ENOSYS .
121.It Dv A_SETCOND
122Set the current auditing condition.
109.Ft *data
110must point to a long value containing the new
123The
124.Fa data
125argument
126must point to a
127.Vt long
128value containing the new
129audit condition, one of
130.Dv AUC_AUDITING ,
131.Dv AUC_NOAUDIT ,
132or
133.Dv AUC_DISABLED .
134.It Dv A_SETCLASS
135Set the event class preselection mask for an audit event.
118.Ft *data
136The
137.Fa data
138argument
139must point to a
120.Ft au_evclass_map_t
140.Vt au_evclass_map_t
141structure containing the audit event and mask.
142.It Dv A_SETPMASK
143Set the preselection masks for a process.
124.Ft *data
144The
145.Fa data
146argument
147must point to a
126.Ft auditpinfo_t
127structure that contains the given process's audit
148.Vt auditpinfo_t
149structure that contains the given process's audit
150preselection masks for both success and failure.
151.It Dv A_SETFSIZE
152Set the maximum size of the audit log file.
131.Ft *data
153The
154.Fa data
155argument
156must point to a
133.Ft au_fstat_t
157.Vt au_fstat_t
158structure with the
135.Ft af_filesz
136field set to the maximum audit log file size. A value of 0
159.Va af_filesz
160field set to the maximum audit log file size.
161A value of 0
162indicates no limit to the size.
163.It Dv A_SETKAUDIT
164Return
165.Er ENOSYS .
166.It Dv A_GETCLASS
167Return the event to class mapping for the designated audit event.
143.Ft *data
144must point to a
145.Ft au_evclass_map_t
168The
169.Fa data
170argument
171must point to a
172.Vt au_evclass_map_t
173structure.
174.It Dv A_GETKAUDIT
175Return
176.Er ENOSYS .
177.It Dv A_GETPINFO
178Return the audit settings for a process.
152.Ft *data
179The
180.Fa data
181argument
182must point to a
154.Ft auditpinfo_t
183.Vt auditpinfo_t
184structure which will be set to contain
185the audit ID, preselection mask, terminal ID, and audit session
186ID of the given process.
187.It Dv A_GETPINFO_ADDR
188Return
189.Er ENOSYS .
190.It Dv A_GETKMASK
191Return the current kernel preselection masks.
163.Ft *data
192The
193.Fa data
194argument
195must point to a
165.Ft au_mask_t
166structure which will be set to
196.Vt au_mask_t
197structure which will be set to
198the current kernel preselection masks for non-attributable events.
199.It Dv A_GETPOLICY
200Return the current audit policy setting.
170.Ft *data
171must point to a long value which will be set to
201The
202.Fa data
203argument
204must point to a
205.Vt long
206value which will be set to
207one of the current audit policy flags.
208Currently, only
209.Dv AUDIT_CNT
210and
211.Dv AUDIT_AHLT
212are implemented.
213.It Dv A_GETQCTRL
214Return the current kernel audit queue control parameters.
180.Ft *data
181must point to a
182.Ft au_qctrl_t
215The
216.Fa data
217argument
218must point to a
219.Vt au_qctrl_t
220structure which will be set to the current
221kernel audit queue control parameters.
222.It Dv A_GETFSIZE
223Returns the maximum size of the audit log file.
187.Ft *data
224The
225.Fa data
226argument
227must point to a
189.Ft au_fstat_t
190structure. The
191.Ft af_filesz
228.Vt au_fstat_t
229structure.
230The
231.Va af_filesz
232field will be set to the maximum audit log file size.
233A value of 0 indicates no limit to the size.
234The
195.Ft af_currsz
235.Va af_currsz
236field
237will be set to the current audit log file size.
238.It Dv A_GETCWD
239.\" [COMMENTED OUT]: Valid description, not yet implemented.
240.\" Return the current working directory as stored in the audit subsystem.
241Return
242.Er ENOSYS .
243.It Dv A_GETCAR
244.\" [COMMENTED OUT]: Valid description, not yet implemented.
245.\"Stores and returns the current active root as stored in the audit
246.\"subsystem.
247Return
248.Er ENOSYS .
249.It Dv A_GETSTAT
250.\" [COMMENTED OUT]: Valid description, not yet implemented.
251.\"Return the statistics stored in the audit system.
252Return
253.Er ENOSYS .
254.It Dv A_GETCOND
255Return the current auditing condition.
215.Ft *data
216must point to a long value which will be set to
256The
257.Fa data
258argument
259must point to a
260.Vt long
261value which will be set to
262the current audit condition, either
263.Dv AUC_AUDITING
264or
265.Dv AUC_NOAUDIT .
266.It Dv A_SENDTRIGGER
267Send a trigger to the audit daemon.
223.Fr *data
224must point to a long value set to one of the acceptable
268The
269.Fa data
270argument
271must point to a
272.Vt long
273value set to one of the acceptable
274trigger values:
275.Dv AUDIT_TRIGGER_LOW_SPACE
276(low disk space where the audit log resides),
277.Dv AUDIT_TRIGGER_OPEN_NEW
278(open a new audit log file),
279.Dv AUDIT_TRIGGER_READ_FILE
280(read the
281.Pa audit_control
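
Review bot: A_SETKAUDIT is listed twice in the command list, once after A_SETPOLICY and again after A_SETFSIZE, both with the same "Return ENOSYS." body, and both entries survive this change; drop the second one. A_SETCOND documents three conditions (AUC_AUDITING, AUC_NOAUDIT, AUC_DISABLED) while A_GETCOND says "either AUC_AUDITING or AUC_NOAUDIT"; if AUC_DISABLED can be returned, list it there as well, otherwise state why it cannot. A_GETFSIZE begins with "Returns" where the other A_GET items begin with "Return".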

--- 26 unchanged lines hidden ---

308The
309.Dv A_SENDTRIGGER
310command is specific to the
311.Fx
312and Mac OS X implementations, and is not present in Solaris.
313.Sh SEE ALSO
314.Xr audit 2 ,
315.Xr auditctl 2 ,
267.Xr getauid 2 ,
268.Xr setauid 2 ,
316.Xr getaudit 2 ,
270.Xr setaudit 2 ,
317.Xr getaudit_addr 2 ,
318.Xr getauid 2 ,
319.Xr setaudit 2 ,
320.Xr setaudit_addr 2 ,
321.Xr setauid 2 ,
322.Xr libbsm 3
323.Sh HISTORY
324The OpenBSM implementation was created by McAfee Research, the security
325division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
326It was subsequently adopted by the TrustedBSD Project as the foundation for
327the OpenBSM distribution.
328.Sh AUTHORS
329.An -nosplit
330This software was created by McAfee Research, the security research division
331of McAfee, Inc., under contract to Apple Computer Inc.
277Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
332Additional authors include
333.An Wayne Salamon ,
334.An Robert Watson ,
335and SPARTA Inc.
336.Pp
337The Basic Security Module (BSM) interface to audit records and audit event
338stream format were defined by Sun Microsystems.
339.Pp
340This manual page was written by
341.An Tom Rhodes Aq trhodes@FreeBSD.org ,
342.An Robert Watson Aq rwatson@FreeBSD.org ,
343and
344.An Wayne Salamon Aq wsalamon@FreeBSD.org .
287.Sh HISTORY
288The OpenBSM implementation was created by McAfee Research, the security
289division of McAfee Inc., under contract to Apple Computer Inc. in 2003.
290It was subsequently adopted by the TrustedBSD Project as the foundation for
291the OpenBSM distribution.
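
Review bot: The relocated HISTORY paragraph changes the contract year from 2003 to 2004 ("under contract to Apple Computer Inc.\& in 2004"), a factual change that rides along with a section move and markup cleanup; confirm which year is correct and mention it in the commit message so it is not mistaken for a typo later. In AUTHORS, Wayne Salamon and Robert Watson now get .An but "SPARTA Inc." is left as plain text on the same list; mark it up the same way or note that the difference is intentional.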