| auditon.2 (162503) | auditon.2 (168777) |
|---|---|
| 1.\"- 2.\" Copyright (c) 2005 Robert N. M. Watson 3.\" Copyright (c) 2005 Tom Rhodes 4.\" Copyright (c) 2005 Wayne J. Salamon 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions --- 11 unchanged lines hidden (view full) --- 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" | 1.\"- 2.\" Copyright (c) 2005 Robert N. M. Watson 3.\" Copyright (c) 2005 Tom Rhodes 4.\" Copyright (c) 2005 Wayne J. Salamon 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions --- 11 unchanged lines hidden (view full) --- 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" |
| 28.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#8 $ | 28.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#11 $ |
| 29.\" 30.Dd April 19, 2005 31.Dt AUDITON 2 32.Os 33.Sh NAME 34.Nm auditon | 29.\" 30.Dd April 19, 2005 31.Dt AUDITON 2 32.Os 33.Sh NAME 34.Nm auditon |
| 35.Nd "Configure system audit parameters" | 35.Nd "configure system audit parameters" |
| 36.Sh SYNOPSIS 37.In bsm/audit.h 38.Ft int 39.Fn auditon "int cmd" "void *data" "u_int length" 40.Sh DESCRIPTION 41The | 36.Sh SYNOPSIS 37.In bsm/audit.h 38.Ft int 39.Fn auditon "int cmd" "void *data" "u_int length" 40.Sh DESCRIPTION 41The |
| 42.Nm | 42.Fn auditon |
| 43system call is used to manipulate various audit control operations. | 43system call is used to manipulate various audit control operations. |
| 44.Ft *data | 44The 45.Fa data 46argument |
| 45should point to a structure whose type depends on the command. | 47should point to a structure whose type depends on the command. |
| 46.Ft length 47specifies the size of the 48.Em data | 48The 49.Fa length 50argument 51specifies the size of 52.Fa *data |
| 49in bytes. | 53in bytes. |
| 50.Ft cmd | 54The 55.Fa cmd 56argument |
| 51may be any of the following: 52.Bl -tag -width ".It Dv A_GETPINFO_ADDR" 53.It Dv A_SETPOLICY 54Set audit policy flags. | 57may be any of the following: 58.Bl -tag -width ".It Dv A_GETPINFO_ADDR" 59.It Dv A_SETPOLICY 60Set audit policy flags. |
| 55.Ft *data 56must point to a long value set to one of the audit | 61The 62.Fa data 63argument 64must point to a 65.Vt long 66value set to one of the audit |
| 57policy control values defined in | 67policy control values defined in |
| 58.Pa audit.h . | 68.In bsm/audit.h . |
| 59Currently, only 60.Dv AUDIT_CNT 61and 62.Dv AUDIT_AHLT 63are implemented. 64In the 65.Dv AUDIT_CNT 66case, the action will continue regardless if --- 4 unchanged lines hidden (view full) --- 71.Xr panic 9 72will result if an event will not be written to the 73audit log file. 74.It Dv A_SETKAUDIT 75Return 76.Er ENOSYS . 77.It Dv A_SETKMASK 78Set the kernel preselection masks (success and failure). | 69Currently, only 70.Dv AUDIT_CNT 71and 72.Dv AUDIT_AHLT 73are implemented. 74In the 75.Dv AUDIT_CNT 76case, the action will continue regardless if --- 4 unchanged lines hidden (view full) --- 81.Xr panic 9 82will result if an event will not be written to the 83audit log file. 84.It Dv A_SETKAUDIT 85Return 86.Er ENOSYS . 87.It Dv A_SETKMASK 88Set the kernel preselection masks (success and failure). |
| 79.Ft *data | 89The 90.Fa data 91argument |
| 80must point to a | 92must point to a |
| 81.Ft au_mask_t | 93.Vt au_mask_t |
| 82structure containing the mask values. 83These masks are used for non-attributable audit event preselection. 84.It Dv A_SETQCTRL 85Set kernel audit queue parameters. | 94structure containing the mask values. 95These masks are used for non-attributable audit event preselection. 96.It Dv A_SETQCTRL 97Set kernel audit queue parameters. |
| 86.Ft *data | 98The 99.Fa data 100argument |
| 87must point to a | 101must point to a |
| 88.Ft au_qctrl_t | 102.Vt au_qctrl_t |
| 89structure containing the 90kernel audit queue control settings: | 103structure containing the 104kernel audit queue control settings: |
| 91.Va high water , 92.Va low water , 93.Va output buffer size , 94.Va percent min free disk space , | 105.Dq "high water" , 106.Dq "low water" , 107.Dq "output buffer size" , 108.Dq "percent min free disk space" , |
| 95and | 109and |
| 96.Em delay | 110.Dq delay |
| 97(not currently used). 98.It Dv A_SETSTAT 99Return 100.Er ENOSYS . 101.It Dv A_SETUMASK 102Return 103.Er ENOSYS . 104.It Dv A_SETSMASK 105Return 106.Er ENOSYS . 107.It Dv A_SETCOND 108Set the current auditing condition. | 111(not currently used). 112.It Dv A_SETSTAT 113Return 114.Er ENOSYS . 115.It Dv A_SETUMASK 116Return 117.Er ENOSYS . 118.It Dv A_SETSMASK 119Return 120.Er ENOSYS . 121.It Dv A_SETCOND 122Set the current auditing condition. |
| 109.Ft *data 110must point to a long value containing the new | 123The 124.Fa data 125argument 126must point to a 127.Vt long 128value containing the new |
| 111audit condition, one of 112.Dv AUC_AUDITING , 113.Dv AUC_NOAUDIT , 114or 115.Dv AUC_DISABLED . 116.It Dv A_SETCLASS 117Set the event class preselection mask for an audit event. | 129audit condition, one of 130.Dv AUC_AUDITING , 131.Dv AUC_NOAUDIT , 132or 133.Dv AUC_DISABLED . 134.It Dv A_SETCLASS 135Set the event class preselection mask for an audit event. |
| 118.Ft *data | 136The 137.Fa data 138argument |
| 119must point to a | 139must point to a |
| 120.Ft au_evclass_map_t | 140.Vt au_evclass_map_t |
| 121structure containing the audit event and mask. 122.It Dv A_SETPMASK 123Set the preselection masks for a process. | 141structure containing the audit event and mask. 142.It Dv A_SETPMASK 143Set the preselection masks for a process. |
| 124.Ft *data | 144The 145.Fa data 146argument |
| 125must point to a | 147must point to a |
| 126.Ft auditpinfo_t 127structure that contains the given process's audit | 148.Vt auditpinfo_t 149structure that contains the given process's audit |
| 128preselection masks for both success and failure. 129.It Dv A_SETFSIZE 130Set the maximum size of the audit log file. | 150preselection masks for both success and failure. 151.It Dv A_SETFSIZE 152Set the maximum size of the audit log file. |
| 131.Ft *data | 153The 154.Fa data 155argument |
| 132must point to a | 156must point to a |
| 133.Ft au_fstat_t | 157.Vt au_fstat_t |
| 134structure with the | 158structure with the |
| 135.Ft af_filesz 136field set to the maximum audit log file size. A value of 0 | 159.Va af_filesz 160field set to the maximum audit log file size. 161A value of 0 |
| 137indicates no limit to the size. 138.It Dv A_SETKAUDIT 139Return 140.Er ENOSYS . 141.It Dv A_GETCLASS 142Return the event to class mapping for the designated audit event. | 162indicates no limit to the size. 163.It Dv A_SETKAUDIT 164Return 165.Er ENOSYS . 166.It Dv A_GETCLASS 167Return the event to class mapping for the designated audit event. |
| 143.Ft *data 144must point to a 145.Ft au_evclass_map_t | 168The 169.Fa data 170argument 171must point to a 172.Vt au_evclass_map_t |
| 146structure. 147.It Dv A_GETKAUDIT 148Return 149.Er ENOSYS . 150.It Dv A_GETPINFO 151Return the audit settings for a process. | 173structure. 174.It Dv A_GETKAUDIT 175Return 176.Er ENOSYS . 177.It Dv A_GETPINFO 178Return the audit settings for a process. |
| 152.Ft *data | 179The 180.Fa data 181argument |
| 153must point to a | 182must point to a |
| 154.Ft auditpinfo_t | 183.Vt auditpinfo_t |
| 155structure which will be set to contain 156the audit ID, preselection mask, terminal ID, and audit session 157ID of the given process. 158.It Dv A_GETPINFO_ADDR 159Return 160.Er ENOSYS . 161.It Dv A_GETKMASK 162Return the current kernel preselection masks. | 184structure which will be set to contain 185the audit ID, preselection mask, terminal ID, and audit session 186ID of the given process. 187.It Dv A_GETPINFO_ADDR 188Return 189.Er ENOSYS . 190.It Dv A_GETKMASK 191Return the current kernel preselection masks. |
| 163.Ft *data | 192The 193.Fa data 194argument |
| 164must point to a | 195must point to a |
| 165.Ft au_mask_t 166structure which will be set to | 196.Vt au_mask_t 197structure which will be set to |
| 167the current kernel preselection masks for non-attributable events. 168.It Dv A_GETPOLICY 169Return the current audit policy setting. | 198the current kernel preselection masks for non-attributable events. 199.It Dv A_GETPOLICY 200Return the current audit policy setting. |
| 170.Ft *data 171must point to a long value which will be set to | 201The 202.Fa data 203argument 204must point to a 205.Vt long 206value which will be set to |
| 172one of the current audit policy flags. 173Currently, only 174.Dv AUDIT_CNT 175and 176.Dv AUDIT_AHLT 177are implemented. 178.It Dv A_GETQCTRL 179Return the current kernel audit queue control parameters. | 207one of the current audit policy flags. 208Currently, only 209.Dv AUDIT_CNT 210and 211.Dv AUDIT_AHLT 212are implemented. 213.It Dv A_GETQCTRL 214Return the current kernel audit queue control parameters. |
| 180.Ft *data 181must point to a 182.Ft au_qctrl_t | 215The 216.Fa data 217argument 218must point to a 219.Vt au_qctrl_t |
| 183structure which will be set to the current 184kernel audit queue control parameters. 185.It Dv A_GETFSIZE 186Returns the maximum size of the audit log file. | 220structure which will be set to the current 221kernel audit queue control parameters. 222.It Dv A_GETFSIZE 223Returns the maximum size of the audit log file. |
| 187.Ft *data | 224The 225.Fa data 226argument |
| 188must point to a | 227must point to a |
| 189.Ft au_fstat_t 190structure. The 191.Ft af_filesz | 228.Vt au_fstat_t 229structure. 230The 231.Va af_filesz |
| 192field will be set to the maximum audit log file size. 193A value of 0 indicates no limit to the size. 194The | 232field will be set to the maximum audit log file size. 233A value of 0 indicates no limit to the size. 234The |
| 195.Ft af_currsz | 235.Va af_currsz 236field |
| 196will be set to the current audit log file size. 197.It Dv A_GETCWD 198.\" [COMMENTED OUT]: Valid description, not yet implemented. 199.\" Return the current working directory as stored in the audit subsystem. 200Return 201.Er ENOSYS . 202.It Dv A_GETCAR 203.\" [COMMENTED OUT]: Valid description, not yet implemented. 204.\"Stores and returns the current active root as stored in the audit 205.\"subsystem. 206Return 207.Er ENOSYS . 208.It Dv A_GETSTAT 209.\" [COMMENTED OUT]: Valid description, not yet implemented. 210.\"Return the statistics stored in the audit system. 211Return 212.Er ENOSYS . 213.It Dv A_GETCOND 214Return the current auditing condition. | 237will be set to the current audit log file size. 238.It Dv A_GETCWD 239.\" [COMMENTED OUT]: Valid description, not yet implemented. 240.\" Return the current working directory as stored in the audit subsystem. 241Return 242.Er ENOSYS . 243.It Dv A_GETCAR 244.\" [COMMENTED OUT]: Valid description, not yet implemented. 245.\"Stores and returns the current active root as stored in the audit 246.\"subsystem. 247Return 248.Er ENOSYS . 249.It Dv A_GETSTAT 250.\" [COMMENTED OUT]: Valid description, not yet implemented. 251.\"Return the statistics stored in the audit system. 252Return 253.Er ENOSYS . 254.It Dv A_GETCOND 255Return the current auditing condition. |
| 215.Ft *data 216must point to a long value which will be set to | 256The 257.Fa data 258argument 259must point to a 260.Vt long 261value which will be set to |
| 217the current audit condition, either 218.Dv AUC_AUDITING 219or 220.Dv AUC_NOAUDIT . 221.It Dv A_SENDTRIGGER 222Send a trigger to the audit daemon. | 262the current audit condition, either 263.Dv AUC_AUDITING 264or 265.Dv AUC_NOAUDIT . 266.It Dv A_SENDTRIGGER 267Send a trigger to the audit daemon. |
| 223.Fr *data 224must point to a long value set to one of the acceptable | 268The 269.Fa data 270argument 271must point to a 272.Vt long 273value set to one of the acceptable |
| 225trigger values: 226.Dv AUDIT_TRIGGER_LOW_SPACE 227(low disk space where the audit log resides), 228.Dv AUDIT_TRIGGER_OPEN_NEW 229(open a new audit log file), 230.Dv AUDIT_TRIGGER_READ_FILE 231(read the 232.Pa audit_control --- 26 unchanged lines hidden (view full) --- 259The 260.Dv A_SENDTRIGGER 261command is specific to the 262.Fx 263and Mac OS X implementations, and is not present in Solaris. 264.Sh SEE ALSO 265.Xr audit 2 , 266.Xr auditctl 2 , | 274trigger values: 275.Dv AUDIT_TRIGGER_LOW_SPACE 276(low disk space where the audit log resides), 277.Dv AUDIT_TRIGGER_OPEN_NEW 278(open a new audit log file), 279.Dv AUDIT_TRIGGER_READ_FILE 280(read the 281.Pa audit_control --- 26 unchanged lines hidden (view full) --- 308The 309.Dv A_SENDTRIGGER 310command is specific to the 311.Fx 312and Mac OS X implementations, and is not present in Solaris. 313.Sh SEE ALSO 314.Xr audit 2 , 315.Xr auditctl 2 , |
| 267.Xr getauid 2 , 268.Xr setauid 2 , | |
| 269.Xr getaudit 2 , | 316.Xr getaudit 2 , |
| 270.Xr setaudit 2 , | |
| 271.Xr getaudit_addr 2 , | 317.Xr getaudit_addr 2 , |
| 318.Xr getauid 2 , 319.Xr setaudit 2 , |
|
| 272.Xr setaudit_addr 2 , | 320.Xr setaudit_addr 2 , |
| 321.Xr setauid 2 , |
|
| 273.Xr libbsm 3 | 322.Xr libbsm 3 |
| 323.Sh HISTORY 324The OpenBSM implementation was created by McAfee Research, the security 325division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004. 326It was subsequently adopted by the TrustedBSD Project as the foundation for 327the OpenBSM distribution. |
|
| 274.Sh AUTHORS | 328.Sh AUTHORS |
| 329.An -nosplit |
|
| 275This software was created by McAfee Research, the security research division 276of McAfee, Inc., under contract to Apple Computer Inc. | 330This software was created by McAfee Research, the security research division 331of McAfee, Inc., under contract to Apple Computer Inc. |
| 277Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. | 332Additional authors include 333.An Wayne Salamon , 334.An Robert Watson , 335and SPARTA Inc. |
| 278.Pp 279The Basic Security Module (BSM) interface to audit records and audit event 280stream format were defined by Sun Microsystems. 281.Pp 282This manual page was written by 283.An Tom Rhodes Aq trhodes@FreeBSD.org , 284.An Robert Watson Aq rwatson@FreeBSD.org , 285and 286.An Wayne Salamon Aq wsalamon@FreeBSD.org . | 336.Pp 337The Basic Security Module (BSM) interface to audit records and audit event 338stream format were defined by Sun Microsystems. 339.Pp 340This manual page was written by 341.An Tom Rhodes Aq trhodes@FreeBSD.org , 342.An Robert Watson Aq rwatson@FreeBSD.org , 343and 344.An Wayne Salamon Aq wsalamon@FreeBSD.org . |
| 287.Sh HISTORY 288The OpenBSM implementation was created by McAfee Research, the security 289division of McAfee Inc., under contract to Apple Computer Inc. in 2003. 290It was subsequently adopted by the TrustedBSD Project as the foundation for 291the OpenBSM distribution. | |