auditon.2 (162503) auditon.2 (168777)
1.\"-
2.\" Copyright (c) 2005 Robert N. M. Watson
3.\" Copyright (c) 2005 Tom Rhodes
4.\" Copyright (c) 2005 Wayne J. Salamon
5.\" All rights reserved.
6.\"
7.\" Redistribution and use in source and binary forms, with or without
8.\" modification, are permitted provided that the following conditions

--- 11 unchanged lines hidden (view full) ---

20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26.\" SUCH DAMAGE.
27.\"
1.\"-
2.\" Copyright (c) 2005 Robert N. M. Watson
3.\" Copyright (c) 2005 Tom Rhodes
4.\" Copyright (c) 2005 Wayne J. Salamon
5.\" All rights reserved.
6.\"
7.\" Redistribution and use in source and binary forms, with or without
8.\" modification, are permitted provided that the following conditions

--- 11 unchanged lines hidden (view full) ---

20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26.\" SUCH DAMAGE.
27.\"
28.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#8 $
28.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#11 $
29.\"
30.Dd April 19, 2005
31.Dt AUDITON 2
32.Os
33.Sh NAME
34.Nm auditon
29.\"
30.Dd April 19, 2005
31.Dt AUDITON 2
32.Os
33.Sh NAME
34.Nm auditon
35.Nd "Configure system audit parameters"
35.Nd "configure system audit parameters"
36.Sh SYNOPSIS
37.In bsm/audit.h
38.Ft int
39.Fn auditon "int cmd" "void *data" "u_int length"
40.Sh DESCRIPTION
41The
36.Sh SYNOPSIS
37.In bsm/audit.h
38.Ft int
39.Fn auditon "int cmd" "void *data" "u_int length"
40.Sh DESCRIPTION
41The
42.Nm
42.Fn auditon
43system call is used to manipulate various audit control operations.
43system call is used to manipulate various audit control operations.
44.Ft *data
44The
45.Fa data
46argument
45should point to a structure whose type depends on the command.
47should point to a structure whose type depends on the command.
46.Ft length
47specifies the size of the
48.Em data
48The
49.Fa length
50argument
51specifies the size of
52.Fa *data
49in bytes.
53in bytes.
50.Ft cmd
54The
55.Fa cmd
56argument
51may be any of the following:
52.Bl -tag -width ".It Dv A_GETPINFO_ADDR"
53.It Dv A_SETPOLICY
54Set audit policy flags.
57may be any of the following:
58.Bl -tag -width ".It Dv A_GETPINFO_ADDR"
59.It Dv A_SETPOLICY
60Set audit policy flags.
55.Ft *data
56must point to a long value set to one of the audit
61The
62.Fa data
63argument
64must point to a
65.Vt long
66value set to one of the audit
57policy control values defined in
67policy control values defined in
58.Pa audit.h .
68.In bsm/audit.h .
59Currently, only
60.Dv AUDIT_CNT
61and
62.Dv AUDIT_AHLT
63are implemented.
64In the
65.Dv AUDIT_CNT
66case, the action will continue regardless if

--- 4 unchanged lines hidden (view full) ---

71.Xr panic 9
72will result if an event will not be written to the
73audit log file.
74.It Dv A_SETKAUDIT
75Return
76.Er ENOSYS .
77.It Dv A_SETKMASK
78Set the kernel preselection masks (success and failure).
69Currently, only
70.Dv AUDIT_CNT
71and
72.Dv AUDIT_AHLT
73are implemented.
74In the
75.Dv AUDIT_CNT
76case, the action will continue regardless if
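Review bot: the A_SETPOLICY text at new lines 61-67 says data points to a long set to "one of" the audit policy control values, while the item summary at new line 60 says "flags" (plural). If AUDIT_CNT and AUDIT_AHLT may be combined in a single call, say so explicitly; otherwise make the summary singular. Separately, new line 52 uses `.Fa *data` where every other reference introduced in this hunk is `.Fa data`; pick one form so the rendered page is consistent.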

--- 4 unchanged lines hidden (view full) ---

81.Xr panic 9
82will result if an event will not be written to the
83audit log file.
84.It Dv A_SETKAUDIT
85Return
86.Er ENOSYS .
87.It Dv A_SETKMASK
88Set the kernel preselection masks (success and failure).
79.Ft *data
89The
90.Fa data
91argument
80must point to a
92must point to a
81.Ft au_mask_t
93.Vt au_mask_t
82structure containing the mask values.
83These masks are used for non-attributable audit event preselection.
84.It Dv A_SETQCTRL
85Set kernel audit queue parameters.
94structure containing the mask values.
95These masks are used for non-attributable audit event preselection.
96.It Dv A_SETQCTRL
97Set kernel audit queue parameters.
86.Ft *data
98The
99.Fa data
100argument
87must point to a
101must point to a
88.Ft au_qctrl_t
102.Vt au_qctrl_t
89structure containing the
90kernel audit queue control settings:
103structure containing the
104kernel audit queue control settings:
91.Va high water ,
92.Va low water ,
93.Va output buffer size ,
94.Va percent min free disk space ,
105.Dq "high water" ,
106.Dq "low water" ,
107.Dq "output buffer size" ,
108.Dq "percent min free disk space" ,
95and
109and
96.Em delay
110.Dq delay
97(not currently used).
98.It Dv A_SETSTAT
99Return
100.Er ENOSYS .
101.It Dv A_SETUMASK
102Return
103.Er ENOSYS .
104.It Dv A_SETSMASK
105Return
106.Er ENOSYS .
107.It Dv A_SETCOND
108Set the current auditing condition.
111(not currently used).
112.It Dv A_SETSTAT
113Return
114.Er ENOSYS .
115.It Dv A_SETUMASK
116Return
117.Er ENOSYS .
118.It Dv A_SETSMASK
119Return
120.Er ENOSYS .
121.It Dv A_SETCOND
122Set the current auditing condition.
109.Ft *data
110must point to a long value containing the new
123The
124.Fa data
125argument
126must point to a
127.Vt long
128value containing the new
111audit condition, one of
112.Dv AUC_AUDITING ,
113.Dv AUC_NOAUDIT ,
114or
115.Dv AUC_DISABLED .
116.It Dv A_SETCLASS
117Set the event class preselection mask for an audit event.
129audit condition, one of
130.Dv AUC_AUDITING ,
131.Dv AUC_NOAUDIT ,
132or
133.Dv AUC_DISABLED .
134.It Dv A_SETCLASS
135Set the event class preselection mask for an audit event.
118.Ft *data
136The
137.Fa data
138argument
119must point to a
139must point to a
120.Ft au_evclass_map_t
140.Vt au_evclass_map_t
121structure containing the audit event and mask.
122.It Dv A_SETPMASK
123Set the preselection masks for a process.
141structure containing the audit event and mask.
142.It Dv A_SETPMASK
143Set the preselection masks for a process.
124.Ft *data
144The
145.Fa data
146argument
125must point to a
147must point to a
126.Ft auditpinfo_t
127structure that contains the given process's audit
148.Vt auditpinfo_t
149structure that contains the given process's audit
128preselection masks for both success and failure.
129.It Dv A_SETFSIZE
130Set the maximum size of the audit log file.
150preselection masks for both success and failure.
151.It Dv A_SETFSIZE
152Set the maximum size of the audit log file.
131.Ft *data
153The
154.Fa data
155argument
132must point to a
156must point to a
133.Ft au_fstat_t
157.Vt au_fstat_t
134structure with the
158structure with the
135.Ft af_filesz
136field set to the maximum audit log file size. A value of 0
159.Va af_filesz
160field set to the maximum audit log file size.
161A value of 0
137indicates no limit to the size.
138.It Dv A_SETKAUDIT
139Return
140.Er ENOSYS .
141.It Dv A_GETCLASS
142Return the event to class mapping for the designated audit event.
162indicates no limit to the size.
163.It Dv A_SETKAUDIT
164Return
165.Er ENOSYS .
166.It Dv A_GETCLASS
167Return the event to class mapping for the designated audit event.
143.Ft *data
144must point to a
145.Ft au_evclass_map_t
168The
169.Fa data
170argument
171must point to a
172.Vt au_evclass_map_t
146structure.
147.It Dv A_GETKAUDIT
148Return
149.Er ENOSYS .
150.It Dv A_GETPINFO
151Return the audit settings for a process.
173structure.
174.It Dv A_GETKAUDIT
175Return
176.Er ENOSYS .
177.It Dv A_GETPINFO
178Return the audit settings for a process.
152.Ft *data
179The
180.Fa data
181argument
153must point to a
182must point to a
154.Ft auditpinfo_t
183.Vt auditpinfo_t
155structure which will be set to contain
156the audit ID, preselection mask, terminal ID, and audit session
157ID of the given process.
158.It Dv A_GETPINFO_ADDR
159Return
160.Er ENOSYS .
161.It Dv A_GETKMASK
162Return the current kernel preselection masks.
184structure which will be set to contain
185the audit ID, preselection mask, terminal ID, and audit session
186ID of the given process.
187.It Dv A_GETPINFO_ADDR
188Return
189.Er ENOSYS .
190.It Dv A_GETKMASK
191Return the current kernel preselection masks.
163.Ft *data
192The
193.Fa data
194argument
164must point to a
195must point to a
165.Ft au_mask_t
166structure which will be set to
196.Vt au_mask_t
197structure which will be set to
167the current kernel preselection masks for non-attributable events.
168.It Dv A_GETPOLICY
169Return the current audit policy setting.
198the current kernel preselection masks for non-attributable events.
199.It Dv A_GETPOLICY
200Return the current audit policy setting.
170.Ft *data
171must point to a long value which will be set to
201The
202.Fa data
203argument
204must point to a
205.Vt long
206value which will be set to
172one of the current audit policy flags.
173Currently, only
174.Dv AUDIT_CNT
175and
176.Dv AUDIT_AHLT
177are implemented.
178.It Dv A_GETQCTRL
179Return the current kernel audit queue control parameters.
207one of the current audit policy flags.
208Currently, only
209.Dv AUDIT_CNT
210and
211.Dv AUDIT_AHLT
212are implemented.
213.It Dv A_GETQCTRL
214Return the current kernel audit queue control parameters.
180.Ft *data
181must point to a
182.Ft au_qctrl_t
215The
216.Fa data
217argument
218must point to a
219.Vt au_qctrl_t
183structure which will be set to the current
184kernel audit queue control parameters.
185.It Dv A_GETFSIZE
186Returns the maximum size of the audit log file.
220structure which will be set to the current
221kernel audit queue control parameters.
222.It Dv A_GETFSIZE
223Returns the maximum size of the audit log file.
187.Ft *data
224The
225.Fa data
226argument
188must point to a
227must point to a
189.Ft au_fstat_t
190structure. The
191.Ft af_filesz
228.Vt au_fstat_t
229structure.
230The
231.Va af_filesz
192field will be set to the maximum audit log file size.
193A value of 0 indicates no limit to the size.
194The
232field will be set to the maximum audit log file size.
233A value of 0 indicates no limit to the size.
234The
195.Ft af_currsz
235.Va af_currsz
236field
196will be set to the current audit log file size.
197.It Dv A_GETCWD
198.\" [COMMENTED OUT]: Valid description, not yet implemented.
199.\" Return the current working directory as stored in the audit subsystem.
200Return
201.Er ENOSYS .
202.It Dv A_GETCAR
203.\" [COMMENTED OUT]: Valid description, not yet implemented.
204.\"Stores and returns the current active root as stored in the audit
205.\"subsystem.
206Return
207.Er ENOSYS .
208.It Dv A_GETSTAT
209.\" [COMMENTED OUT]: Valid description, not yet implemented.
210.\"Return the statistics stored in the audit system.
211Return
212.Er ENOSYS .
213.It Dv A_GETCOND
214Return the current auditing condition.
237will be set to the current audit log file size.
238.It Dv A_GETCWD
239.\" [COMMENTED OUT]: Valid description, not yet implemented.
240.\" Return the current working directory as stored in the audit subsystem.
241Return
242.Er ENOSYS .
243.It Dv A_GETCAR
244.\" [COMMENTED OUT]: Valid description, not yet implemented.
245.\"Stores and returns the current active root as stored in the audit
246.\"subsystem.
247Return
248.Er ENOSYS .
249.It Dv A_GETSTAT
250.\" [COMMENTED OUT]: Valid description, not yet implemented.
251.\"Return the statistics stored in the audit system.
252Return
253.Er ENOSYS .
254.It Dv A_GETCOND
255Return the current auditing condition.
215.Ft *data
216must point to a long value which will be set to
256The
257.Fa data
258argument
259must point to a
260.Vt long
261value which will be set to
217the current audit condition, either
218.Dv AUC_AUDITING
219or
220.Dv AUC_NOAUDIT .
221.It Dv A_SENDTRIGGER
222Send a trigger to the audit daemon.
262the current audit condition, either
263.Dv AUC_AUDITING
264or
265.Dv AUC_NOAUDIT .
266.It Dv A_SENDTRIGGER
267Send a trigger to the audit daemon.
223.Fr *data
224must point to a long value set to one of the acceptable
268The
269.Fa data
270argument
271must point to a
272.Vt long
273value set to one of the acceptable
225trigger values:
226.Dv AUDIT_TRIGGER_LOW_SPACE
227(low disk space where the audit log resides),
228.Dv AUDIT_TRIGGER_OPEN_NEW
229(open a new audit log file),
230.Dv AUDIT_TRIGGER_READ_FILE
231(read the
232.Pa audit_control

--- 26 unchanged lines hidden (view full) ---

259The
260.Dv A_SENDTRIGGER
261command is specific to the
262.Fx
263and Mac OS X implementations, and is not present in Solaris.
264.Sh SEE ALSO
265.Xr audit 2 ,
266.Xr auditctl 2 ,
274trigger values:
275.Dv AUDIT_TRIGGER_LOW_SPACE
276(low disk space where the audit log resides),
277.Dv AUDIT_TRIGGER_OPEN_NEW
278(open a new audit log file),
279.Dv AUDIT_TRIGGER_READ_FILE
280(read the
281.Pa audit_control
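Review bot: A_SETKAUDIT is still listed twice in the command list, at new lines 84 and 163, both with the same "Return ENOSYS" body. Since this change already touches nearly every item in the list, drop one of the two entries. A smaller point in the same region: A_SETFSIZE names its field (`.Va af_filesz`), but the A_SETQCTRL parameters at new lines 105-110 are now quoted descriptions via `.Dq`; naming the au_qctrl_t fields the same way would let a reader map the text to the structure.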

--- 26 unchanged lines hidden (view full) ---

308The
309.Dv A_SENDTRIGGER
310command is specific to the
311.Fx
312and Mac OS X implementations, and is not present in Solaris.
313.Sh SEE ALSO
314.Xr audit 2 ,
315.Xr auditctl 2 ,
267.Xr getauid 2 ,
268.Xr setauid 2 ,
269.Xr getaudit 2 ,
316.Xr getaudit 2 ,
270.Xr setaudit 2 ,
271.Xr getaudit_addr 2 ,
317.Xr getaudit_addr 2 ,
318.Xr getauid 2 ,
319.Xr setaudit 2 ,
272.Xr setaudit_addr 2 ,
320.Xr setaudit_addr 2 ,
321.Xr setauid 2 ,
273.Xr libbsm 3
322.Xr libbsm 3
323.Sh HISTORY
324The OpenBSM implementation was created by McAfee Research, the security
325division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
326It was subsequently adopted by the TrustedBSD Project as the foundation for
327the OpenBSM distribution.
274.Sh AUTHORS
328.Sh AUTHORS
329.An -nosplit
275This software was created by McAfee Research, the security research division
276of McAfee, Inc., under contract to Apple Computer Inc.
330This software was created by McAfee Research, the security research division
331of McAfee, Inc., under contract to Apple Computer Inc.
277Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
332Additional authors include
333.An Wayne Salamon ,
334.An Robert Watson ,
335and SPARTA Inc.
278.Pp
279The Basic Security Module (BSM) interface to audit records and audit event
280stream format were defined by Sun Microsystems.
281.Pp
282This manual page was written by
283.An Tom Rhodes Aq trhodes@FreeBSD.org ,
284.An Robert Watson Aq rwatson@FreeBSD.org ,
285and
286.An Wayne Salamon Aq wsalamon@FreeBSD.org .
336.Pp
337The Basic Security Module (BSM) interface to audit records and audit event
338stream format were defined by Sun Microsystems.
339.Pp
340This manual page was written by
341.An Tom Rhodes Aq trhodes@FreeBSD.org ,
342.An Robert Watson Aq rwatson@FreeBSD.org ,
343and
344.An Wayne Salamon Aq wsalamon@FreeBSD.org .
287.Sh HISTORY
288The OpenBSM implementation was created by McAfee Research, the security
289division of McAfee Inc., under contract to Apple Computer Inc. in 2003.
290It was subsequently adopted by the TrustedBSD Project as the foundation for
291the OpenBSM distribution.
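Review bot: the relocated HISTORY text changes the year from "in 2003" (old line 289) to "in 2004" (new line 325), a factual change bundled with markup and section-ordering cleanup. Confirm the date and mention it in the commit message so it is not lost among the macro fixes. HISTORY also reads "the security division of McAfee Inc." while AUTHORS at new lines 330-331 reads "the security research division of McAfee, Inc."; make the two descriptions agree.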