AUDITON(2) FreeBSD System Calls Manual AUDITON(2)
NAME
auditon - configure system audit parameters
SYNOPSIS
#include <bsm/audit.h>
int
auditon(int cmd, void *data, u_int length);
DESCRIPTION
The auditon() system call is used to manipulate various audit control
operations. The data argument should point to a structure whose type
depends on the command. The length argument specifies the size of *data
in bytes. The cmd argument may be any of the following:
A_SETPOLICY Set audit policy flags. The data argument must
point to a int value set to one or more the
following audit policy control values bitwise
OR'ed together: AUDIT_CNT, AUDIT_AHLT,
AUDIT_ARGV, and AUDIT_ARGE. If AUDIT_CNT is set,
the system will continue even if it becomes low
on space and discontinue logging events until the
low space condition is remedied. If it is not
set, audited events will block until the low
space condition is remedied. Unaudited events,
however, are unaffected. If AUDIT_AHLT is set, a
panic(9) if it cannot write an event to the
global audit log file. If AUDIT_ARGV is set,
then the argument list passed to the execve(2)
system call will be audited. If AUDIT_ARGE is
set, then the environment variables passed to the
execve(2) system call will be audited. The
default policy is none of the audit policy
control flags set.
A_SETKAUDIT Set the host information. The data argument must
point to a auditinfo_addr_t structure containing
the host IP address information. After setting,
audit records that are created as a result of
kernel events will contain this information.
A_SETKMASK Set the kernel preselection masks (success and
failure). The data argument must point to a
au_mask_t structure containing the mask values as
defined in <bsm/audit.h>. These masks are used
for non-attributable audit event preselection.
The field am_success specifies which classes of
successful audit events are to be logged to the
audit trail. The field am_failure specifies
which classes of failed audit events are to be
logged. The value of both fields is the bitwise
OR'ing of the audit event classes specified in
bsm/audit.h. The various audit classes are
described more fully in audit_class(5).
A_SETQCTRL Set kernel audit queue parameters. The data
argument must point to a au_qctrl_t structure
(defined in <bsm/audit.h>) containing the kernel
audit queue control settings: aq_hiwater,
aq_lowater, aq_bufsz, aq_delay, and aq_minfree.
The field aq_hiwater defines the maximum number
of audit record entries in the queue used to
store the audit records ready for delivery to
disk. New records are inserted at the tail of
the queue and removed from the head. For new
records which would exceed the high water mark,
the calling thread is inserted into the wait
queue, waiting for the audit queue to have enough
space available as defined with the field
aq_lowater. The field aq_bufsz defines the
maximum length of the audit record that can be
supplied with audit(2). The field aq_delay is
unused. The field aq_minfree specifies the
minimum amount of free blocks on the disk device
used to store audit records. If the value of
free blocks falls below the configured minimum
amount, the kernel informs the audit daemon about
low disk space. The value is to be specified in
percent of free file system blocks. A value of 0
results in a disabling of the check. The default
and maximum values (default/maximum) for the
audit queue control parameters are:
aq_hiwater 100/10000 (audit records)
aq_lowater 10/aq_hiwater (audit records)
aq_bufsz 32767/1048576 (bytes)
aq_delay (Not currently used.)
A_SETSTAT Return ENOSYS. (Not implemented.)
A_SETUMASK Return ENOSYS. (Not implemented.)
A_SETSMASK Return ENOSYS. (Not implemented.)
A_SETCOND Set the current auditing condition. The data
argument must point to a int value containing the
new audit condition, one of AUC_AUDITING,
AUC_NOAUDIT, or AUC_DISABLED. If AUC_NOAUDIT is
set, then auditing is temporarily suspended. If
AUC_AUDITING is set, auditing is resumed. If
AUC_DISABLED is set, the auditing system will
shutdown, draining all audit records and closing
out the audit trail file.
A_SETCLASS Set the event class preselection mask for an
audit event. The data argument must point to a
au_evclass_map_t structure containing the audit
event and mask. The field ec_number is the audit
event and ec_class is the audit class mask. See
audit_event(5) for more information on audit
event to class mapping.
A_SETPMASK Set the preselection masks for a process. The
data argument must point to a auditpinfo_t
structure that contains the given process's audit
preselection masks for both success and failure.
The field ap_pid is the process id of the target
process. The field ap_mask must point to a
au_mask_t structure which holds the preselection
masks as described in the A_SETKMASK section
above.
A_SETFSIZE Set the maximum size of the audit log file. The
data argument must point to a au_fstat_t
structure with the af_filesz field set to the
maximum audit log file size. A value of 0
indicates no limit to the size.
A_GETCLASS Return the event to class mapping for the
designated audit event. The data argument must
point to a au_evclass_map_t structure. See the
A_SETCLASS section above for more information.
A_GETKAUDIT Get the current host information. The data
argument must point to a auditinfo_addr_t
structure.
A_GETPINFO Return the audit settings for a process. The
data argument must point to a auditpinfo_t
structure which will be set to contain ap_auid
(the audit ID), ap_mask (the preselection mask),
ap_termid (the terminal ID), and ap_asid (the
audit session ID) of the given target process.
The process ID of the target process is passed
into the kernel using the ap_pid field. See the
section A_SETPMASK above and getaudit(2) for more
information.
A_GETPINFO_ADDR Return the extended audit settings for a process.
The data argument must point to a
auditpinfo_addr_t structure which is similar to
the auditpinfo_t structure described above. The
exception is the ap_termid (the terminal ID)
field which points to a au_tid_addr_t structure
can hold much a larger terminal address and an
address type. The process ID of the target
process is passed into the kernel using the
ap_pid field. See the section A_SETPMASK above
and getaudit(2) for more information.
A_GETSINFO_ADDR Return the extended audit settings for a session.
The data argument must point to a
auditinfo_addr_t structure. The audit session ID
of the target session is passed into the kernel
using the ai_asid field. See getaudit_addr(2)
for more information about the auditinfo_addr_t
structure.
A_GETKMASK Return the current kernel preselection masks.
The data argument must point to a au_mask_t
structure which will be set to the current kernel
preselection masks for non-attributable events.
A_GETPOLICY Return the current audit policy setting. The
data argument must point to a int value which
will be set to one of the current audit policy
flags. The audit policy flags are described in
the A_SETPOLICY section above.
A_GETQCTRL Return the current kernel audit queue control
parameters. The data argument must point to a
au_qctrl_t structure which will be set to the
current kernel audit queue control parameters.
See the A_SETQCTL section above for more
information.
A_GETFSIZE Returns the maximum size of the audit log file.
The data argument must point to a au_fstat_t
structure. The af_filesz field will be set to
the maximum audit log file size. A value of 0
indicates no limit to the size. The af_currsz
field will be set to the current audit log file
size.
A_GETCWD Return ENOSYS. (Not implemented.)
A_GETCAR Return ENOSYS. (Not implemented.)
A_GETSTAT Return ENOSYS. (Not implemented.)
A_GETCOND Return the current auditing condition. The data
argument must point to a int value which will be
set to the current audit condition, one of
AUC_AUDITING, AUC_NOAUDIT or AUC_DISABLED. See
the A_SETCOND section above for more information.
A_SENDTRIGGER Send a trigger to the audit daemon. The data
argument must point to a int value set to one of
the acceptable trigger values:
AUDIT_TRIGGER_LOW_SPACE (low disk space where the
audit log resides), AUDIT_TRIGGER_OPEN_NEW (open
a new audit log file), AUDIT_TRIGGER_READ_FILE
(read the audit_control file),
AUDIT_TRIGGER_CLOSE_AND_DIE (close the current
log file and exit), AUDIT_TRIGGER_NO_SPACE (no
disk space left for audit log file).
AUDIT_TRIGGER_ROTATE_USER (request audit log file
rotation). AUDIT_TRIGGER_INITIALIZE (initialize
audit subsystem for Mac OS X only). or
AUDIT_TRIGGER_EXPIRE_TRAILS (request audit log
file expiration).
RETURN VALUES
Upon successful completion, the value 0 is returned; otherwise the
value -1 is returned and the global variable errno is set to indicate the
error.
ERRORS
The auditon() function will fail if:
[ENOSYS] Returned by options not yet implemented.
[EFAULT] A failure occurred while data transferred to or from
the kernel failed.
[EINVAL] Illegal argument was passed by a system call.
[EPERM] The process does not have sufficient permission to
complete the operation.
The A_SENDTRIGGER command is specific to the FreeBSD and Mac OS X
implementations, and is not present in Solaris.
SEE ALSO
audit(2), auditctl(2), getaudit(2), getaudit_addr(2), getauid(2),
setaudit(2), setaudit_addr(2), setauid(2), libbsm(3)
HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation
for the OpenBSM distribution.
AUTHORS
This software was created by McAfee Research, the security research
division of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
The Basic Security Module (BSM) interface to audit records and audit
event stream format were defined by Sun Microsystems.
This manual page was written by Tom Rhodes <trhodes@FreeBSD.org>, Robert
Watson <rwatson@FreeBSD.org>, and Wayne Salamon <wsalamon@FreeBSD.org>.
FreeBSD 13.1-RELEASE-p6 April 7, 2016 FreeBSD 13.1-RELEASE-p6
man2web Home...