AUDITON(2) | System Calls Manual | AUDITON(2) |
auditon
—
configure system audit parameters
#include
<bsm/audit.h>
int
auditon
(int
cmd, void *data,
u_int length);
The
auditon
()
system call is used to manipulate various audit control operations. The
data argument should point to a structure whose type
depends on the command. The length argument specifies
the size of *data in bytes. The
cmd argument may be any of the following:
A_SETPOLICY
AUDIT_CNT
, AUDIT_AHLT
,
AUDIT_ARGV
, and
AUDIT_ARGE
. If AUDIT_CNT is set,
the system will continue even if it becomes low
on space and
discontinue logging events until the low space condition is remedied. If
it is not set, audited events will block until the low space condition is
remedied. Unaudited events, however, are unaffected. If
AUDIT_AHLT is set, a
panic(9) if
it cannot write an event to the global audit log file. If
AUDIT_ARGV
is set, then the argument list passed
to the execve(2) system call will be audited. If
AUDIT_ARGE
is set, then the environment variables
passed to the execve(2) system call will be audited. The
default policy is none of the audit policy control flags set.A_SETKAUDIT
A_SETKMASK
<bsm/audit.h>
.
These masks are used for non-attributable audit event preselection. The
field am_success specifies which classes of
successful audit events are to be logged to the audit trail. The field
am_failure specifies which classes of failed audit
events are to be logged. The value of both fields is the bitwise OR'ing of
the audit event classes specified in bsm/audit.h.
The various audit classes are described more fully in
audit_class(5).A_SETQCTRL
<bsm/audit.h>
) containing
the kernel audit queue control settings: aq_hiwater,
aq_lowater, aq_bufsz,
aq_delay, and aq_minfree. The
field aq_hiwater defines the maximum number of audit
record entries in the queue used to store the audit records ready for
delivery to disk. New records are inserted at the tail of the queue and
removed from the head. For new records which would exceed the high water
mark, the calling thread is inserted into the wait queue, waiting for the
audit queue to have enough space available as defined with the field
aq_lowater. The field aq_bufsz
defines the maximum length of the audit record that can be supplied with
audit(2). The field aq_delay is
unused. The field aq_minfree specifies the minimum
amount of free blocks on the disk device used to store audit records. If
the value of free blocks falls below the configured minimum amount, the
kernel informs the audit daemon about low disk space. The value is to be
specified in percent of free file system blocks. A value of 0 results in a
disabling of the check. The default and maximum values (default/maximum)
for the audit queue control parameters are:
aq_hiwater | 100/10000 (audit records) |
aq_lowater | 10/aq_hiwater (audit records) |
aq_bufsz | 32767/1048576 (bytes) |
aq_delay | (Not currently used.) |
A_SETSTAT
ENOSYS
. (Not implemented.)A_SETUMASK
ENOSYS
. (Not implemented.)A_SETSMASK
ENOSYS
. (Not implemented.)A_SETCOND
AUC_AUDITING
,
AUC_NOAUDIT
, or
AUC_DISABLED
. If
AUC_NOAUDIT
is set, then auditing is temporarily
suspended. If AUC_AUDITING
is set, auditing is
resumed. If AUC_DISABLED
is set, the auditing
system will shutdown, draining all audit records and closing out the audit
trail file.A_SETCLASS
A_SETPMASK
A_SETKMASK
section
above.A_SETFSIZE
A_SETSFLAGS
A_GETCLASS
A_SETCLASS
section above for more
information.A_GETKAUDIT
A_GETPINFO
A_SETPMASK
above and getaudit(2)
for more information.A_GETPINFO_ADDR
A_SETPMASK
above and getaudit(2)
for more information.A_GETSINFO_ADDR
A_GETKMASK
A_GETPOLICY
A_SETPOLICY
section above.A_GETQCTRL
A_SETQCTL
section above for more information.A_GETFSIZE
A_GETSFLAGS
A_GETCWD
ENOSYS
. (Not implemented.)A_GETCAR
ENOSYS
. (Not implemented.)A_GETSTAT
ENOSYS
. (Not implemented.)A_GETCOND
AUC_AUDITING
, AUC_NOAUDIT
or AUC_DISABLED
. See the
A_SETCOND
section above for more information.A_SENDTRIGGER
AUDIT_TRIGGER_LOW_SPACE
(low disk space where the audit log resides),
AUDIT_TRIGGER_OPEN_NEW
(open a new audit log
file), AUDIT_TRIGGER_READ_FILE
(read the
audit_control file),
AUDIT_TRIGGER_CLOSE_AND_DIE
(close the current log
file and exit), AUDIT_TRIGGER_NO_SPACE
(no disk
space left for audit log file).
AUDIT_TRIGGER_ROTATE_USER
(request audit log file
rotation). AUDIT_TRIGGER_INITIALIZE
(initialize
audit subsystem for Mac OS X only). or
AUDIT_TRIGGER_EXPIRE_TRAILS
(request audit log
file expiration).Upon successful completion, the value 0 is returned; otherwise the value -1 is returned and the global variable errno is set to indicate the error.
The auditon
() function will fail if:
ENOSYS
]EFAULT
]EINVAL
]EPERM
]The A_SENDTRIGGER
command is specific to
the FreeBSD and Mac OS X implementations, and is not
present in Solaris.
audit(2), auditctl(2), getaudit(2), getaudit_addr(2), getauid(2), setaudit(2), setaudit_addr(2), setauid(2), libbsm(3)
The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution.
This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems.
This manual page was written by Tom Rhodes ⟨trhodes@FreeBSD.org⟩, Robert Watson ⟨rwatson@FreeBSD.org⟩, and Wayne Salamon ⟨wsalamon@FreeBSD.org⟩.
January 29, 2009 | Mac OS X 12 |