
FreeBSD Manual Pages

  
 
  

audcntl(2)							    audcntl(2)

Name
       audcntl - audit control

Syntax
       #include	<sys/audit.h>

       audcntl(request,	argp, len, flag, audit_id)
       int request;
       char *argp;
       int len;
       int flag;
       audit_ID_t audit_id;

Description
       The audcntl system call provides control over options offered by the
       audit subsystem. All requests, except where noted otherwise, are
       privileged. The following list describes the requests:

       GET_SYS_AMASK and SET_SYS_AMASK
	      The  system auditmask determines which system events are logged.
	      GET_SYS_AMASK copies the system auditmask	into a buffer  pointed
	      at  by  argp.   SET_SYS_AMASK copies from	a buffer pointed at by
	      argp into	 the  system  auditmask.   Each	 of  these  operations
	      returns  the  number  of	bytes  transferred  between the	user's
	      buffer and the auditmask.	 Len is	the size of the	user's buffer.
	      The  amount  of  data moved between the auditmask	and the	user's
	      buffer is	the smaller of the auditmask size and the buffer size.

       GET_TRUSTED_AMASK and SET_TRUSTED_AMASK
	      The  trusted  auditmask  determines  which  trusted  events  are
	      logged.  GET_TRUSTED_AMASK copies	the trusted auditmask  into  a
	      buffer  pointed  at  by  argp.   SET_TRUSTED_AMASK copies	from a
	      buffer pointed at	by argp	into the trusted  auditmask.  Each  of
	      these operations returns the number of bytes transferred between
	      the user's buffer	and the	auditmask.  Len	is  the	 size  of  the
	      user's  buffer.	The amount of data moved between the auditmask
	      and the user's buffer is the smaller of the auditmask  size  and
	      the buffer size.

       GET_PROC_AMASK and SET_PROC_AMASK
	      The  process  auditmask determines (along	with the system	masks)
	      which system events and trusted events are logged	for  the  cur-
	      rent  process.  GET_PROC_AMASK copies the	process	auditmask into
	      a	buffer pointed at by argp.  The	size of	the process  auditmask
	      is  SYSCALL_MASK_LEN+TRUSTED_MASK_LEN,  and  contains  a syscall
	      mask followed by a trusted event	mask.	SET_PROC_AMASK	copies
	      the  values  from	 a  buffer pointed at by argp into the process
	      auditmask. Each of these operations returns the number of	 bytes
	      transferred between the user's buffer and	the auditmask.	Len is
	      the size of the user's buffer. The amount	of data	moved  between
	      the auditmask and	the user's buffer is the smaller of the	audit-
	      mask size	and the	buffer size.

       GET_PROC_ACNTL and SET_PROC_ACNTL
	      GET_PROC_ACNTL returns the  audit	 control  flags	 (the  audcntl
	      byte) of the current process (see	).  Audit control flags	deter-
	      mine whether auditing for	the process is on or off, and  if  on,
	      how the auditmasks are combined.	A value	of AUDIT_OFF indicates
	      audit is off for that process.  A	value of AUDIT_AND or AUDIT_OR
	      indicates	 the  process  auditmask  is logically AND'ed or OR'ed
	      with the system auditmask.  A value of AUDIT_USR	indicates  the
	      process auditmask	is used	for that process; the system auditmask
	      is ignored.  SET_PROC_ACNTL assigns the values of	the audit con-
	      trol  flags  from	 flag  and  returns the	previous values	of the
	      flags.

       GET_AUDSWITCH and SET_AUDSWITCH
	      GET_AUDSWITCH returns the	value of the system audit  switch.   A
	      return  value  of	1 indicates auditing is	turned on.  A value of
	      zero indicates auditing is turned	 off.	SET_AUDSWITCH  assigns
	      the  value  of  flag  to the system audit	switch and returns the
	      previous audit switch value.  A value of 1 turns auditing	on.  A
	      value of zero turns auditing off.

       FLUSH_AUD_BUF
	      Flushes the kernel audit buffer out to

       GETPAID and SETPAID
	      GETPAID returns the audit ID of the calling process.  The
	      GETPAID request does not require privilege.  SETPAID assigns
	      the value of audit_id to the process audit ID.  SETPAID is
	      effective only if audit_id is greater than 0.

       GET_AUDSTYLE and	SET_AUDSTYLE
	      The system auditing style	supports two options  to  control  how
	      much  additional	information  is	 recorded  on exec operations.
	      GET_AUDSTYLE returns the current value of	 the  system  audstyle
	      flag.   SET_AUDSTYLE  sets the system audstyle flag to the value
	      of flag, and returns the previous	value of the audstyle flag.  A
	      flag value of AUD_EXEC_ARGP enables the auditing of the argument
	      list  to	an  execv  or  execve  syscall.	  A  flag   value   of
	      AUD_EXEC_ENVP enables the	auditing of the	environment strings to
	      an execv or execve syscall.  Flag	values may be OR'ed  together.
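
       Example (added here; not part of the ULTRIX manual or its source):
       a user-space model of the auditmask copy rule and of how the audit
       control flag combines the process and system auditmasks. The M_*
       names, mask sizes, enum values, bit layout, the treatment of a
       negative len, and the audit switch gating every event are
       assumptions; real definitions come from <sys/audit.h>.

```c
/* Added model of the audcntl(2) rules; it never calls the ULTRIX kernel. */
#include <stdio.h>
#include <string.h>

#define M_SYSCALL_MASK_LEN 4   /* assumed; the real value is in <sys/audit.h> */
#define M_TRUSTED_MASK_LEN 2   /* assumed */
#define M_PROC_MASK_LEN (M_SYSCALL_MASK_LEN + M_TRUSTED_MASK_LEN)

enum m_acntl { M_AUDIT_OFF, M_AUDIT_AND, M_AUDIT_OR, M_AUDIT_USR }; /* assumed values */

struct m_proc {
    enum m_acntl acntl;                    /* models the audcntl byte */
    unsigned char amask[M_PROC_MASK_LEN];  /* syscall mask, then trusted mask */
};

/* GET_x_AMASK and SET_x_AMASK copy rule: move min(len, mask_len) bytes and
 * return the count. Treating a negative len as the EINVAL case is assumed. */
int m_mask_xfer(unsigned char *dst, const unsigned char *src, int len, int mask_len)
{
    int n = len < mask_len ? len : mask_len;
    if (len < 0) return -1;
    memcpy(dst, src, (size_t)n);
    return n;
}

/* Assumed layout: event ev is bit (ev % 8) of byte (ev / 8). */
static int m_bit(const unsigned char *mask, int ev) { return (mask[ev / 8] >> (ev % 8)) & 1; }

/* Is system event ev logged for p? Assumes the audit switch gates everything. */
int m_event_audited(int audswitch, const unsigned char *sys_amask,
                    const struct m_proc *p, int ev)
{
    int s = m_bit(sys_amask, ev), u = m_bit(p->amask, ev);
    if (!audswitch) return 0;
    switch (p->acntl) {
    case M_AUDIT_AND: return s && u;
    case M_AUDIT_OR:  return s || u;
    case M_AUDIT_USR: return u;          /* system auditmask is ignored */
    default:          return 0;          /* M_AUDIT_OFF */
    }
}

int main(void)
{
    unsigned char sys[M_SYSCALL_MASK_LEN] = { 0x01 };  /* constructed: event 0 selected */
    struct m_proc p = { M_AUDIT_USR, { 0 } };          /* constructed: empty process mask */
    printf("event 0 audited under USR: %d\n", m_event_audited(1, sys, &p, 0));
    return 0;
}
```

       In this model a process with the AUDIT_USR flag and an empty process
       auditmask logs nothing for an event the system auditmask selects, and
       a caller that passes a short buffer must compare the return value
       with the full mask size to notice that only part of the mask moved.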

Return Values
       The  values  returned  for  successful  calls  can  be  found under the
       description of the specific call	request.

       If a call fails,	a -1 is	returned.

Diagnostics
       The call	fails under the	following conditions:

       [EFAULT]	      The argp argument	contains an invalid address.

       [EACCES]	      The user does not	have the privileges needed to  perform
		      this operation.

       [EINVAL]	      The  value of the	len or request or audit_id argument is
		      invalid.

       [EPERM]	      The user is not privileged to get	or set the  audit  ID,
		      or  the  user  attempted to get the audit	ID when	it was
		      not set.

       [EOPNOTSUPP]   The request argument contains an unsupported  operation.

See Also
       Security Guide for Administrators
       Guide to Languages and Programming

								    audcntl(2)


Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=audcntl&sektion=2&manpath=ULTRIX+4.2>
