Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
auditconfig(1M)		System Administration Commands	       auditconfig(1M)

NAME
       auditconfig - configure auditing

SYNOPSIS
       auditconfig option...

DESCRIPTION
       auditconfig provides a command line interface to	get and	set kernel au-
       dit parameters.

       This functionality is available only if the Basic Security Module (BSM)
       has been	enabled. See bsmconv(1M) for more information.

       The  setting  of	 the  perzone policy determines	the scope of the audit
       setting controlled by auditconfig. If perzone is	set, then  the	values
       reflect the local zone except as	noted. Otherwise, the settings are for
       the entire system. Any restriction based	 on  the  perzone  setting  is
       noted for each option to	which it applies.

OPTIONS
       -aconf

	   Set the non-attributable audit mask from the	audit_control(4) file.
	   For example:

	   # auditconfig -aconf
	   Configured non-attributable events.

       -audit event sorf retval	string

	   This	command	constructs an audit record for audit event event using
	   the process's audit characteristics containing a text token string.
	   The return token is	constructed  from  the	sorf  (success/failure
	   flag)  and  the retval (return value). The event is type char*, the
	   sorf	is 0/1 for success/failure, retval is an errno	value,	string
	   is  type  *char.  This  command is useful for constructing an audit
	   record with a shell script. An example of this option:

	   # auditconfig -audit	AUE_ftpd 0 0 "test string"
	   #

	   audit record	from audit trail:
	       header,76,2,ftp access,,Fri Dec 08 08:44:02 2000, + 669 msec
	       subject,abc,root,other,root,other,104449,102336,235 197121 elbow
	       text,test string
	       return,success,0

       -chkaconf

	   Checks the configuration of the non-attributable events set in  the
	   kernel  against  the	 entries  in  audit_control(4).	If the runtime
	   class mask of a kernel audit	event does not	match  the  configured
	   class mask, a mismatch is reported.

       -chkconf

	   Check the configuration of kernel audit event to class mappings. If
	   the runtime class mask of a kernel audit event does not  match  the
	   configured class mask, a mismatch is	reported.

       -conf

	   Configure  kernel audit event to class mappings. Runtime class map-
	   pings are changed to	match those in the audit event to class	 data-
	   base	file.

       -getasid

	   Prints the audit session ID of the current process. For example:

	   # auditconfig -getasid
	   audit session id = 102336

       -getaudit

	   Returns the audit characteristics of	the current process.

	   # auditconfig -getaudit
	   audit id = abc(666)
	   process preselection	mask = lo(0x1000,0x1000)
	   terminal id (maj,min,host) =	235,197121,elbow(172.146.89.77)
	   audit session id = 102336

       -getauid

	   Prints the audit ID of the current process. For example:

	   # auditconfig -getauid
	   audit id = abc(666)

       -getcar

	   Prints  current  active root	location (anchored from	root [or local
	   zone	root] at system	boot). For example:

	   # auditconfig -getcar
	   current active root = /

       -getclass event

	   Display the preselection mask associated with the specified	kernel
	   audit event.	event is the kernel event number or event name.

       -getcond

	   Display  the	kernel audit condition.	The condition displayed	is the
	   literal string auditing meaning auditing is enabled and  turned  on
	   (the	  kernel  audit	 module	 is  constructing  and	queuing	 audit
	   records); noaudit, meaning auditing is enabled but turned off  (the
	   kernel audit	module is not constructing and queuing audit records);
	   disabled, meaning that the audit module has not  been  enabled;  or
	   nospace,  meaning  there  is	no space for saving audit records. See
	   auditon(2) and auditd(1M) for further information.

       -getestate event

	   For the specified event (string or event number), print out classes
	   event has been assigned. For	example:

	   # auditconfig -getestate 20
	   audit class mask for	event AUE_REBOOT(20) = 0x800
	   # auditconfig -getestate AUE_RENAME
	   audit class mask for	event AUE_RENAME(42) = 0x30

       -getfsize

	   Return the maximum audit file size in bytes and the current size of
	   the audit file in bytes.

       -getkaudit

	   Get audit characteristics of	the current zone. For example:

	   # auditconfig -getkaudit
	   audit id = unknown(-2)
	   process preselection	mask = lo,na(0x1400,0x1400)
	   terminal id (maj,min,host) =	0,0,(0.0.0.0)
	   audit session id = 0

	   If the audit	policy perzone is not set, the terminal	id is that  of
	   the	global	zone.  Otherwise,  it  is the terminal id of the local
	   zone.

       -getkmask

	   Get non-attributable	pre-selection mask for the current  zone.  For
	   example:

	   # auditconfig -getkmask
	   audit flags for non-attributable events = lo,na(0x1400,0x1400)

	   If  the audit policy	perzone	is not set, the	kernel mask is that of
	   the global zone. Otherwise, it is that of the local zone.

       -getpinfo pid

	   Display the audit ID, preselection mask,  terminal  ID,  and	 audit
	   session ID for the specified	process.

       -getpolicy

	   Display  the	kernel audit policy. The ahlt and perzone policies re-
	   flect the settings from the global zone. If	perzone	 is  set,  all
	   other  policies  reflect  the local zone's settings.	 If perzone is
	   not set, the	policies are machine-wide.

       -getcwd

	   Prints current working directory (anchored from zone	root at	system
	   boot). For example:

	   # cd	/usr/tmp
	   # auditconfig -getcwd
	   current working directory = /var/tmp

       -getqbufsz

	   Get audit queue write buffer	size. For example:

	   # auditconfig -getqbufsz
		   audit queue buffer size (bytes) = 1024

       -getqctrl

	   Get	audit queue write buffer size, audit queue hiwater mark, audit
	   queue lowater mark, audit queue prod	interval (ticks).

	   # auditconfig -getqctrl
	   audit queue hiwater mark (records) =	100
	   audit queue lowater mark (records) =	10
	   audit queue buffer size (bytes) = 1024
	   audit queue delay (ticks) = 20

       -getqdelay

	   Get interval	at which audit queue is	prodded	to start  output.  For
	   example:

	   # auditconfig -getqdelay
	   audit queue delay (ticks) = 20

       -getqhiwater

	   Get high water point	in undelivered audit records when audit	gener-
	   ation will block. For example:

	   # ./auditconfig -getqhiwater
	   audit queue hiwater mark (records) =	100

       -getqlowater

	   Get low water point in undelivered audit records where blocked pro-
	   cesses will resume. For example:

	   # auditconfig -getqlowater
	   audit queue lowater mark (records) =	10

       -getstat

	   Print current audit statistics information. For example:

	   # auditconfig -getstat
	   gen nona kern  aud  ctl  enq	wrtn wblk rblk drop  tot  mem
	   910	  1  725  184	 0  910	 910	0  231	  0   88   48

       -gettid

	   Print audit terminal	ID for current process.	For example:

	   # auditconfig -gettid
	   terminal id (maj,min,host) =	235,197121,elbow(172.146.89.77)

       -lsevent

	   Display  the	 currently  configured (runtime) kernel	and user level
	   audit event information.

       -lspolicy

	   Display the kernel audit policies with a description	of  each  pol-
	   icy.

       -setasid	session-ID [cmd]

	   Execute shell or cmd	with specified session-ID. For example:

	   # ./auditconfig -setasid 2000 /bin/ksh
	   #
	   # ./auditconfig -getpinfo 104485
	   audit id = abc(666)
	   process preselection	mask = lo(0x1000,0x1000)
	   terminal id (maj,min,host) =	235,197121,elbow(172.146.89.77)
	   audit session id = 2000

       -setaudit audit-ID preselect_flags term-ID session-ID [cmd]

	   Execute shell or cmd	with the specified audit characteristics.

       -setauid	audit-ID [cmd]

	   Execute shell or cmd	with the specified audit-ID.

       -setclass event audit_flag[,audit_flag ...]

	   Map the kernel event	event to the classes specified by audit_flags.
	   event is an event number or name. An	audit_flag is a	two  character
	   string  representing	 an audit class. See audit_control(4) for fur-
	   ther	information. If	perzone	is not set, this option	is valid  only
	   in the global zone.

       -setfsize size

	   Set	the maximum size of an audit file to size bytes. When the size
	   limit is reached, the audit file is closed and another is started.

	   If perzone is not set, this option is  valid	 only  in  the	global
	   zone.

       -setkaudit IP-address_type IP_address

	   Set	IP  address of machine to specified values. IP-address_type is
	   ipv6	or ipv4.

	   If perzone is not set, this option is  valid	 only  in  the	global
	   zone.

       -setkmask audit_flags

	   Set non-attributes selection	flags of machine.

	   If  perzone	is  not	 set,  this option is valid only in the	global
	   zone.

       -setpmask pid flags

	   Set the preselection	mask of	the specified process.	flags  is  the
	   ASCII  representation  of  the  flags similar to that in audit_con-
	   trol(4).

	   If perzone is not set, this option is  valid	 only  in  the	global
	   zone.

       -setpolicy [+|-]policy_flag[,policy_flag	...]

	   Set	the  kernel  audit  policy.  A	policy	policy_flag is literal
	   strings that	denotes	an audit policy. A prefix of + adds the	 poli-
	   cies	specified to the current audit policies. A prefix of - removes
	   the policies	specified from the current audit policies. No policies
	   can be set from a local zone	unless the perzone policy is first set
	   from	the global zone. The  following	 are  the  valid  policy  flag
	   strings  (auditconfig  -lspolicy also lists the current valid audit
	   policy flag strings):

	   all	    Include all	policies that apply to the current zone.

	   ahlt	    Halt the machine if	an  asynchronous  audit	 event	occurs
		    that  cannot  be  delivered	 because  the  audit queue has
		    reached the	high-water mark	or because there are  insuffi-
		    cient  resources to	construct an audit record. By default,
		    records are	dropped	and a count is kept of the  number  of
		    dropped records.

	   arge	    Include  the execv(2) system call environment arguments to
		    the	audit record. This information is not included by  de-
		    fault.

	   argv	    Include  the  execv(2)  system call	parameter arguments to
		    the	audit record. This information is not included by  de-
		    fault.

	   cnt	    Do	not  suspend  processes	 when  audit resources are ex-
		    hausted. Instead, drop audit records and keep a  count  of
		    the	 number	 of  records  dropped. By default, process are
		    suspended until audit resources become available.

	   group    Include the	supplementary group token in audit records. By
		    default, the group token is	not included.

	   none	    Include  no	 policies.  If	used  in other than the	global
		    zone, the ahlt and perzone policies	are not	changed.

	   path	    Add	secondary path tokens to audit record. These are typi-
		    cally the pathnames	of dynamically linked shared libraries
		    or command interpreters for	 shell	scripts.  By  default,
		    they are not included.

	   public   Audit  public  files. By default, read-type	operations are
		    not	audited	for certain files which	meet public character-
		    istics:  owned  by root, readable by all, and not writable
		    by all.

	   trail    Include the	trailer	token in every audit  record.  By  de-
		    fault, the trailer token is	not included.

	   seq	    Include  the sequence token	as part	of every audit record.
		    By default,	the sequence token is not  included.  The  se-
		    quence  token  attaches  a	sequence number	to every audit
		    record.

       zonename

	   Include the zonename	token as part of every audit  record.  By  de-
	   fault, the zonename token is	not included. The zonename token gives
	   the name of the zone	from which the audit record was	generated.

       perzone

	   Maintain separate configuration, queues, and	logs for each zone and
	   execute a separate version of auditd(1M) for	each zone.

       -setqbufsz buffer_size

	   Set the audit queue write buffer size (bytes).

       -setqctrl hiwater lowater bufsz interval

	   Set the audit queue write buffer size (bytes), hiwater audit	record
	   count, lowater audit	record count,  and  wakeup  interval  (ticks).
	   Valid within	a local	zone only if perzone is	set.

       -setqdelay interval

	   Set	the  audit  queue wakeup interval (ticks). This	determines the
	   interval at which the kernel	pokes the audit	queue, to write	 audit
	   records  to the audit trail.	Valid within a local zone only if per-
	   zone	is set.

       -setqhiwater hiwater

	   Set the number of undelivered audit records in the audit  queue  at
	   which  audit	 record	 generation  blocks. Valid within a local zone
	   only	if perzone is set.

       -setqlowater lowater

	   Set the number of undelivered audit records in the audit  queue  at
	   which blocked auditing processes unblock. Valid within a local zone
	   only	if perzone is set.

       -setsmask asid flags

	   Set the preselection	mask of	all processes with the specified audit
	   session ID. Valid within a local zone only if perzone is set.

       -setstat

	   Reset  audit	statistics counters. Valid within a local zone only if
	   perzone is set.

       -setumask auid flags

	   Set the preselection	mask of	all processes with the specified audit
	   ID. Valid within a local zone only if perzone is set.

EXAMPLES
       Example 1: Using	auditconfig

       The following is	an example of an auditconfig program:

       #
       # map kernel audit event	number 10 to the "fr" audit class
       #
       % auditconfig -setclass 10 fr

       #
       # turn on inclusion of exec arguments in	exec audit records
       #
       % auditconfig -setpolicy	+argv

EXIT STATUS
       0	Successful completion.

       1	An error occurred.

FILES
       /etc/security/audit_event

       /etc/security/audit_class

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE	TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Availability		     |SUNWcsu			   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Evolving			   |
       +-----------------------------+-----------------------------+

SEE ALSO
       audit(1M),  auditd(1M), bsmconv(1M), praudit(1M), auditon(2), execv(2),
       audit_class(4), audit_control(4), audit_event(4), attributes(5)

NOTES
       If plugin output	is selected using audit_control(4),  the  behavior  of
       the system with respect to the -setpolicy +cnt and the -setqhiwater op-
       tions is	modified slightly. If -policy +cnt is set, data	will  continue
       to be sent to the selected plugin, even though output to	the binary au-
       dit log is stopped, pending the freeing of disk space. If -policy  -cnt
       is  used,  the  blocking	behavior is as described under OPTIONS,	above.
       The value set for the queue high	water mark is used  within  auditd  as
       the  default  value  for	its queue limits unless	overridden by means of
       the qsize attribute as described	in audit_control(4).

       The auditconfig options that modify or display  process-based  informa-
       tion  are  not affected by the perzone policy. Those that modify	system
       audit data such as the terminal id and audit queue parameters are valid
       only  in	the global zone, unless	the perzone policy is set. The display
       of a system audit reflects the local zone if perzone is set. Otherwise,
       it reflects the settings	of the global zone.

       The  -setcond  option has been removed. Use audit(1M) to	enable or dis-
       able auditing.

SunOS 5.10			  2 Jul	2004		       auditconfig(1M)

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | EXIT STATUS | FILES | ATTRIBUTES | SEE ALSO | NOTES

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=auditconfig&sektion=1m&manpath=SunOS+5.10>

home | help