Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
AUDITON(2)		    BSD	System Calls Manual		    AUDITON(2)

NAME
     auditon --	configure system audit parameters

SYNOPSIS
     #include <bsm/audit.h>

     int
     auditon(int cmd, void *data, u_int	length);

DESCRIPTION
     The auditon() system call is used to manipulate various audit control op-
     erations.	The data argument should point to a structure whose type de-
     pends on the command.  The	length argument	specifies the size of *data in
     bytes.  The cmd argument may be any of the	following:

     A_SETPOLICY      Set audit	policy flags.  The data	argument must point to
		      a	int value set to one or	more the following audit pol-
		      icy control values bitwise OR'ed together: AUDIT_CNT,
		      AUDIT_AHLT, AUDIT_ARGV, and AUDIT_ARGE.  If AUDIT_CNT is
		      set, the system will continue even if it becomes low on
		      space and	discontinue logging events until the low space
		      condition	is remedied.  If it is not set,	audited	events
		      will block until the low space condition is remedied.
		      Unaudited	events,	however, are unaffected.  If
		      AUDIT_AHLT is set, a panic(9) if it cannot write an
		      event to the global audit	log file.  If AUDIT_ARGV is
		      set, then	the argument list passed to the	execve(2) sys-
		      tem call will be audited.	 If AUDIT_ARGE is set, then
		      the environment variables	passed to the execve(2)	system
		      call will	be audited.  The default policy	is none	of the
		      audit policy control flags set.

     A_SETKAUDIT      Set the host information.	 The data argument must	point
		      to a auditinfo_addr_t structure containing the host IP
		      address information.  After setting, audit records that
		      are created as a result of kernel	events will contain
		      this information.

     A_SETKMASK	      Set the kernel preselection masks	(success and failure).
		      The data argument	must point to a	au_mask_t structure
		      containing the mask values as defined in <bsm/audit.h>.
		      These masks are used for non-attributable	audit event
		      preselection.  The field am_success specifies which
		      classes of successful audit events are to	be logged to
		      the audit	trail.	The field am_failure specifies which
		      classes of failed	audit events are to be logged.	The
		      value of both fields is the bitwise OR'ing of the	audit
		      event classes specified in bsm/audit.h.  The various au-
		      dit classes are described	more fully in audit_class(5).

     A_SETQCTRL	      Set kernel audit queue parameters.  The data argument
		      must point to a au_qctrl_t structure (defined in
		      <bsm/audit.h>) containing	the kernel audit queue control
		      settings:	aq_hiwater, aq_lowater,	aq_bufsz, aq_delay,
		      and aq_minfree.  The field aq_hiwater defines the	maxi-
		      mum number of audit record entries in the	queue used to
		      store the	audit records ready for	delivery to disk.  New
		      records are inserted at the tail of the queue and	re-
		      moved from the head.  For	new records which would	exceed
		      the high water mark, the calling thread is inserted into
		      the wait queue, waiting for the audit queue to have
		      enough space available as	defined	with the field
		      aq_lowater.  The field aq_bufsz defines the maximum
		      length of	the audit record that can be supplied with
		      audit(2).	 The field aq_delay is unused.	The field
		      aq_minfree specifies the minimum amount of free blocks
		      on the disk device used to store audit records.  If the
		      value of free blocks falls below the configured minimum
		      amount, the kernel informs the audit daemon about	low
		      disk space.  The value is	to be specified	in percent of
		      free file	system blocks.	A value	of 0 results in	a dis-
		      abling of	the check.  The	default	and maximum values
		      (default/maximum)	for the	audit queue control parameters
		      are:

			    aq_hiwater	  100/10000 (audit records)
			    aq_lowater	  10/aq_hiwater	(audit records)
			    aq_bufsz	  32767/1048576	(bytes)
			    aq_delay	  (Not currently used.)

     A_SETSTAT	      Return ENOSYS.  (Not implemented.)

     A_SETUMASK	      Return ENOSYS.  (Not implemented.)

     A_SETSMASK	      Return ENOSYS.  (Not implemented.)

     A_SETCOND	      Set the current auditing condition.  The data argument
		      must point to a int value	containing the new audit con-
		      dition, one of AUC_AUDITING, AUC_NOAUDIT,	or
		      AUC_DISABLED.  If	AUC_NOAUDIT is set, then auditing is
		      temporarily suspended.  If AUC_AUDITING is set, auditing
		      is resumed.  If AUC_DISABLED is set, the auditing	system
		      will shutdown, draining all audit	records	and closing
		      out the audit trail file.

     A_SETCLASS	      Set the event class preselection mask for	an audit
		      event.  The data argument	must point to a
		      au_evclass_map_t structure containing the	audit event
		      and mask.	 The field ec_number is	the audit event	and
		      ec_class is the audit class mask.	 See audit_event(5)
		      for more information on audit event to class mapping.

     A_SETPMASK	      Set the preselection masks for a process.	 The data ar-
		      gument must point	to a auditpinfo_t structure that con-
		      tains the	given process's	audit preselection masks for
		      both success and failure.	 The field ap_pid is the
		      process id of the	target process.	 The field ap_mask
		      must point to a au_mask_t	structure which	holds the pre-
		      selection	masks as described in the A_SETKMASK section
		      above.

     A_SETFSIZE	      Set the maximum size of the audit	log file.  The data
		      argument must point to a au_fstat_t structure with the
		      af_filesz	field set to the maximum audit log file	size.
		      A	value of 0 indicates no	limit to the size.

     A_GETCLASS	      Return the event to class	mapping	for the	designated au-
		      dit event.  The data argument must point to a
		      au_evclass_map_t structure.  See the A_SETCLASS section
		      above for	more information.

     A_GETKAUDIT      Get the current host information.	 The data argument
		      must point to a auditinfo_addr_t structure.

     A_GETPINFO	      Return the audit settings	for a process.	The data argu-
		      ment must	point to a auditpinfo_t	structure which	will
		      be set to	contain	ap_auid	(the audit ID),	ap_mask	(the
		      preselection mask), ap_termid (the terminal ID), and
		      ap_asid (the audit session ID) of	the given target
		      process.	The process ID of the target process is	passed
		      into the kernel using the	ap_pid field.  See the section
		      A_SETPMASK above and getaudit(2) for more	information.

     A_GETPINFO_ADDR  Return the extended audit	settings for a process.	 The
		      data argument must point to a auditpinfo_addr_t struc-
		      ture which is similar to the auditpinfo_t	structure de-
		      scribed above.  The exception is the ap_termid (the ter-
		      minal ID)	field which points to a	au_tid_addr_t struc-
		      ture can hold much a larger terminal address and an ad-
		      dress type.  The process ID of the target	process	is
		      passed into the kernel using the ap_pid field.  See the
		      section A_SETPMASK above and getaudit(2) for more	infor-
		      mation.

     A_GETSINFO_ADDR  Return the extended audit	settings for a session.	 The
		      data argument must point to a auditinfo_addr_t struc-
		      ture.  The audit session ID of the target	session	is
		      passed into the kernel using the ai_asid field.  See
		      getaudit_addr(2) for more	information about the
		      auditinfo_addr_t structure.

     A_GETKMASK	      Return the current kernel	preselection masks.  The data
		      argument must point to a au_mask_t structure which will
		      be set to	the current kernel preselection	masks for non-
		      attributable events.

     A_GETPOLICY      Return the current audit policy setting.	The data argu-
		      ment must	point to a int value which will	be set to one
		      of the current audit policy flags.  The audit policy
		      flags are	described in the A_SETPOLICY section above.

     A_GETQCTRL	      Return the current kernel	audit queue control parame-
		      ters.  The data argument must point to a au_qctrl_t
		      structure	which will be set to the current kernel	audit
		      queue control parameters.	 See the A_SETQCTL section
		      above for	more information.

     A_GETFSIZE	      Returns the maximum size of the audit log	file.  The
		      data argument must point to a au_fstat_t structure.  The
		      af_filesz	field will be set to the maximum audit log
		      file size.  A value of 0 indicates no limit to the size.
		      The af_currsz field will be set to the current audit log
		      file size.

     A_GETCWD	      Return ENOSYS.  (Not implemented.)

     A_GETCAR	      Return ENOSYS.  (Not implemented.)

     A_GETSTAT	      Return ENOSYS.  (Not implemented.)

     A_GETCOND	      Return the current auditing condition.  The data argu-
		      ment must	point to a int value which will	be set to the
		      current audit condition, one of AUC_AUDITING,
		      AUC_NOAUDIT or AUC_DISABLED.  See	the A_SETCOND section
		      above for	more information.

     A_SENDTRIGGER    Send a trigger to	the audit daemon.  The data argument
		      must point to a int value	set to one of the acceptable
		      trigger values: AUDIT_TRIGGER_LOW_SPACE (low disk	space
		      where the	audit log resides), AUDIT_TRIGGER_OPEN_NEW
		      (open a new audit	log file), AUDIT_TRIGGER_READ_FILE
		      (read the	audit_control file),
		      AUDIT_TRIGGER_CLOSE_AND_DIE (close the current log file
		      and exit), AUDIT_TRIGGER_NO_SPACE	(no disk space left
		      for audit	log file).  AUDIT_TRIGGER_ROTATE_USER (request
		      audit log	file rotation).	 AUDIT_TRIGGER_INITIALIZE
		      (initialize audit	subsystem for Mac OS X only).  or
		      AUDIT_TRIGGER_EXPIRE_TRAILS (request audit log file ex-
		      piration).

RETURN VALUES
     Upon successful completion, the value 0 is	returned; otherwise the
     value -1 is returned and the global variable errno	is set to indicate the
     error.

ERRORS
     The auditon() function will fail if:

     [ENOSYS]		Returned by options not	yet implemented.

     [EFAULT]		A failure occurred while data transferred to or	from
			the kernel failed.

     [EINVAL]		Illegal	argument was passed by a system	call.

     [EPERM]		The process does not have sufficient permission	to
			complete the operation.

     The A_SENDTRIGGER command is specific to the FreeBSD and Mac OS X imple-
     mentations, and is	not present in Solaris.

SEE ALSO
     audit(2), auditctl(2), getaudit(2), getaudit_addr(2), getauid(2),
     setaudit(2), setaudit_addr(2), setauid(2),	libbsm(3)

HISTORY
     The OpenBSM implementation	was created by McAfee Research,	the security
     division of McAfee	Inc., under contract to	Apple Computer Inc. in 2004.
     It	was subsequently adopted by the	TrustedBSD Project as the foundation
     for the OpenBSM distribution.

AUTHORS
     This software was created by McAfee Research, the security	research divi-
     sion of McAfee, Inc., under contract to Apple Computer Inc.  Additional
     authors include Wayne Salamon, Robert Watson, and SPARTA Inc.

     The Basic Security	Module (BSM) interface to audit	records	and audit
     event stream format were defined by Sun Microsystems.

     This manual page was written by Tom Rhodes	<trhodes@FreeBSD.org>, Robert
     Watson <rwatson@FreeBSD.org>, and Wayne Salamon <wsalamon@FreeBSD.org>.

BSD				 April 7, 2016				   BSD

NAME | SYNOPSIS | DESCRIPTION | RETURN VALUES | ERRORS | SEE ALSO | HISTORY | AUTHORS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=auditon&sektion=2&manpath=FreeBSD+12.0-RELEASE+and+Ports>

home | help