Skip site navigation (1)Skip section navigation (2)

FreeBSD Man Pages

Man Page or Keyword Search:
Man Architecture
Apropos Keyword Search (all sections) Output format
home | help
AUDITON(2)                FreeBSD System Calls Manual               AUDITON(2)

NAME
     auditon - configure system audit parameters

SYNOPSIS
     #include <bsm/audit.h>

     int
     auditon(int cmd, void *data, u_int length);

DESCRIPTION
     The auditon() system call is used to manipulate various audit control
     operations.  The data argument should point to a structure whose type
     depends on the command.  The length argument specifies the size of *data
     in bytes.  The cmd argument may be any of the following:

     A_SETPOLICY             Set audit policy flags.  The data argument must
                             point to a int value set to one or more the
                             following audit policy control values bitwise
                             OR'ed together: AUDIT_CNT, AUDIT_AHLT,
                             AUDIT_ARGV, and AUDIT_ARGE.  If AUDIT_CNT is set,
                             the system will continue even if it becomes low
                             on space and discontinue logging events until the
                             low space condition is remedied.  If it is not
                             set, audited events will block until the low
                             space condition is remedied.  Unaudited events,
                             however, are unaffected.  If AUDIT_AHLT is set, a
                             panic(9) if it cannot write an event to the
                             global audit log file.  If AUDIT_ARGV is set,
                             then the argument list passed to the execve(2)
                             system call will be audited.  If AUDIT_ARGE is
                             set, then the environment variables passed to the
                             execve(2) system call will be audited.  The
                             default policy is none of the audit policy
                             control flags set.

     A_SETKAUDIT             Set the host information.  The data argument must
                             point to a auditinfo_addr_t structure containing
                             the host IP address information.  After setting,
                             audit records that are created as a result of
                             kernel events will contain this information.

     A_SETKMASK              Set the kernel preselection masks (success and
                             failure).  The data argument must point to a
                             au_mask_t structure containing the mask values as
                             defined in <bsm/audit.h>.  These masks are used
                             for non-attributable audit event preselection.
                             The field am_success specifies which classes of
                             successful audit events are to be logged to the
                             audit trail. The field am_failure specifies which
                             classes of failed audit events are to be logged.
                             The value of both fields is the bitwise OR'ing of
                             the audit event classes specified in bsm/audit.h.
                             The various audit classes are described more
                             fully in audit_class(5).

     A_SETQCTRL              Set kernel audit queue parameters.  The data
                             argument must point to a au_qctrl_t structure
                             (defined in <bsm/audit.h>) containing the kernel
                             audit queue control settings: aq_hiwater,
                             aq_lowater, aq_bufsz, aq_delay, and aq_minfree.
                             The field aq_hiwater defines the maximum number
                             of audit record entries in the queue used to
                             store the audit records ready for delivery to
                             disk.  New records are inserted at the tail of
                             the queue and removed from the head.  For new
                             records which would exceed the high water mark,
                             the calling thread is inserted into the wait
                             queue, waiting for the audit queue to have enough
                             space available as defined with the field
                             aq_lowater.  The field aq_bufsz defines the
                             maximum length of the audit record that can be
                             supplied with audit(2).  The field aq_delay is
                             unused.  The field aq_minfree specifies the
                             minimum amount of free blocks on the disk device
                             used to store audit records.  If the value of
                             free blocks falls below the configured minimum
                             amount, the kernel informs the audit daemon about
                             low disk space.  The value is to be specified in
                             percent of free file system blocks.  A value of 0
                             results in a disabling of the check.  The default
                             and maximum values (default/maximum) for the
                             audit queue control parameters are:

                                   aq_hiwater    100/10000 (audit records)
                                   aq_lowater    10/aq_hiwater (audit records)
                                   aq_bufsz      32767/1048576 (bytes)
                                   aq_delay      (Not currently used.)

     A_SETSTAT               Return ENOSYS.  (Not implemented.)

     A_SETUMASK              Return ENOSYS.  (Not implemented.)

     A_SETSMASK              Return ENOSYS.  (Not implemented.)

     A_SETCOND               Set the current auditing condition.  The data
                             argument must point to a int value containing the
                             new audit condition, one of AUC_AUDITING,
                             AUC_NOAUDIT, or AUC_DISABLED.  If AUC_NOAUDIT is
                             set, then auditing is temporarily suspended. If
                             AUC_AUDITING is set, auditing is resumed. If
                             AUC_DISABLED is set, the auditing system will
                             shutdown, draining all audit records and closing
                             out the audit trail file.

     A_SETCLASS              Set the event class preselection mask for an
                             audit event.  The data argument must point to a
                             au_evclass_map_t structure containing the audit
                             event and mask.  The field ec_number is the audit
                             event and ec_class is the audit class mask. See
                             audit_event(5) for more information on audit
                             event to class mapping.

     A_SETPMASK              Set the preselection masks for a process.  The
                             data argument must point to a auditpinfo_t
                             structure that contains the given process's audit
                             preselection masks for both success and failure.
                             The field ap_pid is the process id of the target
                             process.  The field ap_mask must point to a
                             au_mask_t structure which holds the preselection
                             masks as described in the A_SETKMASK section
                             above.

     A_SETFSIZE              Set the maximum size of the audit log file.  The
                             data argument must point to a au_fstat_t
                             structure with the af_filesz field set to the
                             maximum audit log file size.  A value of 0
                             indicates no limit to the size.

     A_GETCLASS              Return the event to class mapping for the
                             designated audit event.  The data argument must
                             point to a au_evclass_map_t structure. See the
                             A_SETCLASS section above for more information.

     A_GETKAUDIT             Get the current host information.  The data
                             argument must point to a auditinfo_addr_t
                             structure.

     A_GETPINFO              Return the audit settings for a process.  The
                             data argument must point to a auditpinfo_t
                             structure which will be set to contain ap_auid
                             (the audit ID), ap_mask (the preselection mask),
                             ap_termid (the terminal ID), and ap_asid (the
                             audit session ID) of the given target process.
                             The process ID of the target process is passed
                             into the kernel using the ap_pid field.  See the
                             section A_SETPMASK above and getaudit(2) for more
                             information.

     A_GETPINFO_ADDR         Return the extended audit settings for a process.
                             The data argument must point to a
                             auditpinfo_addr_t structure which is similar to
                             the auditpinfo_addr_t structure described above.
                             The exception is the ap_termid (the terminal ID)
                             field which points to a au_tid_addr_t structure
                             can hold much a larger terminal address and an
                             address type.  The process ID of the target
                             process is passed into the kernel using the
                             ap_pid field.  See the section A_SETPMASK above
                             and getaudit(2) for more information.

     A_GETSINFO_ADDR         Return the extended audit settings for a session.
                             The data argument must point to a
                             auditinfo_addr_t structure.  The audit session ID
                             of the target session is passed into the kernel
                             using the ai_asid field.  See getaudit_addr(2)
                             for more information about the auditinfo_addr_t
                             structure.

     A_GETKMASK              Return the current kernel preselection masks.
                             The data argument must point to a au_mask_t
                             structure which will be set to the current kernel
                             preselection masks for non-attributable events.

     A_GETPOLICY             Return the current audit policy setting.  The
                             data argument must point to a int value which
                             will be set to one of the current audit policy
                             flags.  The audit policy flags are described in
                             the A_SETPOLICY section above.

     A_GETQCTRL              Return the current kernel audit queue control
                             parameters.  The data argument must point to a
                             au_qctrl_t structure which will be set to the
                             current kernel audit queue control parameters.
                             See the A_SETQCTL section above for more
                             information.

     A_GETFSIZE              Returns the maximum size of the audit log file.
                             The data argument must point to a au_fstat_t
                             structure.  The af_filesz field will be set to
                             the maximum audit log file size.  A value of 0
                             indicates no limit to the size.  The af_currsz
                             field will be set to the current audit log file
                             size.

     A_GETCWD                Return ENOSYS.  (Not implemented.)

     A_GETCAR                Return ENOSYS.  (Not implemented.)

     A_GETSTAT               Return ENOSYS.  (Not implemented.)

     A_GETCOND               Return the current auditing condition.  The data
                             argument must point to a int value which will be
                             set to the current audit condition, one of
                             AUC_AUDITING, AUC_NOAUDIT or AUC_DISABLED.  See
                             the A_SETCOND section above for more information.

     A_SENDTRIGGER           Send a trigger to the audit daemon.  The data
                             argument must point to a int value set to one of
                             the acceptable trigger values:
                             AUDIT_TRIGGER_LOW_SPACE (low disk space where the
                             audit log resides), AUDIT_TRIGGER_OPEN_NEW (open
                             a new audit log file), AUDIT_TRIGGER_READ_FILE
                             (read the audit_control file),
                             AUDIT_TRIGGER_CLOSE_AND_DIE (close the current
                             log file and exit), AUDIT_TRIGGER_NO_SPACE (no
                             disk space left for audit log file).
                             AUDIT_TRIGGER_ROTATE_USER (request audit log file
                             rotation).  AUDIT_TRIGGER_INITIALIZE (initialize
                             audit subsystem for Mac OS X only).  or
                             AUDIT_TRIGGER_EXPIRE_TRAILS (request audit log
                             file expiration).

RETURN VALUES
     Upon successful completion, the value 0 is returned; otherwise the
     value -1 is returned and the global variable errno is set to indicate the
     error.

ERRORS
     The auditon() function will fail if:

     [ENOSYS]           Returned by options not yet implemented.

     [EFAULT]           A failure occurred while data transferred to or from
                        the kernel failed.

     [EINVAL]           Illegal argument was passed by a system call.

     [EPERM]            The process does not have sufficient permission to
                        complete the operation.

     The A_SENDTRIGGER command is specific to the FreeBSD and Mac OS X
     implementations, and is not present in Solaris.

SEE ALSO
     audit(2), auditctl(2), getaudit(2), getaudit_addr(2), getauid(2),
     setaudit(2), setaudit_addr(2), setauid(2), libbsm(3)

HISTORY
     The OpenBSM implementation was created by McAfee Research, the security
     division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
     It was subsequently adopted by the TrustedBSD Project as the foundation
     for the OpenBSM distribution.

AUTHORS
     This software was created by McAfee Research, the security research
     division of McAfee, Inc., under contract to Apple Computer Inc.
     Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.

     The Basic Security Module (BSM) interface to audit records and audit
     event stream format were defined by Sun Microsystems.

     This manual page was written by Tom Rhodes <trhodes@FreeBSD.org>, Robert
     Watson <rwatson@FreeBSD.org>, and Wayne Salamon <wsalamon@FreeBSD.org>.

FreeBSD 11.0-PRERELEASE        January 29, 2009        FreeBSD 11.0-PRERELEASE

NAME | SYNOPSIS | DESCRIPTION | RETURN VALUES | ERRORS | SEE ALSO | HISTORY | AUTHORS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=auditon&sektion=2&manpath=FreeBSD+9.3-RELEASE>

home | help