2 .\" Copyright (c) 2008-2009 Apple Inc.
3 .\" Copyright (c) 2005 Robert N. M. Watson
4 .\" Copyright (c) 2005 Tom Rhodes
5 .\" Copyright (c) 2005 Wayne J. Salamon
6 .\" All rights reserved.
8 .\" Redistribution and use in source and binary forms, with or without
9 .\" modification, are permitted provided that the following conditions
11 .\" 1. Redistributions of source code must retain the above copyright
12 .\" notice, this list of conditions and the following disclaimer.
13 .\" 2. Redistributions in binary form must reproduce the above copyright
14 .\" notice, this list of conditions and the following disclaimer in the
15 .\" documentation and/or other materials provided with the distribution.
17 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 .Nd "configure system audit parameters"
38 .Fn auditon "int cmd" "void *data" "u_int length"
42 system call is used to manipulate various audit control operations.
46 should point to a structure whose type depends on the command.
56 may be any of the following:
57 .Bl -tag -width ".It Dv A_GETPINFO_ADDR"
59 Set audit policy flags.
65 value set to one or more the following audit
66 policy control values bitwise OR'ed together:
73 .Dv AUDIT_CNT is set, the system will continue even if it becomes low
74 on space and discontinue logging events until the low space condition is
76 If it is not set, audited events will block until the low space
77 condition is remedied.
78 Unaudited events, however, are unaffected.
80 .Dv AUDIT_AHLT is set, a
82 if it cannot write an event to the global audit log file.
85 is set, then the argument list passed to the
87 system call will be audited.
90 is set, then the environment variables passed to the
92 system call will be audited.
93 The default policy is none of the audit policy
96 Set the host information.
102 structure containing the host IP address information.
103 After setting, audit records
104 that are created as a result of kernel events will contain
107 Set the kernel preselection masks (success and failure).
113 structure containing the mask values as defined in
115 These masks are used for non-attributable audit event preselection.
118 specifies which classes of successful audit events are to be logged to the
122 specifies which classes of failed audit events are to be logged.
124 both fields is the bitwise OR'ing of the audit event classes specified in
126 The various audit classes are described more fully in
129 Set kernel audit queue parameters.
135 structure (defined in
137 containing the kernel audit queue control settings:
146 defines the maximum number of audit record entries in the queue used to store
147 the audit records ready for delivery to disk.
148 New records are inserted at the tail of the queue and removed from the head.
149 For new records which would exceed the
150 high water mark, the calling thread is inserted into the wait queue, waiting
151 for the audit queue to have enough space available as defined with the field
155 defines the maximum length of the audit record that can be supplied with
162 specifies the minimum amount of free blocks on the disk device used to store
164 If the value of free blocks falls below the configured
165 minimum amount, the kernel informs the audit daemon about low disk space.
166 The value is to be specified in percent of free file system blocks.
167 A value of 0 results in a disabling of the check.
168 The default and maximum values (default/maximum) for the
169 audit queue control parameters are:
171 .Bl -column aq_hiwater -offset indent -compact
172 .It aq_hiwater Ta 100/10000 (audit records)
173 .It aq_lowater Ta 10/aq_hiwater (audit records)
174 .It aq_bufsz Ta 32767/1048576 (bytes)
175 .It aq_delay Ta (Not currently used.)
190 Set the current auditing condition.
196 value containing the new
197 audit condition, one of
204 is set, then auditing is temporarily suspended.
207 is set, auditing is resumed.
210 is set, the auditing system will
211 shutdown, draining all audit records and closing out the audit trail file.
213 Set the event class preselection mask for an audit event.
219 structure containing the audit event and mask.
222 is the audit event and
224 is the audit class mask.
227 for more information on audit event to class mapping.
229 Set the preselection masks for a process.
235 structure that contains the given process's audit
236 preselection masks for both success and failure.
239 is the process id of the target process.
244 structure which holds the preselection masks as described in the
248 Set the maximum size of the audit log file.
256 field set to the maximum audit log file size.
258 indicates no limit to the size.
260 Return the event to class mapping for the designated audit event.
269 section above for more information.
271 Get the current host information.
279 Return the audit settings for a process.
285 structure which will be set to contain
289 (the preselection mask),
291 (the terminal ID), and
293 (the audit session ID)
294 of the given target process.
295 The process ID of the target process is passed
296 into the kernel using the
303 for more information.
304 .It Dv A_GETPINFO_ADDR
305 Return the extended audit settings for a process.
310 .Vt auditpinfo_addr_t
311 structure which is similar to the
313 structure described above.
316 (the terminal ID) field which points to a
318 structure can hold much a larger terminal address and an address type.
319 The process ID of the target process is passed into the kernel using the
326 for more information.
327 .It Dv A_GETSINFO_ADDR
328 Return the extended audit settings for a session.
335 The audit session ID of the target session is passed
336 into the kernel using the
341 for more information about the
345 Return the current kernel preselection masks.
351 structure which will be set to
352 the current kernel preselection masks for non-attributable events.
354 Return the current audit policy setting.
360 value which will be set to
361 one of the current audit policy flags.
362 The audit policy flags are
367 Return the current kernel audit queue control parameters.
373 structure which will be set to the current
374 kernel audit queue control parameters.
377 section above for more information.
379 Returns the maximum size of the audit log file.
388 field will be set to the maximum audit log file size.
389 A value of 0 indicates no limit to the size.
393 will be set to the current audit log file size.
395 .\" [COMMENTED OUT]: Valid description, not yet implemented.
396 .\" Return the current working directory as stored in the audit subsystem.
401 .\" [COMMENTED OUT]: Valid description, not yet implemented.
402 .\"Stores and returns the current active root as stored in the audit
408 .\" [COMMENTED OUT]: Valid description, not yet implemented.
409 .\"Return the statistics stored in the audit system.
414 Return the current auditing condition.
420 value which will be set to
421 the current audit condition, one of
428 section above for more information.
430 Send a trigger to the audit daemon.
436 value set to one of the acceptable
438 .Dv AUDIT_TRIGGER_LOW_SPACE
439 (low disk space where the audit log resides),
440 .Dv AUDIT_TRIGGER_OPEN_NEW
441 (open a new audit log file),
442 .Dv AUDIT_TRIGGER_READ_FILE
446 .Dv AUDIT_TRIGGER_CLOSE_AND_DIE
447 (close the current log file and exit),
448 .Dv AUDIT_TRIGGER_NO_SPACE
449 (no disk space left for audit log file).
450 .Dv AUDIT_TRIGGER_ROTATE_USER
451 (request audit log file rotation).
452 .Dv AUDIT_TRIGGER_INITIALIZE
453 (initialize audit subsystem for Mac OS X only).
455 .Dv AUDIT_TRIGGER_EXPIRE_TRAILS
456 (request audit log file expiration).
463 function will fail if:
466 Returned by options not yet implemented.
468 A failure occurred while data transferred to or from
471 Illegal argument was passed by a system call.
473 The process does not have sufficient permission to complete
479 command is specific to the
481 and Mac OS X implementations, and is not present in Solaris.
486 .Xr getaudit_addr 2 ,
489 .Xr setaudit_addr 2 ,
493 The OpenBSM implementation was created by McAfee Research, the security
494 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
495 It was subsequently adopted by the TrustedBSD Project as the foundation for
496 the OpenBSM distribution.
499 This software was created by McAfee Research, the security research division
500 of McAfee, Inc., under contract to Apple Computer Inc.
501 Additional authors include
506 The Basic Security Module (BSM) interface to audit records and audit event
507 stream format were defined by Sun Microsystems.
509 This manual page was written by
510 .An Tom Rhodes Aq trhodes@FreeBSD.org ,
511 .An Robert Watson Aq rwatson@FreeBSD.org ,
513 .An Wayne Salamon Aq wsalamon@FreeBSD.org .