2 .\" Copyright (c) 2005 Robert N. M. Watson
3 .\" Copyright (c) 2005 Tom Rhodes
4 .\" Copyright (c) 2005 Wayne J. Salamon
5 .\" All rights reserved.
7 .\" Redistribution and use in source and binary forms, with or without
8 .\" modification, are permitted provided that the following conditions
10 .\" 1. Redistributions of source code must retain the above copyright
11 .\" notice, this list of conditions and the following disclaimer.
12 .\" 2. Redistributions in binary form must reproduce the above copyright
13 .\" notice, this list of conditions and the following disclaimer in the
14 .\" documentation and/or other materials provided with the distribution.
16 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 .\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#14 $
35 .Nd "configure system audit parameters"
39 .Fn auditon "int cmd" "void *data" "u_int length"
43 system call is used to manipulate various audit control operations.
47 should point to a structure whose type depends on the command.
57 may be any of the following:
58 .Bl -tag -width ".It Dv A_GETPINFO_ADDR"
60 Set audit policy flags.
66 value set to one or more the following audit
67 policy control values bitwise OR'ed together:
74 .Dv AUDIT_CNT is set, the system will continue even if it becomes low
75 on space and discontinue logging events until the low space condition is
77 If it is not set, audited events will block until the low space
78 condition is remedied.
79 Unaudited events, however, are unaffected.
81 .Dv AUDIT_AHLT is set, a
83 if it cannot write an event to the global audit log file.
86 is set, then the argument list passed to the
88 system call will be audited. If
90 is set, then the environment variables passed to the
92 system call will be audited. The default policy is none of the audit policy
99 Set the kernel preselection masks (success and failure).
105 structure containing the mask values as defined in
107 These masks are used for non-attributable audit event preselection.
110 specifies which classes of successful audit events are to be logged to the
111 audit trail. The field
113 specifies which classes of failed audit events are to be logged. The value of
114 both fields is the bitwise OR'ing of the audit event classes specified in
116 The various audit classes are described more fully in
119 Set kernel audit queue parameters.
125 structure (defined in
127 containing the kernel audit queue control settings:
136 defines the maximum number of audit record entries in the queue used to store
137 the audit records ready for delivery to disk.
138 New records are inserted at the tail of the queue and removed from the head.
139 For new records which would exceed the
140 high water mark, the calling thread is inserted into the wait queue, waiting
141 for the audit queue to have enough space available as defined with the field
145 defines the maximum length of the audit record that can be supplied with
152 specifies the minimum amount of free blocks on the disk device used to store
154 If the value of free blocks falls below the configured
155 minimum amount, the kernel informs the audit daemon about low disk space.
156 The value is to be specified in percent of free file system blocks.
157 A value of 0 results in a disabling of the check.
171 Set the current auditing condition.
177 value containing the new
178 audit condition, one of
185 is set, then auditing is temporarily suspended. If
187 is set, auditing is resumed. If
189 is set, the auditing system will
190 shutdown, draining all audit records and closing out the audit trail file.
192 Set the event class preselection mask for an audit event.
198 structure containing the audit event and mask.
201 is the audit event and
203 is the audit class mask. See
205 for more information on audit event to class mapping.
207 Set the preselection masks for a process.
213 structure that contains the given process's audit
214 preselection masks for both success and failure.
217 is the process id of the target process.
222 structure which holds the preselection masks as described in the
226 Set the maximum size of the audit log file.
234 field set to the maximum audit log file size.
236 indicates no limit to the size.
242 Return the event to class mapping for the designated audit event.
250 section above for more information.
256 Return the audit settings for a process.
262 structure which will be set to contain
266 (the preselection mask),
268 (the terminal ID), and
270 (the audit session ID)
271 of the given target process.
272 The process ID of the target process is passed
273 into the kernel using the
280 for more information.
281 .It Dv A_GETPINFO_ADDR
282 Return the extended audit settings for a process.
287 .Vt auditpinfo_addr_t
288 structure which is similar to the
289 .Vt auditpinfo_addr_t
290 structure described above.
293 (the terminal ID) field which points to a
295 structure can hold much a larger terminal address and an address type.
296 The process ID of the target process is passed into the kernel using the
303 for more information.
305 Return the current kernel preselection masks.
311 structure which will be set to
312 the current kernel preselection masks for non-attributable events.
314 Return the current audit policy setting.
320 value which will be set to
321 one of the current audit policy flags.
322 The audit policy flags are
327 Return the current kernel audit queue control parameters.
333 structure which will be set to the current
334 kernel audit queue control parameters.
337 section above for more information.
339 Returns the maximum size of the audit log file.
348 field will be set to the maximum audit log file size.
349 A value of 0 indicates no limit to the size.
353 will be set to the current audit log file size.
355 .\" [COMMENTED OUT]: Valid description, not yet implemented.
356 .\" Return the current working directory as stored in the audit subsystem.
361 .\" [COMMENTED OUT]: Valid description, not yet implemented.
362 .\"Stores and returns the current active root as stored in the audit
368 .\" [COMMENTED OUT]: Valid description, not yet implemented.
369 .\"Return the statistics stored in the audit system.
374 Return the current auditing condition.
380 value which will be set to
381 the current audit condition, one of
388 section above for more information.
390 Send a trigger to the audit daemon.
396 value set to one of the acceptable
398 .Dv AUDIT_TRIGGER_LOW_SPACE
399 (low disk space where the audit log resides),
400 .Dv AUDIT_TRIGGER_OPEN_NEW
401 (open a new audit log file),
402 .Dv AUDIT_TRIGGER_READ_FILE
406 .Dv AUDIT_TRIGGER_CLOSE_AND_DIE
407 (close the current log file and exit),
409 .Dv AUDIT_TRIGGER_NO_SPACE
410 (no disk space left for audit log file).
417 function will fail if:
420 Returned by options not yet implemented.
422 A failure occurred while data transferred to or from
425 Illegal argument was passed by a system call.
427 The process does not have sufficient permission to complete
433 command is specific to the
435 and Mac OS X implementations, and is not present in Solaris.
440 .Xr getaudit_addr 2 ,
443 .Xr setaudit_addr 2 ,
447 The OpenBSM implementation was created by McAfee Research, the security
448 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
449 It was subsequently adopted by the TrustedBSD Project as the foundation for
450 the OpenBSM distribution.
453 This software was created by McAfee Research, the security research division
454 of McAfee, Inc., under contract to Apple Computer Inc.
455 Additional authors include
460 The Basic Security Module (BSM) interface to audit records and audit event
461 stream format were defined by Sun Microsystems.
463 This manual page was written by
464 .An Tom Rhodes Aq trhodes@FreeBSD.org ,
465 .An Robert Watson Aq rwatson@FreeBSD.org ,
467 .An Wayne Salamon Aq wsalamon@FreeBSD.org .