2 .\" Copyright (c) 2005 Robert N. M. Watson
3 .\" Copyright (c) 2005 Tom Rhodes
4 .\" Copyright (c) 2005 Wayne J. Salamon
5 .\" All rights reserved.
7 .\" Redistribution and use in source and binary forms, with or without
8 .\" modification, are permitted provided that the following conditions
10 .\" 1. Redistributions of source code must retain the above copyright
11 .\" notice, this list of conditions and the following disclaimer.
12 .\" 2. Redistributions in binary form must reproduce the above copyright
13 .\" notice, this list of conditions and the following disclaimer in the
14 .\" documentation and/or other materials provided with the distribution.
16 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 .\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#8 $
35 .Nd "Configure system audit parameters"
39 .Fn auditon "int cmd" "void *data" "u_int length"
43 system call is used to manipulate various audit control operations.
45 should point to a structure whose type depends on the command.
47 specifies the size of the
51 may be any of the following:
52 .Bl -tag -width ".It Dv A_GETPINFO_ADDR"
54 Set audit policy flags.
56 must point to a long value set to one of the audit
57 policy control values defined in
66 case, the action will continue regardless if
67 an event will not be audited.
72 will result if an event will not be written to the
78 Set the kernel preselection masks (success and failure).
82 structure containing the mask values.
83 These masks are used for non-attributable audit event preselection.
85 Set kernel audit queue parameters.
89 structure containing the
90 kernel audit queue control settings:
93 .Va output buffer size ,
94 .Va percent min free disk space ,
108 Set the current auditing condition.
110 must point to a long value containing the new
111 audit condition, one of
117 Set the event class preselection mask for an audit event.
121 structure containing the audit event and mask.
123 Set the preselection masks for a process.
127 structure that contains the given process's audit
128 preselection masks for both success and failure.
130 Set the maximum size of the audit log file.
136 field set to the maximum audit log file size. A value of 0
137 indicates no limit to the size.
142 Return the event to class mapping for the designated audit event.
151 Return the audit settings for a process.
155 structure which will be set to contain
156 the audit ID, preselection mask, terminal ID, and audit session
157 ID of the given process.
158 .It Dv A_GETPINFO_ADDR
162 Return the current kernel preselection masks.
166 structure which will be set to
167 the current kernel preselection masks for non-attributable events.
169 Return the current audit policy setting.
171 must point to a long value which will be set to
172 one of the current audit policy flags.
179 Return the current kernel audit queue control parameters.
183 structure which will be set to the current
184 kernel audit queue control parameters.
186 Returns the maximum size of the audit log file.
192 field will be set to the maximum audit log file size.
193 A value of 0 indicates no limit to the size.
196 will be set to the current audit log file size.
198 .\" [COMMENTED OUT]: Valid description, not yet implemented.
199 .\" Return the current working directory as stored in the audit subsystem.
203 .\" [COMMENTED OUT]: Valid description, not yet implemented.
204 .\"Stores and returns the current active root as stored in the audit
209 .\" [COMMENTED OUT]: Valid description, not yet implemented.
210 .\"Return the statistics stored in the audit system.
214 Return the current auditing condition.
216 must point to a long value which will be set to
217 the current audit condition, either
222 Send a trigger to the audit daemon.
224 must point to a long value set to one of the acceptable
226 .Dv AUDIT_TRIGGER_LOW_SPACE
227 (low disk space where the audit log resides),
228 .Dv AUDIT_TRIGGER_OPEN_NEW
229 (open a new audit log file),
230 .Dv AUDIT_TRIGGER_READ_FILE
234 .Dv AUDIT_TRIGGER_CLOSE_AND_DIE
235 (close the current log file and exit),
237 .Dv AUDIT_TRIGGER_NO_SPACE
238 (no disk space left for audit log file).
245 function will fail if:
248 Returned by options not yet implemented.
250 A failure occurred while data transferred to or from
253 Illegal argument was passed by a system call.
255 The process does not have sufficient permission to complete
261 command is specific to the
263 and Mac OS X implementations, and is not present in Solaris.
271 .Xr getaudit_addr 2 ,
272 .Xr setaudit_addr 2 ,
275 This software was created by McAfee Research, the security research division
276 of McAfee, Inc., under contract to Apple Computer Inc.
277 Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
279 The Basic Security Module (BSM) interface to audit records and audit event
280 stream format were defined by Sun Microsystems.
282 This manual page was written by
283 .An Tom Rhodes Aq trhodes@FreeBSD.org ,
284 .An Robert Watson Aq rwatson@FreeBSD.org ,
286 .An Wayne Salamon Aq wsalamon@FreeBSD.org .
288 The OpenBSM implementation was created by McAfee Research, the security
289 division of McAfee Inc., under contract to Apple Computer Inc. in 2003.
290 It was subsequently adopted by the TrustedBSD Project as the foundation for
291 the OpenBSM distribution.