2 .\" Copyright (c) 2008-2009 Apple Inc.
3 .\" Copyright (c) 2005 Robert N. M. Watson
4 .\" Copyright (c) 2005 Tom Rhodes
5 .\" Copyright (c) 2005 Wayne J. Salamon
6 .\" All rights reserved.
8 .\" Redistribution and use in source and binary forms, with or without
9 .\" modification, are permitted provided that the following conditions
11 .\" 1. Redistributions of source code must retain the above copyright
12 .\" notice, this list of conditions and the following disclaimer.
13 .\" 2. Redistributions in binary form must reproduce the above copyright
14 .\" notice, this list of conditions and the following disclaimer in the
15 .\" documentation and/or other materials provided with the distribution.
17 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 .Nd "configure system audit parameters"
38 .Fn auditon "int cmd" "void *data" "u_int length"
42 system call is used to manipulate various audit control operations.
46 should point to a structure whose type depends on the command.
56 may be any of the following:
57 .Bl -tag -width ".It Dv A_GETPINFO_ADDR"
59 Set audit policy flags.
65 value set to one or more the following audit
66 policy control values bitwise OR'ed together:
73 .Dv AUDIT_CNT is set, the system will continue even if it becomes low
74 on space and discontinue logging events until the low space condition is
76 If it is not set, audited events will block until the low space
77 condition is remedied.
78 Unaudited events, however, are unaffected.
80 .Dv AUDIT_AHLT is set, a
82 if it cannot write an event to the global audit log file.
85 is set, then the argument list passed to the
87 system call will be audited. If
89 is set, then the environment variables passed to the
91 system call will be audited. The default policy is none of the audit policy
94 Set the host information.
100 structure containing the host IP address information.
101 After setting, audit records
102 that are created as a result of kernel events will contain
105 Set the kernel preselection masks (success and failure).
111 structure containing the mask values as defined in
113 These masks are used for non-attributable audit event preselection.
116 specifies which classes of successful audit events are to be logged to the
117 audit trail. The field
119 specifies which classes of failed audit events are to be logged. The value of
120 both fields is the bitwise OR'ing of the audit event classes specified in
122 The various audit classes are described more fully in
125 Set kernel audit queue parameters.
131 structure (defined in
133 containing the kernel audit queue control settings:
142 defines the maximum number of audit record entries in the queue used to store
143 the audit records ready for delivery to disk.
144 New records are inserted at the tail of the queue and removed from the head.
145 For new records which would exceed the
146 high water mark, the calling thread is inserted into the wait queue, waiting
147 for the audit queue to have enough space available as defined with the field
151 defines the maximum length of the audit record that can be supplied with
158 specifies the minimum amount of free blocks on the disk device used to store
160 If the value of free blocks falls below the configured
161 minimum amount, the kernel informs the audit daemon about low disk space.
162 The value is to be specified in percent of free file system blocks.
163 A value of 0 results in a disabling of the check.
164 The default and maximum values (default/maximum) for the
165 audit queue control parameters are:
167 .Bl -column aq_hiwater -offset indent -compact
168 .It aq_hiwater Ta 100/10000 (audit records)
169 .It aq_lowater Ta 10/aq_hiwater (audit records)
170 .It aq_bufsz Ta 32767/1048576 (bytes)
171 .It aq_delay Ta (Not currently used.)
186 Set the current auditing condition.
192 value containing the new
193 audit condition, one of
200 is set, then auditing is temporarily suspended. If
202 is set, auditing is resumed. If
204 is set, the auditing system will
205 shutdown, draining all audit records and closing out the audit trail file.
207 Set the event class preselection mask for an audit event.
213 structure containing the audit event and mask.
216 is the audit event and
218 is the audit class mask. See
220 for more information on audit event to class mapping.
222 Set the preselection masks for a process.
228 structure that contains the given process's audit
229 preselection masks for both success and failure.
232 is the process id of the target process.
237 structure which holds the preselection masks as described in the
241 Set the maximum size of the audit log file.
249 field set to the maximum audit log file size.
251 indicates no limit to the size.
253 Return the event to class mapping for the designated audit event.
261 section above for more information.
263 Get the current host information.
271 Return the audit settings for a process.
277 structure which will be set to contain
281 (the preselection mask),
283 (the terminal ID), and
285 (the audit session ID)
286 of the given target process.
287 The process ID of the target process is passed
288 into the kernel using the
295 for more information.
296 .It Dv A_GETPINFO_ADDR
297 Return the extended audit settings for a process.
302 .Vt auditpinfo_addr_t
303 structure which is similar to the
304 .Vt auditpinfo_addr_t
305 structure described above.
308 (the terminal ID) field which points to a
310 structure can hold much a larger terminal address and an address type.
311 The process ID of the target process is passed into the kernel using the
318 for more information.
319 .It Dv A_GETSINFO_ADDR
320 Return the extended audit settings for a session.
327 The audit session ID of the target session is passed
328 into the kernel using the
332 for more information about the
336 Return the current kernel preselection masks.
342 structure which will be set to
343 the current kernel preselection masks for non-attributable events.
345 Return the current audit policy setting.
351 value which will be set to
352 one of the current audit policy flags.
353 The audit policy flags are
358 Return the current kernel audit queue control parameters.
364 structure which will be set to the current
365 kernel audit queue control parameters.
368 section above for more information.
370 Returns the maximum size of the audit log file.
379 field will be set to the maximum audit log file size.
380 A value of 0 indicates no limit to the size.
384 will be set to the current audit log file size.
386 .\" [COMMENTED OUT]: Valid description, not yet implemented.
387 .\" Return the current working directory as stored in the audit subsystem.
392 .\" [COMMENTED OUT]: Valid description, not yet implemented.
393 .\"Stores and returns the current active root as stored in the audit
399 .\" [COMMENTED OUT]: Valid description, not yet implemented.
400 .\"Return the statistics stored in the audit system.
405 Return the current auditing condition.
411 value which will be set to
412 the current audit condition, one of
419 section above for more information.
421 Send a trigger to the audit daemon.
427 value set to one of the acceptable
429 .Dv AUDIT_TRIGGER_LOW_SPACE
430 (low disk space where the audit log resides),
431 .Dv AUDIT_TRIGGER_OPEN_NEW
432 (open a new audit log file),
433 .Dv AUDIT_TRIGGER_READ_FILE
437 .Dv AUDIT_TRIGGER_CLOSE_AND_DIE
438 (close the current log file and exit),
439 .Dv AUDIT_TRIGGER_NO_SPACE
440 (no disk space left for audit log file).
441 .Dv AUDIT_TRIGGER_ROTATE_USER
442 (request audit log file rotation).
443 .Dv AUDIT_TRIGGER_INITIALIZE
444 (initialize audit subsystem for Mac OS X only).
446 .Dv AUDIT_TRIGGER_EXPIRE_TRAILS
447 (request audit log file expiration).
454 function will fail if:
457 Returned by options not yet implemented.
459 A failure occurred while data transferred to or from
462 Illegal argument was passed by a system call.
464 The process does not have sufficient permission to complete
470 command is specific to the
472 and Mac OS X implementations, and is not present in Solaris.
477 .Xr getaudit_addr 2 ,
480 .Xr setaudit_addr 2 ,
484 The OpenBSM implementation was created by McAfee Research, the security
485 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
486 It was subsequently adopted by the TrustedBSD Project as the foundation for
487 the OpenBSM distribution.
490 This software was created by McAfee Research, the security research division
491 of McAfee, Inc., under contract to Apple Computer Inc.
492 Additional authors include
497 The Basic Security Module (BSM) interface to audit records and audit event
498 stream format were defined by Sun Microsystems.
500 This manual page was written by
501 .An Tom Rhodes Aq trhodes@FreeBSD.org ,
502 .An Robert Watson Aq rwatson@FreeBSD.org ,
504 .An Wayne Salamon Aq wsalamon@FreeBSD.org .