OpenSolaris 2009.06 - man page for auditon (opensolaris section 2)

auditon(2)				   System Calls 			       auditon(2)

NAME
       auditon - manipulate auditing

SYNOPSIS
       cc [ flag... ] file... -lbsm  -lsocket	-lnsl  [ library... ]
       #include <sys/param.h>
       #include <bsm/libbsm.h>

       int auditon(int cmd, caddr_t data, int length);

DESCRIPTION
       The  auditon() function performs various audit subsystem control operations. The cmd argu-
       ment designates the particular audit control command. The data argument is  a  pointer  to
       command-specific  data. The length argument is the length in bytes of the command-specific
       data.

       The following commands are supported:

       A_GETCOND

	   Return the system audit on/off/disabled condition in the integer pointed to	by  data.
	   The following values can be returned:

	   AUC_AUDITING    Auditing has been turned on.

	   AUC_DISABLED    Auditing system has not been enabled.

	   AUC_NOAUDIT	   Auditing has been turned off.

	   AUC_NOSPACE	   Auditing has blocked due to lack of space in audit partition.

       A_SETCOND

	   Set	the  system's  audit  on/off  condition to the value in the integer pointed to by
	   data. The BSM audit module must be enabled  by  bsmconv(1M)	before	auditing  can  be
	   turned on. The following audit states can be set:

	   AUC_AUDITING    Turns on audit record generation.

	   AUC_NOAUDIT	   Turns off audit record generation.

       A_GETCLASS

	   Return  the	event  to class mapping for the designated audit event. The data argument
	   points to the au_evclass_map structure containing the event number.	The  preselection
	   class mask is returned in the same structure.

       A_SETCLASS

	   Set	the  event class preselection mask for the designated audit event. The data argu-
	   ment points to the au_evclass_map structure containing  the	event  number  and  class
	   mask.

       A_GETKMASK

	   Return  the kernel preselection mask in the au_mask structure pointed to by data. This
	   is the mask used to preselect non-attributable audit events.

       A_SETKMASK

	   Set the kernel preselection mask. The data argument points to  the  au_mask	structure
	   containing  the  class mask. This is the mask used to preselect non-attributable audit
	   events.

       A_GETPINFO

	   Return the audit ID, preselection mask, terminal ID and audit session ID of the speci-
	   fied process in the auditpinfo structure pointed to by data.

	   Note that A_GETPINFO can fail if the terminal ID contains a network address longer than
	   32 bits. In this case, the A_GETPINFO_ADDR command should be used.

       A_GETPINFO_ADDR

	   Returns the audit ID, preselection mask, terminal ID and audit session ID of the spec-
	   ified process in the auditpinfo_addr structure pointed to by data.

       A_SETPMASK

	   Set	the  preselection  mask of the specified process. The data argument points to the
	   auditpinfo structure containing the process ID and the preselection	mask.  The  other
	   fields of the structure are ignored and should be set to NULL.

       A_SETUMASK

	   Set	the  preselection  mask  for  all processes with the specified audit ID. The data
	   argument points to the auditinfo structure containing the audit ID and  the	preselec-
	   tion mask. The other fields of the structure are ignored and should be set to NULL.

       A_SETSMASK

	   Set	the  preselection mask for all processes with the specified audit session ID. The
	   data argument points to the auditinfo structure containing the audit  session  ID  and
	   the preselection mask. The other fields of the structure are ignored and should be set
	   to NULL.

       A_GETQCTRL

	   Return the kernel audit queue control parameters. These control the high and low water
	   marks  of  the number of audit records allowed in the audit queue. The high water mark
	   is the maximum allowed number of undelivered audit records. The low water mark  deter-
	   mines  when	threads  blocked on the queue are wakened. Another parameter controls the
	   size of the data buffer used to write data to the audit trail. There is also a parame-
	   ter that specifies the maximum delay before an attempt is made to write data to the
	   audit trail. The audit queue parameters are returned in the au_qctrl structure pointed
	   to by data.

       A_SETQCTRL

	   Set	the  kernel  audit  queue control parameters as described above in the A_GETQCTRL
	   command. The data argument points to the au_qctrl structure containing the audit queue
	   control  parameters.  The default and maximum values 'A/B' for the audit queue control
	   parameters are:

	   high water		 100/10000 (audit records)

	   low water		 10/1024 (audit records)

	   output buffer size	 1024/1048576 (bytes)

	   delay		 20/20000 (hundredths second)

       A_GETCWD

	   Return the current working directory as kept by the audit subsystem. This  is  a  path
	   anchored on the real root, rather than on the active root. The data argument points to
	   a buffer into which the path is copied. The length argument is the length of the  buf-
	   fer.

       A_GETCAR

	   Return  the	current active root as kept by the audit subsystem. This path can be used
	   to anchor an absolute path for a path token generated  by  an  application.	The  data
	   argument  points to a buffer into which the path is copied. The length argument is the
	   length of the buffer.

       A_GETSTAT

	   Return the system audit statistics in the audit_stat structure pointed to by data.

       A_SETSTAT

	   Reset system audit statistics values. The kernel statistics value is reset if the cor-
	   responding  field  in  the  statistics  structure  pointed  to by the data argument is
	   CLEAR_VAL. Otherwise, the value is not changed.

       A_GETPOLICY

	   Return the audit policy flags in the integer pointed to by data.

       A_SETPOLICY

	   Set the audit policy flags to the values in the integer pointed to by data.	The  fol-
	   lowing policy flags are recognized:

	   AUDIT_CNT

	       Do  not	suspend processes when audit storage is full or inaccessible. The default
	       action is to suspend processes until storage becomes available.

	   AUDIT_AHLT

	       Halt the machine when a non-attributable audit record cannot be delivered. The
	       default action is to count the number of events that could not be recorded.

	   AUDIT_ARGV

	       Include	in  the audit record the argument list for a member of the exec(2) family
	       of functions. The default action is not to include this information.

	   AUDIT_ARGE

	       Include the environment variables for the execv(2) function in the  audit  record.
	       The default action is not to include this information.

	   AUDIT_SEQ

	       Add  a  sequence  token to each audit record. The default action is not to include
	       it.

	   AUDIT_TRAIL

	       Append a trailer token to each audit record. The default action is not to  include
	       it.

	   AUDIT_GROUP

	       Include	the supplementary groups list in audit records. The default action is not
	       to include it.

	   AUDIT_PATH

	       Include secondary paths in audit records. Examples of secondary paths are  dynami-
	       cally  loaded  shared  library  modules	and the command shell path for executable
	       scripts. The default action is to include only the primary path	from  the  system
	       call.

	   AUDIT_WINDATA_DOWN

	       Include	in an audit record any downgraded data moved between windows. This policy
	       is available only if the system is configured with Trusted Extensions. By default,
	       this information is not included.

	   AUDIT_WINDATA_UP

	       Include in an audit record any upgraded data moved between windows. This policy is
	       available only if the system is configured with Trusted	Extensions.  By  default,
	       this information is not included.

	   AUDIT_PERZONE

	       Enable  auditing for each local zone. If not set, audit records from all zones are
	       collected in a single log accessible in the  global  zone  and  certain	auditcon-
	       fig(1M)	operations  are  disallowed.  This policy can be set only from the global
	       zone.

	   AUDIT_ZONENAME

	       Generate a zone ID token with each audit record.

RETURN VALUES
       Upon successful completion, auditon() returns 0. Otherwise, -1 is returned  and	errno  is
       set to indicate the error.

ERRORS
       The auditon() function will fail if:

       E2BIG	 The length field for the command was too small to hold the returned value.

       EFAULT	 The copy of data to/from the kernel failed.

       EINVAL	 One  of  the arguments was illegal, BSM has not been installed, or the operation
		 is not valid from a local zone.

       EPERM	 The {PRIV_SYS_AUDIT} privilege is not asserted in the effective set of the call-
		 ing process.

		 Neither  the {PRIV_PROC_AUDIT} nor the {PRIV_SYS_AUDIT} privilege is asserted in
		 the effective set of the calling process and the command  is  one  of	A_GETCAR,
		 A_GETCLASS, A_GETCOND, A_GETCWD, A_GETPINFO, A_GETPOLICY.

USAGE
       The auditon() function can be invoked only by processes with appropriate privileges.

       The  use  of  auditon() to change system audit state is permitted only in the global zone.
       From any other zone auditon() returns -1 with errno set to EPERM. The following	auditon()
       commands  are  permitted  only  in  the	global	zone:  A_SETCOND, A_SETCLASS, A_SETKMASK,
       A_SETQCTRL, A_SETSTAT, A_SETFSIZE, and A_SETPOLICY. All other auditon() commands are valid
       from any zone.
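
EXAMPLES
       Added example, not part of the original man page: a read-only check that queries
       A_GETCOND and A_GETPOLICY and reports settings that reduce audit coverage. The
       names review_audit() and F_* are hypothetical, the constants in the #else branch
       are constructed stand-ins for building off Solaris, and treating AUDIT_CNT set or
       AUDIT_ARGV clear as a finding is this example's own choice, not a rule from the page.

```c
#include <stdio.h>
#ifdef __sun
#include <sys/param.h>
#include <bsm/libbsm.h>
#else
/* Off Solaris: stand-in constants so the logic builds and can be exercised.
 * The numeric values are constructed for this example, not the header's. */
enum { AUC_AUDITING = 1, AUC_NOAUDIT, AUC_NOSPACE, AUC_DISABLED };
enum { AUDIT_CNT = 0x1, AUDIT_ARGV = 0x4 };
#endif

/* Finding bits (hypothetical names used only by this example). */
#define F_NOT_AUDITING 0x1u /* condition is anything but AUC_AUDITING */
#define F_NO_SPACE     0x2u /* AUC_NOSPACE: blocked, audit partition full */
#define F_CNT_SET      0x4u /* AUDIT_CNT: no suspend when storage is full */
#define F_NO_ARGV      0x8u /* AUDIT_ARGV clear: exec arguments not recorded */

/* Map an A_GETCOND value and A_GETPOLICY flags to a set of findings. */
unsigned review_audit(int cond, int policy)
{
    unsigned f = 0;
    if (cond != AUC_AUDITING)   f |= F_NOT_AUDITING;
    if (cond == AUC_NOSPACE)    f |= F_NO_SPACE;
    if (policy & AUDIT_CNT)     f |= F_CNT_SET;
    if (!(policy & AUDIT_ARGV)) f |= F_NO_ARGV;
    return f;
}

int main(void)
{
    int cond = AUC_NOAUDIT, policy = AUDIT_CNT; /* constructed sample input */
#ifdef __sun
    /* Read-only queries; EPERM here means neither PRIV_PROC_AUDIT nor
     * PRIV_SYS_AUDIT is in the effective set; EINVAL can mean BSM is not installed. */
    if (auditon(A_GETCOND, (caddr_t)&cond, sizeof (cond)) != 0 ||
        auditon(A_GETPOLICY, (caddr_t)&policy, sizeof (policy)) != 0) {
        perror("auditon");
        return 2;
    }
#endif
    unsigned f = review_audit(cond, policy);
    if (f & F_NOT_AUDITING) puts("audit record generation is not on");
    if (f & F_NO_SPACE)     puts("auditing blocked: audit partition out of space");
    if (f & F_CNT_SET)      puts("AUDIT_CNT set: processes are not suspended when storage is full");
    if (f & F_NO_ARGV)      puts("AUDIT_ARGV clear: exec argument lists are not recorded");
    return f ? 1 : 0;
}
```

       On Solaris, build with the link line from the SYNOPSIS; the exit status is 0 when
       no finding is raised, 1 when at least one is, and 2 when auditon() fails.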

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Committed 		   |
       +-----------------------------+-----------------------------+
       |MT-Level		     |MT-Safe			   |
       +-----------------------------+-----------------------------+

SEE ALSO
       auditconfig(1M),  auditd(1M), bsmconv(1M), audit(2), exec(2), audit.log(4), attributes(5),
       privileges(5)

NOTES
       The functionality described in this man page is available only if the Solaris Auditing has
       been enabled. See bsmconv(1M) for more information.

       The  auditon  options that modify or display process-based information are not affected by
       the "perzone" audit policy. Those that modify system audit data such as	the  terminal  ID
       and  audit  queue parameters are valid only in the global zone unless the "perzone" policy
       is set. The "get" options for system audit data reflect the local  zone	if  "perzone"  is
       set; otherwise they reflect the settings of the global zone.

SunOS 5.11				   20 May 2008				       auditon(2)

