audcntl(2) System Calls Manual audcntl(2)
Name
audcntl - audit control
Syntax
#include <sys/audit.h>
audcntl(request, argp, len, flag, audit_id)
int request;
char *argp;
int len;
int flag;
audit_ID_t audit_id;
Description
The system call provides control over options offered by the audit subsystem. All requests, except where noted otherwise, are privileged.
The following list describes the requests:
GET_SYS_AMASK and SET_SYS_AMASK
The system auditmask determines which system events are logged. GET_SYS_AMASK copies the system auditmask into a buffer pointed at
by argp. SET_SYS_AMASK copies from a buffer pointed at by argp into the system auditmask. Each of these operations returns the
number of bytes transferred between the user's buffer and the auditmask. Len is the size of the user's buffer. The amount of data
moved between the auditmask and the user's buffer is the smaller of the auditmask size and the buffer size.
GET_TRUSTED_AMASK and SET_TRUSTED_AMASK
The trusted auditmask determines which trusted events are logged. GET_TRUSTED_AMASK copies the trusted auditmask into a buffer
pointed at by argp. SET_TRUSTED_AMASK copies from a buffer pointed at by argp into the trusted auditmask. Each of these operations
returns the number of bytes transferred between the user's buffer and the auditmask. Len is the size of the user's buffer. The
amount of data moved between the auditmask and the user's buffer is the smaller of the auditmask size and the buffer size.
GET_PROC_AMASK and SET_PROC_AMASK
The process auditmask determines (along with the system masks) which system events and trusted events are logged for the current
process. GET_PROC_AMASK copies the process auditmask into a buffer pointed at by argp. The size of the process auditmask is
SYSCALL_MASK_LEN+TRUSTED_MASK_LEN, and contains a syscall mask followed by a trusted event mask. SET_PROC_AMASK copies the values
from a buffer pointed at by argp into the process auditmask. Each of these operations returns the number of bytes transferred
between the user's buffer and the auditmask. Len is the size of the user's buffer. The amount of data moved between the auditmask
and the user's buffer is the smaller of the auditmask size and the buffer size.
GET_PROC_ACNTL and SET_PROC_ACNTL
GET_PROC_ACNTL returns the audit control flags (the audcntl byte) of the current process (see ). Audit control flags determine
whether auditing for the process is on or off, and if on, how the auditmasks are combined. A value of AUDIT_OFF indicates audit is
off for that process. A value of AUDIT_AND or AUDIT_OR indicates the process auditmask is logically AND'ed or OR'ed with the system
auditmask. A value of AUDIT_USR indicates the process auditmask is used for that process; the system auditmask is ignored.
SET_PROC_ACNTL assigns the values of the audit control flags from flag and returns the previous values of the flags.
GET_AUDSWITCH and SET_AUDSWITCH
GET_AUDSWITCH returns the value of the system audit switch. A return value of 1 indicates auditing is turned on. A value of zero
indicates auditing is turned off. SET_AUDSWITCH assigns the value of flag to the system audit switch and returns the previous audit
switch value. A value of 1 turns auditing on. A value of zero turns auditing off.
FLUSH_AUD_BUF
Flushes the kernel audit buffer out to
GETPAID and SETPAID
GETPAID returns the audit ID of the calling process. The GETPAID request does not require privilege. SETPAID assigns the value of
audit_id to the process audit ID. SETPAID is effective only if audit_id is greater than 0.
GET_AUDSTYLE and SET_AUDSTYLE
The system auditing style supports two options to control how much additional information is recorded on exec operations. GET_AUD-
STYLE returns the current value of the system audstyle flag. SET_AUDSTYLE sets the system audstyle flag to the value of flag, and
returns the previous value of the audstyle flag. A flag value of AUD_EXEC_ARGP enables the auditing of the argument list to an
execv or execve syscall. A flag value of AUD_EXEC_ENVP enables the auditing of the environment strings to an execv or execve
syscall. Flag values may be OR'ed together.
Return Values
The values returned for successful calls can be found under the description of the specific call request.
If a call fails, a -1 is returned.
Diagnostics
The call fails under the following conditions:
[EFAULT] The argp argument contains an invalid address.
[EACCES] The user does not have the privileges needed to perform this operation.
[EINVAL] The value of the len or request or audit_id argument is invalid.
[EPERM] The user is not privileged to get or set the audit ID, or the user attempted to get the audit ID when it was not set.
[EOPNOTSUPP] The request argument contains an unsupported operation.
See Also
Security Guide for Administrators
Guide to Languages and Programming
audcntl(2)