audcntl(2) [ultrix man page]

audcntl(2)							System Calls Manual							audcntl(2)

Name
       audcntl - audit control

Syntax
       #include <sys/audit.h>

       audcntl(request, argp, len, flag, audit_id)
       int request;
       char *argp;
       int len;
       int flag;
       audit_ID_t audit_id;

Description
       The audcntl system call provides control over options offered by the audit subsystem.  All requests, except where noted otherwise, are privileged.
       The following list describes the requests:

       GET_SYS_AMASK and SET_SYS_AMASK
	      The system auditmask determines which system events are logged.  GET_SYS_AMASK copies the system auditmask into a buffer pointed	at
	      by  argp.   SET_SYS_AMASK  copies  from a buffer pointed at by argp into the system auditmask.  Each of these operations returns the
	      number of bytes transferred between the user's buffer and the auditmask.	Len is the size of the user's buffer. The amount  of  data
	      moved between the auditmask and the user's buffer is the smaller of the auditmask size and the buffer size.

       GET_TRUSTED_AMASK and SET_TRUSTED_AMASK
	      The  trusted  auditmask  determines  which  trusted events are logged.  GET_TRUSTED_AMASK copies the trusted auditmask into a buffer
	      pointed at by argp.  SET_TRUSTED_AMASK copies from a buffer pointed at by argp into the trusted auditmask. Each of these	operations
	      returns  the  number  of	bytes transferred between the user's buffer and the auditmask.	Len is the size of the user's buffer.  The
	      amount of data moved between the auditmask and the user's buffer is the smaller of the auditmask size and the buffer size.

       GET_PROC_AMASK and SET_PROC_AMASK
	      The process auditmask determines (along with the system masks) which system events and trusted events are  logged  for  the  current
	      process.	 GET_PROC_AMASK  copies  the  process  auditmask  into	a buffer pointed at by argp.  The size of the process auditmask is
	      SYSCALL_MASK_LEN+TRUSTED_MASK_LEN, and contains a syscall mask followed by a trusted event mask.	SET_PROC_AMASK copies  the  values
	      from  a  buffer  pointed	at  by	argp  into the process auditmask. Each of these operations returns the number of bytes transferred
	      between the user's buffer and the auditmask.  Len is the size of the user's buffer. The amount of data moved between  the  auditmask
	      and the user's buffer is the smaller of the auditmask size and the buffer size.

       GET_PROC_ACNTL and SET_PROC_ACNTL
	      GET_PROC_ACNTL  returns  the  audit  control  flags (the audcntl byte) of the current process (see ).  Audit control flags determine
	      whether auditing for the process is on or off, and if on, how the auditmasks are combined.  A value of AUDIT_OFF indicates audit	is
	      off for that process.  A value of AUDIT_AND or AUDIT_OR indicates the process auditmask is logically AND'ed or OR'ed with the system
	      auditmask.  A value of AUDIT_USR indicates the process auditmask is  used  for  that  process;  the  system  auditmask  is  ignored.
	      SET_PROC_ACNTL assigns the values of the audit control flags from flag and returns the previous values of the flags.

       GET_AUDSWITCH and SET_AUDSWITCH
	      GET_AUDSWITCH  returns  the value of the system audit switch.  A return value of 1 indicates auditing is turned on.  A value of zero
	      indicates auditing is turned off.  SET_AUDSWITCH assigns the value of flag to the system audit switch and returns the previous audit
	      switch value.  A value of 1 turns auditing on.  A value of zero turns auditing off.

       FLUSH_AUD_BUF
	      Flushes the kernel audit buffer out to

       GETPAID and SETPAID
	      GETPAID  returns the audit ID of the calling process.  The GETPAID request does not require privilege.  SETPAID assigns the value of
	      audit_id to the process audit ID.  SETPAID is effective only if audit_id is greater than 0.

       GET_AUDSTYLE and SET_AUDSTYLE
	      The system auditing style supports two options to control how much additional information is recorded on exec operations.
	      GET_AUDSTYLE returns the current value of the system audstyle flag.  SET_AUDSTYLE sets the system audstyle flag to the value of flag, and
	      returns the previous value of the audstyle flag.	A flag value of AUD_EXEC_ARGP enables the auditing of  the  argument  list  to	an
	      execv  or  execve  syscall.   A  flag  value  of AUD_EXEC_ENVP enables the auditing of the environment strings to an execv or execve
	      syscall.	Flag values may be OR'ed together.
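
       The mask rules described above, modelled as an added example (not code from this manual page or from the ULTRIX sources): it shows how the audit control flag combines the system and process auditmasks, the smaller-of-two-sizes copy rule, and a review check for configurations under which a process logs nothing. The EX_ names, their numeric values and the 4-byte mask length are assumptions, since the real definitions are in <sys/audit.h>; the model also assumes that a system audit switch of 0 suppresses all logging.

```c
#include <stddef.h>
#include <string.h>

/* Assumed values for this sketch; the real ones come from <sys/audit.h>. */
enum ex_acntl { EX_AUDIT_OFF, EX_AUDIT_AND, EX_AUDIT_OR, EX_AUDIT_USR };
#define EX_MASK_LEN 4            /* constructed size, not SYSCALL_MASK_LEN */

/* Size rule of the GET_*_AMASK / SET_*_AMASK requests: move the smaller of
 * the two sizes and return the byte count.  A caller that gets back less
 * than the mask size has seen only a prefix of the mask. */
int ex_mask_copy(unsigned char *dst, size_t dst_len,
                 const unsigned char *src, size_t src_len)
{
    size_t n = dst_len < src_len ? dst_len : src_len;
    memcpy(dst, src, n);
    return (int)n;
}

/* Combine the system and process masks as the audit control flag directs.
 * Assumes a system audit switch of 0 suppresses everything.
 * Returns 0 on success, -1 for an unknown flag (out is then all zero). */
int ex_effective_mask(int audswitch, enum ex_acntl acntl,
                      const unsigned char *sys, const unsigned char *proc,
                      unsigned char *out)
{
    size_t i;
    memset(out, 0, EX_MASK_LEN);
    if (!audswitch || acntl == EX_AUDIT_OFF)
        return 0;
    for (i = 0; i < EX_MASK_LEN; i++) {
        switch (acntl) {
        case EX_AUDIT_AND: out[i] = sys[i] & proc[i]; break;
        case EX_AUDIT_OR:  out[i] = sys[i] | proc[i]; break;
        case EX_AUDIT_USR: out[i] = proc[i];          break;
        default:           return -1;
        }
    }
    return 0;
}

/* Review helper: 1 if this configuration logs nothing for the process,
 * 0 if at least one event is selected, -1 for an unknown flag. */
int ex_is_silent(int audswitch, enum ex_acntl acntl,
                 const unsigned char *sys, const unsigned char *proc)
{
    unsigned char eff[EX_MASK_LEN];
    size_t i;
    if (ex_effective_mask(audswitch, acntl, sys, proc, eff) != 0)
        return -1;
    for (i = 0; i < EX_MASK_LEN; i++)
        if (eff[i])
            return 0;
    return 1;
}
```

       With an all-zero process auditmask, AUDIT_AND and AUDIT_USR both yield an empty effective mask even when the system auditmask selects events, while AUDIT_OR still logs everything the system auditmask selects.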

Return Values
       The values returned for successful calls can be found under the description of the specific call request.

       If a call fails, a -1 is returned.

Diagnostics
       The call fails under the following conditions:

       [EFAULT]       The argp argument contains an invalid address.

       [EACCES]       The user does not have the privileges needed to perform this operation.

       [EINVAL]       The value of the len or request or audit_id argument is invalid.

       [EPERM]	      The user is not privileged to get or set the audit ID, or the user attempted to get the audit ID when it was not set.

       [EOPNOTSUPP]   The request argument contains an unsupported operation.

See Also
       Security Guide for Administrators
       Guide to Languages and Programming
