man Pages(2): System Calls

NAME

auditon - manipulate auditing

SYNOPSIS

cc [ flag . . . ] file . . . -lbsm -lsocket -lnsl -lintl [ library . . . ]
#include <sys/param.h>
#include <bsm/audit.h>

int auditon(int cmd, caddr_t data, int length);

DESCRIPTION

The auditon( ) system call performs various audit subsystem control operations. The cmd argument designates the particular audit control command. The data argument is a pointer to command-specific data. The length argument is the length in bytes of the command-specific data.
The auditon( ) system call may be invoked only by processes with super-user privileges.
The following commands are supported:
A_GETCOND
Returns the system audit on/off/disabled condition in the integer long pointed to by data. The following values may be returned:
AUC_AUDITING
Auditing has been turned on.
AUC_NOAUDIT
Auditing has been turned off.
AUC_DISABLED
Auditing package installed, not turned on.
A_SETCOND
Sets the system's audit on/off condition to the value in the integer long pointed to by data. The BSM audit module must be enabled by bsmconv(1M) before auditing can be turned on. The following audit states may be set:
AUC_AUDITING
Turns on audit record generation.
AUC_NOAUDIT
Turns off audit record generation.
A_GETCLASS
Returns the event to class mapping for the designated audit event. The data argument points to the au_evclass_map structure containing the event number. The preselection class mask is returned in the same structure.
A_SETCLASS
Sets the event class preselection mask for the designated audit event. The data argument points to the au_evclass_map structure containing the event number and class mask.
A_GETKMASK
Returns the kernel preselection mask in the au_mask structure pointed to by data. This is the mask used to preselect non-attributable audit events.
A_SETKMASK
Sets the kernel preselection mask. The data argument points to the au_mask structure containing the class mask. This is the mask used to preselect non-attributable audit events.
A_GETPINFO
Returns the audit ID, preselection mask, terminal ID and audit session ID of the specified process in the auditpinfo structure pointed to by data.
A_SETPMASK
Sets the preselection mask of the specified process. The data argument points to the auditpinfo structure containing the process ID and the preselection mask. The other fields of the structure are ignored and should be set to NULL.

A_SETUMASK
Sets the preselection mask for all processes with the specified audit ID. The data argument points to the auditinfo structure containing the audit ID and the preselection mask. The other fields of the structure are ignored and should be set to NULL.
A_SETSMASK
Sets the preselection mask for all processes with the specified audit session ID. The data argument points to the auditinfo structure containing the audit session ID and the preselection mask. The other fields of the structure are ignored and should be set to NULL.
A_GETQCTRL
Returns the kernel audit queue control parameters. These control the high and low water marks of the number of audit records allowed in the audit queue. The high water mark is the maximum allowed number of undelivered audit records. The low water mark determines when threads blocked on the queue are wakened. Another parameter controls the size of the data buffer used by auditsvc(2) to write data to the audit trail. There is also a parameter that specifies the maximum delay before an attempt is made to write data to the audit trail. The audit queue parameters are returned in the au_qctrl structure pointed to by data.
A_SETQCTRL
Sets the kernel audit queue control parameters as described above in the A_GETQCTRL command. The data argument points to the au_qctrl structure containing the audit queue control parameters. The default and maximum values 'A/B' for the audit queue control parameters are:
high water
100/10000 (audit records)
low water
10/1024 (audit records)
output buffer size
1024/1048576 (bytes)
delay
20/20000 (hundredths second)
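As an added example (not code from this man page or from Solaris), the following C checks a requested set of queue control parameters against the default/maximum table above before handing them to A_SETQCTRL, so that a bad request is rejected locally instead of relying on the kernel's EINVAL. The field names of au_qctrl_t (aq_hiwater, aq_lowater, aq_bufsz, aq_delay) and the rule that the low water mark must lie below the high water mark are assumptions of the example; the auditon( ) calls are compiled only on Solaris (__sun), since the check itself needs no BSM headers.

```c
/* Added example, not from the auditon(2) man page or the Solaris sources.
 * Validates audit queue control parameters against the limits the page
 * documents for A_SETQCTRL, then (on Solaris only) applies them with a
 * read-modify-write of the live au_qctrl structure.
 * Assumptions: au_qctrl_t has fields aq_hiwater, aq_lowater, aq_bufsz,
 * aq_delay; the check lowater < hiwater is added here, not stated on the page. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

#ifdef __sun
#include <sys/param.h>
#include <bsm/audit.h>
#endif

/* Default / maximum values as listed on the page (A/B). */
enum {
    QC_HIWATER_DEF = 100,  QC_HIWATER_MAX = 10000,   /* audit records */
    QC_LOWATER_DEF = 10,   QC_LOWATER_MAX = 1024,    /* audit records */
    QC_BUFSZ_DEF   = 1024, QC_BUFSZ_MAX   = 1048576, /* bytes */
    QC_DELAY_DEF   = 20,   QC_DELAY_MAX   = 20000    /* hundredths of a second */
};

/* Result of qctrl_check(): QC_OK, or the first offending field. */
enum qc_err { QC_OK = 0, QC_BAD_HIWATER, QC_BAD_LOWATER, QC_BAD_ORDER,
              QC_BAD_BUFSZ, QC_BAD_DELAY };

/* Portable copy of the four parameters so the check needs no BSM headers. */
struct qctrl_req {
    long hiwater;  /* maximum number of undelivered audit records */
    long lowater;  /* blocked threads are woken below this count */
    long bufsz;    /* auditsvc(2) output buffer size, bytes */
    long delay;    /* maximum write delay, hundredths of a second */
};

void qctrl_defaults(struct qctrl_req *q)
{
    q->hiwater = QC_HIWATER_DEF; q->lowater = QC_LOWATER_DEF;
    q->bufsz = QC_BUFSZ_DEF;     q->delay = QC_DELAY_DEF;
}

enum qc_err qctrl_check(const struct qctrl_req *q)
{
    if (q->hiwater < 1 || q->hiwater > QC_HIWATER_MAX) return QC_BAD_HIWATER;
    if (q->lowater < 1 || q->lowater > QC_LOWATER_MAX) return QC_BAD_LOWATER;
    if (q->lowater >= q->hiwater)                      return QC_BAD_ORDER;
    if (q->bufsz < 1 || q->bufsz > QC_BUFSZ_MAX)       return QC_BAD_BUFSZ;
    if (q->delay < 1 || q->delay > QC_DELAY_MAX)       return QC_BAD_DELAY;
    return QC_OK;
}

/* Convenience wrapper for callers that have the four numbers in hand. */
enum qc_err qctrl_check_values(long hiwater, long lowater, long bufsz, long delay)
{
    struct qctrl_req q = { hiwater, lowater, bufsz, delay };
    return qctrl_check(&q);
}

const char *qctrl_errstr(enum qc_err e)
{
    static const char *msg[] = {
        "ok",
        "high water mark out of range (1..10000 records)",
        "low water mark out of range (1..1024 records)",
        "low water mark must be below high water mark",
        "output buffer size out of range (1..1048576 bytes)",
        "delay out of range (1..20000 hundredths of a second)",
    };
    return ((unsigned)e <= QC_BAD_DELAY) ? msg[e] : "unknown";
}

#ifdef __sun
/* Apply a checked request. Super-user only; auditon() sets errno on failure. */
int qctrl_apply(const struct qctrl_req *q)
{
    au_qctrl_t kq;
    enum qc_err e = qctrl_check(q);
    if (e != QC_OK) { fprintf(stderr, "%s\n", qctrl_errstr(e)); errno = EINVAL; return -1; }
    /* Read first so any field this example does not model is preserved. */
    if (auditon(A_GETQCTRL, (caddr_t)&kq, sizeof kq) < 0) return -1;
    kq.aq_hiwater = q->hiwater; kq.aq_lowater = q->lowater;  /* assumed field names */
    kq.aq_bufsz   = q->bufsz;   kq.aq_delay   = q->delay;
    return auditon(A_SETQCTRL, (caddr_t)&kq, sizeof kq);
}

int main(void)
{
    struct qctrl_req q;
    qctrl_defaults(&q);
    q.hiwater = 1000;   /* example value: deeper queue, still within the 10000 maximum */
    if (qctrl_apply(&q) < 0) { perror("auditon"); return 1; }
    return 0;
}
#endif
```

The check runs before the kernel sees the request, so a configuration tool built on it can report which parameter is wrong rather than a bare EINVAL; on Solaris the apply step reads the current structure first so nothing outside the four documented fields is clobbered.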
A_GETCWD
Returns the current working directory as kept by the audit subsystem. This is a path anchored on the real root, rather than on the active root. The data argument points to a buffer into which the path is copied. The length argument is the length of the buffer.
A_GETCAR
Returns the current active root as kept by the audit subsystem. This path may be used to anchor an absolute path for a path token generated by an application.
The data argument points to a buffer into which the path is copied. The length argument is the length of the buffer.
A_GETSTAT
Returns the system audit statistics in the audit_stat structure pointed to by data.

A_SETSTAT
Resets system audit statistics values. The kernel statistics value is reset if the corresponding field in the statistics structure pointed to by the data argument is CLEAR_VAL. Otherwise, the value is not changed.
A_SETFSIZE
Sets the maximum size of an audit trail file. When the audit file reaches the designated size, it is closed and a new file started. If the maximum size is unset, the audit trail file generated by auditsvc( ) will grow to the size of the file system. The data argument points to the au_fstat_t structure containing the maximum audit file size in bytes. The size cannot be set to less than 0x80000 bytes.
A_GETFSIZE
Returns the maximum audit file size and current file size in the au_fstat_t structure pointed to by the data argument.

A_GETPOLICY
Returns the audit policy flags in the integer long pointed to by data.
A_SETPOLICY
Sets the audit policy flags to the values in the integer long pointed to by data. The following policy flags are recognized:
AUDIT_CNT
Do not suspend processes when audit storage is full or inaccessible. The default action is to suspend processes until storage becomes available.
AUDIT_AHLT
Halt the machine when a non-attributable audit record cannot be delivered. The default action is to count the number of events that could not be recorded.
AUDIT_ARGV
Include the argument list for the exec(2) system call in the audit record. The default action is not to include this information.
AUDIT_ARGE
Include the environment variables for the execv(2) system call in the audit record. The default action is not to include this information.
AUDIT_SEQ
Add a sequence token to each audit record. The default action is not to include it.
AUDIT_TRAIL
Append a trailer token to each audit record. The default action is not to include it.
AUDIT_GROUP
Include the supplementary groups list in audit records. The default action is not to include it.
AUDIT_PATH
Include secondary paths in audit records. Examples of secondary paths are dynamically loaded shared library modules and the command shell path for executable scripts. The default action is to include only the primary path from the system call.
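The policy word returned by A_GETPOLICY is a bitmask of the flags above, and A_SETPOLICY replaces the whole word, so a tool that wants to turn on one flag must read, OR in the bit, and write back or it will silently clear everything else. The C below is an added example (not code from this man page or from Solaris) of that read-modify-write together with a decoder that prints the set flags by name. The lowercase names mirror those used by auditconfig(1M); the numeric bit values exist only in <bsm/audit.h>, so the portable decoder takes its name/bit table from the caller and the auditon( ) calls are compiled only on Solaris (__sun). The condition check before changing policy is the example's own precaution.

```c
/* Added example, not from the auditon(2) man page or the Solaris sources.
 * policy_describe() renders a policy word as flag names; policy_ensure()
 * (Solaris only) sets required bits with A_GETPOLICY / A_SETPOLICY while
 * preserving the flags already present. Flag bit values are taken from
 * <bsm/audit.h> on Solaris; elsewhere the caller supplies a table. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#ifdef __sun
#include <sys/param.h>
#include <bsm/audit.h>
#endif

struct policy_name { const char *name; uint32_t bit; };

/* Write the set bits of `flags` into `out` as a comma-separated list of names
 * from `tab`; bits not in the table are appended as a hex residue. Returns the
 * number of named flags present. `out` is always NUL-terminated; if it fills
 * up, the list is cut at the last name that fit. */
int policy_describe(uint32_t flags, const struct policy_name *tab, size_t n,
                    char *out, size_t outsz)
{
    size_t pos = 0, i;
    int matched = 0;
    uint32_t seen = 0;

    if (outsz == 0) return 0;
    out[0] = '\0';
    for (i = 0; i < n; i++) {
        int w;
        if (!(flags & tab[i].bit)) continue;
        w = snprintf(out + pos, outsz - pos, "%s%s", matched ? "," : "", tab[i].name);
        if (w < 0 || (size_t)w >= outsz - pos) break;   /* would truncate: stop */
        pos += (size_t)w;
        matched++;
        seen |= tab[i].bit;
    }
    if (flags & ~seen)
        snprintf(out + pos, outsz - pos, "%s0x%x",
                 matched ? "," : "", (unsigned)(flags & ~seen));
    return matched;
}

/* Bits demanded by local policy that the current word lacks. */
uint32_t policy_missing(uint32_t current, uint32_t required)
{
    return required & ~current;
}

#ifdef __sun
/* Names as auditconfig(1M) spells them; bit values from <bsm/audit.h>. */
static const struct policy_name solaris_policy[] = {
    { "cnt", AUDIT_CNT },     { "ahlt", AUDIT_AHLT }, { "argv", AUDIT_ARGV },
    { "arge", AUDIT_ARGE },   { "seq", AUDIT_SEQ },   { "trail", AUDIT_TRAIL },
    { "group", AUDIT_GROUP }, { "path", AUDIT_PATH },
};
#define NPOLICY (sizeof solaris_policy / sizeof solaris_policy[0])

/* Set every bit of `required` in the live policy, preserving the others.
 * Super-user only; returns auditon()'s result and leaves errno set. */
int policy_ensure(uint32_t required)
{
    long cur = 0;   /* the page: "the integer long pointed to by data" */
    if (auditon(A_GETPOLICY, (caddr_t)&cur, sizeof cur) < 0) return -1;
    if (policy_missing((uint32_t)cur, required) == 0) return 0;   /* nothing to do */
    cur |= required;
    return auditon(A_SETPOLICY, (caddr_t)&cur, sizeof cur);
}

int main(void)
{
    long cond = 0, cur = 0;
    char buf[128];

    /* Leave policy alone unless the audit module is enabled and turned on. */
    if (auditon(A_GETCOND, (caddr_t)&cond, sizeof cond) < 0) { perror("A_GETCOND"); return 1; }
    if (cond != AUC_AUDITING) { fprintf(stderr, "auditing is not turned on\n"); return 1; }

    if (auditon(A_GETPOLICY, (caddr_t)&cur, sizeof cur) < 0) { perror("A_GETPOLICY"); return 1; }
    policy_describe((uint32_t)cur, solaris_policy, NPOLICY, buf, sizeof buf);
    printf("current policy: %s\n", buf[0] ? buf : "(none)");

    /* Record exec argv and environment so process-creation records carry the command line. */
    if (policy_ensure(AUDIT_ARGV | AUDIT_ARGE) < 0) { perror("A_SETPOLICY"); return 1; }
    return 0;
}
#endif
```

Unknown bits are kept and shown as a hex residue rather than dropped, which matters on a system whose header defines flags this table does not list: the read-modify-write carries them through unchanged, and the printout makes them visible instead of hiding them.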

RETURN VALUES

auditon( ) returns:
0
On success.
-1
On failure, and sets errno to indicate the error.

ERRORS

EFAULT
The copy of data to/from the kernel failed.
EINVAL
One of the system call arguments was illegal.
EINVAL
BSM has not been installed.
EPERM
The process's effective user ID is not super-user.

SEE ALSO

auditconfig(1M), auditd(1M), bsmconv(1M), audit(2), auditsvc(2), exec(2), audit.log(4)

NOTES

The functionality described in this man page is available only if the Basic Security Module (BSM) has been enabled. See bsmconv(1M) for more information.