Man Pages (1MTSOL): Maintenance and Administration Commands

NAME

auditconfig - Configure auditing

SYNOPSIS

auditconfig [ args ]

AVAILABILITY

SUNWcsu

DESCRIPTION

auditconfig provides a command-line interface to get and set kernel audit parameters.

OPTIONS

-chkconf
Check the configuration of kernel audit event-to-class mappings. If the runtime class mask of a kernel audit event does not match the configured class mask, a mismatch is reported.
-conf
Configure kernel audit event-to-class mappings. Runtime class mappings are changed to match those in the audit event-to-class database file.
-getcond
Display the kernel audit condition. The condition displayed is a literal string: auditing means that auditing is enabled and turned on (the kernel audit module is constructing and queuing audit records); noaudit means that auditing is enabled but turned off (the kernel audit module is not constructing and queuing audit records); disabled means that the audit module has not been enabled. See auditon(2TSOL) and auditd(1MTSOL) for further information.
-setcond [auditing|noaudit]
Set the kernel audit condition to the condition specified by a literal string: auditing means that auditing should be enabled; noaudit means that auditing should be disabled.
-getclass event
Display the preselection mask associated with the specified kernel audit event. event is the kernel event number or event name.
-setclass event audit_flag[,audit_flag . . . ]
Map the kernel event event to the classes specified by audit_flags. event is an event number or name. An audit_flag is a two-character string representing an audit class. See audit_control(4TSOL) for further information.
-getkmask
Display the kernel preselection mask for nonattributable events.
-setkmask [ + | - ]audit_flag [ ,audit_flag ... ]
Set the kernel preselection mask for nonattributable audit events to the classes specified by audit_flags. An audit_flag is a two-character string representing an audit class. The minus (-) modifier indicates that failure events in the represented class are audited. The plus (+) modifier indicates that success events in the represented class are audited. No modifier indicates that both success and failure events in the represented class are audited. See audit_control(4TSOL) for further information.
-setkmaskac
Set the kernel preselection mask for nonattributable audit events to the classes defined by the naflags field of the audit_control(4TSOL) file.
-lsevent
Display the currently configured (runtime) kernel and user-level audit-event information.
-getpinfo pid
Display the audit ID, preselection mask, terminal ID, and audit session ID for the specified process.
-setpmask pid flags
Set the preselection mask of the specified process. flags is the ASCII representation of the flags similar to that in audit_control(4TSOL).
-setsmask asid flags
Set the preselection mask of all processes with the specified audit session ID.
-setumask auid flags
Set the preselection mask of all processes with the specified audit ID.
-lspolicy
Display the kernel audit policies with a description of each policy.
-getpolicy
Display the kernel audit policy.
-setpolicy [ + | - ]policy_flag [ ,policy_flag ... ]
Set the kernel audit policy. A policy_flag is a literal string that denotes an audit policy. A prefix of plus (+) adds the policies specified to the current audit policies. A prefix of minus (-) removes the policies specified from the current audit policies. The next section lists and describes the valid policy-flag strings (listed by auditconfig -lspolicy).
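As an added illustration (not code from Trusted Solaris or from this man page), the following Python models the audit_flag modifier semantics used by -setkmask, -setpmask, -setsmask and -setumask, and the + / - handling of -setpolicy. The class-to-bit table is constructed for the example (a real system reads /etc/security/audit_class), and the no-prefix form of -setpolicy is assumed to replace the current policy set, which the page does not state.

```python
"""Model of auditconfig flag semantics (added example, not Trusted Solaris code).
Class bits below are constructed; real values live in audit_class(4TSOL)."""

# Constructed sample of audit_class(4TSOL): two-character class -> mask bit.
AUDIT_CLASSES = {"fr": 0x1, "fw": 0x2, "fm": 0x4, "lo": 0x1000, "ex": 0x40000000}

# Policy flags listed by auditconfig -lspolicy on this page.
POLICY_FLAGS = {"acl", "ahlt", "arge", "argv", "cnt", "group", "ilabel", "slabel",
                "passwd", "path", "trail", "seq", "windata_down", "windata_up"}


def parse_flags(flags):
    """Turn an audit_flag list such as "+lo,-fm,ex" into a (success, failure)
    mask pair: '+' audits successes only, '-' failures only, no modifier both."""
    success = failure = 0
    for item in filter(None, (f.strip() for f in flags.split(","))):
        modifier, name = (item[0], item[1:]) if item[0] in "+-" else ("", item)
        if name not in AUDIT_CLASSES:
            raise ValueError("unknown audit class: %r" % name)
        if modifier != "-":
            success |= AUDIT_CLASSES[name]
        if modifier != "+":
            failure |= AUDIT_CLASSES[name]
    return success, failure


def event_selected(event_classes, succeeded, mask):
    """Would an event mapped (via -setclass) to event_classes be recorded under
    the given (success, failure) preselection mask, given the call's outcome?"""
    event_mask = 0
    for name in event_classes:
        event_mask |= AUDIT_CLASSES[name]
    success, failure = mask
    return bool(event_mask & (success if succeeded else failure))


def apply_setpolicy(current, arg):
    """Policy set after 'auditconfig -setpolicy arg': '+' adds, '-' removes.
    No prefix is assumed to replace the set (the page defines only + and -)."""
    modifier = arg[0] if arg[0] in "+-" else ""
    names = set(arg.lstrip("+-").split(","))
    unknown = names - POLICY_FLAGS
    if unknown:
        raise ValueError("unknown policy flag(s): %s" % ", ".join(sorted(unknown)))
    if modifier == "+":
        return set(current) | names
    if modifier == "-":
        return set(current) - names
    return names
```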

Policy Flags

acl
Include in the audit data an ACL attribute for each object accessed. Note that regardless of policy, if there is no ACL associated with an object, an attribute will not be generated. This information is not included by default.
ahlt
Halt the machine if an asynchronous audit event occurs that cannot be delivered because the audit queue has reached the high-water mark or because there are insufficient resources to construct an audit record. By default, records are dropped and a count is kept of the number of dropped records.
arge
Include the execv(2TSOL) system call environment arguments in the audit record. This information is not included by default.
argv
Include the execv(2TSOL) system call parameter arguments in the audit record. This information is not included by default.
cnt
Do not suspend processes when audit resources are exhausted. Instead, drop audit records and keep a count of the number of records dropped. By default, processes are suspended until audit resources become available.
group
Include the supplementary group token in audit records. By default, the group token is not included.
ilabel
Include ilabels in audit records. However, if ilabels are not enabled on this system, ilabels will not be generated regardless of this flag. This information is not included by default.
slabel
Include slabels in audit records. This information is included by default.
passwd
Include as part of the audit record any bad authentication data encountered during a login operation. The default action is not to include the password in the audit record.
path
Add secondary path tokens to audit record. These are typically the path names of dynamically linked, shared libraries or command interpreters for shell scripts. By default, they are not included.
trail
Include the trailer token in every audit record. By default, the trailer token is not included.
seq
Include the sequence token as part of every audit record. By default, the sequence token is not included. The sequence token attaches a sequence number to every audit record.
windata_down
Include in an audit record any downgraded data moved between windows. By default, this information is not included.
windata_up
Include in an audit record any upgraded data moved between windows. By default, this information is not included.

EXAMPLES

# map kernel audit event number 10 to the "fr" audit class
#
% auditconfig -setclass 10 fr

# turn on inclusion of exec arguments in exec audit records
#
% auditconfig -setpolicy +argv

RETURN VALUES

Upon success, auditconfig returns 0. Upon failure, auditconfig returns 1.

SUMMARY OF TRUSTED SOLARIS CHANGES

By default, the audit module is enabled in the Trusted Solaris environment. By default, the machine halts when audit files run out of disk space. The Trusted Solaris environment adds programming interfaces, audit classes, and audit events.

These policy flags have been added to the Trusted Solaris auditing module: acl, ahlt, ilabel, slabel, passwd, windata_down, and windata_up.

FILES

/etc/security/audit_event
/etc/security/audit_class

SEE ALSO

auditd(1MTSOL), praudit(1MTSOL), auditon(2TSOL), execv(2TSOL), audit_class(4TSOL), audit_control(4TSOL), audit_event(4TSOL)

NOTES

This functionality is active only if the audit module has been enabled. By default, auditing is enabled in the Trusted Solaris environment. See Trusted Solaris Audit Administration Manual for how to disable and enable auditing.