Linux Certif

Toute la documentation sur la certification Linux LPI

Rechercher une page de manuel

auditon

BSD mandoc

NAME

auditon - Configure system audit parameters

SYNOPSIS

In bsm/audit.h Ft int Fn auditon int cmd void *data u_int length

DESCRIPTION

The system call is used to manipulate various audit control operations. Ft *data should point to a structure whose type depends on the command. Ft length specifies the size of the data in bytes. Ft cmd may be any of the following:

A_SETPOLICY

Set audit policy flags. Ft *data must point to a long value set to one of the audit policy control values defined in audit.h Currently, only AUDIT_CNT and AUDIT_AHLT are implemented. In the AUDIT_CNT case, the action will continue regardless if an event will not be audited. In the AUDIT_AHLT case, a panic(9) will result if an event will not be written to the audit log file.

A_SETKAUDIT

Return Er ENOSYS .

A_SETKMASK

Set the kernel preselection masks (success and failure). Ft *data must point to a Ft au_mask_t structure containing the mask values. These masks are used for non-attributable audit event preselection.

A_SETQCTRL

Set kernel audit queue parameters. Ft *data must point to a Ft au_qctrl_t structure containing the kernel audit queue control settings: high water low water output buffer size percent min free disk space and delay (not currently used).

A_SETSTAT

Return Er ENOSYS .

A_SETUMASK

Return Er ENOSYS .

A_SETSMASK

Return Er ENOSYS .

A_SETCOND

Set the current auditing condition. Ft *data must point to a long value containing the new audit condition, one of AUC_AUDITING AUC_NOAUDIT or AUC_DISABLED

A_SETCLASS

Set the event class preselection mask for an audit event. Ft *data must point to a Ft au_evclass_map_t structure containing the audit event and mask.

A_SETPMASK

Set the preselection masks for a process. Ft *data must point to a Ft auditpinfo_t structure that contains the given process's audit preselection masks for both success and failure.

A_SETFSIZE

Set the maximum size of the audit log file. Ft *data must point to a Ft au_fstat_t structure with the Ft af_filesz field set to the maximum audit log file size. A value of 0 indicates no limit to the size.

A_SETKAUDIT

Return Er ENOSYS .

A_GETCLASS

Return the event to class mapping for the designated audit event. Ft *data must point to a Ft au_evclass_map_t structure.

A_GETKAUDIT

Return Er ENOSYS .

A_GETPINFO

Return the audit settings for a process. Ft *data must point to a Ft auditpinfo_t structure which will be set to contain the audit ID, preselection mask, terminal ID, and audit session ID of the given process.

A_GETPINFO_ADDR

Return Er ENOSYS .

A_GETKMASK

Return the current kernel preselection masks. Ft *data must point to a Ft au_mask_t structure which will be set to the current kernel preselection masks for non-attributable events.

A_GETPOLICY

Return the current audit policy setting. Ft *data must point to a long value which will be set to one of the current audit policy flags. Currently, only AUDIT_CNT and AUDIT_AHLT are implemented.

A_GETQCTRL

Return the current kernel audit queue control parameters. Ft *data must point to a Ft au_qctrl_t structure which will be set to the current kernel audit queue control parameters.

A_GETFSIZE

Returns the maximum size of the audit log file. Ft *data must point to a Ft au_fstat_t structure. The Ft af_filesz field will be set to the maximum audit log file size. A value of 0 indicates no limit to the size. The Ft af_currsz will be set to the current audit log file size.

A_GETCWD

Return Er ENOSYS .

A_GETCAR

Return Er ENOSYS .

A_GETSTAT

Return Er ENOSYS .

A_GETCOND

Return the current auditing condition. Ft *data must point to a long value which will be set to the current audit condition, either AUC_AUDITING or AUC_NOAUDIT

A_SENDTRIGGER

Send a trigger to the audit daemon. *data must point to a long value set to one of the acceptable trigger values: AUDIT_TRIGGER_LOW_SPACE (low disk space where the audit log resides), AUDIT_TRIGGER_OPEN_NEW (open a new audit log file), AUDIT_TRIGGER_READ_FILE (read the audit_control file), AUDIT_TRIGGER_CLOSE_AND_DIE (close the current log file and exit), or AUDIT_TRIGGER_NO_SPACE (no disk space left for audit log file).

RETURN VALUES

Rv -std

ERRORS

The Fn auditon function will fail if:

Bq Er ENOSYS

Returned by options not yet implemented.

Bq Er EFAULT

A failure occurred while data transferred to or from the kernel failed.

Bq Er EINVAL

Illegal argument was passed by a system call.

Bq Er EPERM

The process does not have sufficient permission to complete the operation.

The A_SENDTRIGGER command is specific to the Fx and Mac OS X implementations, and is not present in Solaris.

SEE ALSO

audit(2), auditctl(2), getauid(2), setauid(2), getaudit(2), setaudit(2), getaudit_addr2, setaudit_addr2, libbsm(3)

AUTHORS

This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.

The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems.

This manual page was written by An Tom Rhodes Aq trhodes@FreeBSD.org , An Robert Watson Aq rwatson@FreeBSD.org , and An Wayne Salamon Aq wsalamon@FreeBSD.org .

HISTORY

The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2003. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution.