Trusted Solaris Audit Administration

Appendix C Audit Reference

Auditing brings a number of additional utilities to the Trusted Solaris operating environment. The utilities are listed here in four sections, each of which has a table below. Each table gives utility names and a short description of the task performed by each utility. The sections are identified by the man page suffix. The fifth table gives the filesystem security attributes of files in the auditing subsystem.

Table C-1 Section 1M -- Maintenance Commands

Command                    Task
audit(1M)                  Control the audit daemon
audit_startup(1M)          Initialize the audit subsystem
audit_warn(1M)             Run the audit daemon warning script
auditconfig(1M)            Configure auditing
auditd(1M)                 Control audit trail files
auditreduce(1M)            Merge and select audit records from audit trail files
auditstat(1M)              Display kernel audit statistics
praudit(1M)                Print contents of an audit trail file
/etc/init.d/audit stop     Halt auditing [ a script; see init.d(4) ]
/etc/init.d/audit start    Restart auditing [ a script; see init.d(4) ]

Table C-2 Section 2 -- System Calls

System Call    System Parameter   Task
audit(2)                          Write a record to the audit log
auditon(2)                        Manipulate auditing:
               A_GETPOLICY        Get audit policy flags
               A_SETPOLICY        Set audit policy flags
               A_GETKMASK         Get asynchronous audit event preselection mask
               A_SETKMASK         Set asynchronous audit event preselection mask
               A_GETQCTRL         Get the kernel audit queue control parameters
               A_SETQCTRL         Set the kernel audit queue control parameters
               A_GETSTAT          Get the audit system statistics
               A_SETSTAT          Reset the audit system statistics
               A_GETCOND          Determine if auditing is on/off/disabled
               A_SETCOND          Set auditing to on/off
               A_GETFSIZE         Get the size limit for an audit trail file
               A_GETCLASS         Return the event to class mapping for the designated event
               A_SETCLASS         Set the event to class mapping for the designated audit event
               A_GETPINFO         Get the audit information for the specified process
               A_SETPMASK         Set the preselection mask for a specified process
               A_SETUMASK         Set the process mask for all processes of a specified audit ID
               A_SETSMASK         Set the process mask for all processes of a specified session ID
               A_GETCWD           Get the current working directory for this process
               A_GETCAR           Get the current active root for this process
auditsvc(2)                       Write audit log to specified file descriptor
getaudit(2)                       Get process audit information
setaudit(2)                       Set process audit information
getauid(2)                        Get user audit identity
setauid(2)                        Set user audit identity

Table C-3 Section 3 -- C Library Functions

Library Call                                         Task
au_preselect(3)                                      Preselect an audit event
au_user_mask(3)                                      Get user's binary preselection mask
getacdir(3), getacmin(3), getacflg(3), getacna(3),   Get audit_control(4) file information
  setac(3), endac(3)
getauclassnam(3), getauclassnam_r(3),                Get audit_class(4) entries
  getauclassent(3), getauclassent_r(3),
  setauclass(3), endauclass(3)
getauditflagsbin(3), getauditflagschar(3)            Convert audit flag specifications
getauevent(3), getauevent_r(3), getauevnam(3),       Get audit_event(4) entries
  getauevnam_r(3), getauevnum(3), getauevnum_r(3),
  getauevnonam(3), setauevent(3), endauevent(3)
getauusernam(3), getauuserent(3), setauuser(3),      Get audit_user(4) entries
  endauuser(3)
getfauditflags(3)                                    Generate the process audit state

Table C-4 Section 4 -- Headers, Tables, and Macros

Files               Task
audit.log(4)        Gives format for an audit trail file
audit_class(4)      Gives audit class definitions
audit_control(4)    Controls information for system audit daemon
audit_data(4)       Holds current information on the audit daemon
audit_event(4)      Holds audit event definition and class mapping
audit_user(4)       Holds per-user auditing information

Table C-5 Filesystem Security Attributes for the Audit Subsystem

Name                                    [SL]          DAC    Owner    Group
audit(1M), auditd(1M), auditconfig(1M), [ADMIN_LOW]   555    bin      bin
  auditstat(1M), auditreduce(1M),
  praudit(1M)
/etc/init.d/audit*                      [ADMIN_LOW]   400    root     sys
audit_warn(1M), audit_startup(1M)       [ADMIN_LOW]   640    root     sys
audit.log(4)                            [ADMIN_HIGH]  400    root     root
audit_class(4)                          [ADMIN_LOW]   400    root     sys
audit_control(4)                        [ADMIN_LOW]   400    root     sys
audit_data(4)                           [ADMIN_LOW]   660    root     root
audit_event(4)                          [ADMIN_LOW]   400    root     sys
audit_user(4)                           [ADMIN_LOW]   400    root     sys