auditconfig(1M)

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | EXIT STATUS | FILES | ATTRIBUTES | SUMMARY OF TRUSTED SOLARIS CHANGES | SEE ALSO

NAME

auditconfig– configure auditing

SYNOPSIS

auditconfig option…

DESCRIPTION

auditconfig provides a command line interface to get and set kernel audit parameters.

A process must have the PRIV_SYS_AUDIT, PRIV_PROC_AUDIT_TCB, or PRIV_PROC_AUDIT_APPL privilege in its set of effective privileges to use the -getasid, -getaudit, -getauid, -getcar, -getclass, -getcond, -getestate, -getpinfo, -getpolicy, -getcwd, and -gettid options.

A process must have the PRIV_SYS_AUDIT privilege in its set of effective privileges to use the -aconf, -audit, -chkaconf, -chkconf, -conf, -getfsize, -getkaudit, -getkmask, -getqbufsz, -getqctrl, -getqdelay, -getqhiwater, -getqlowater, -getstat, -setasid, -setaudit, -setauid, -setclass, -setcond, -setfsize, -setkaudit, -setkmask, -setpmask, -setpolicy, -setqbufsz, -setqctrl, -setqdelay, -setqhiwater, -setqlowater, -setsmask, -setstat, and -setumask options.

A process does not require privilege to use the -lsevent and -lspolicy options.

OPTIONS

-aconf

Sets the non-attributable audit mask from the audit_control(4) file. For example:

$ auditconfig -aconf Configured non-attributable events.

-audit event sorf retval string

Constructs an audit record for audit event event using the process's audit characteristics containing a text token string. The return token is constructed from the sorf (success/failure flag) and the retval (return value). The event is type char*, the sorf is 0/1 for success/failure, retval is an errno value, string is type *char. This command is useful for constructing an audit record with a shell script. An example of this option:

$ auditconfig -audit AUE_ftpd 0 0 "test string" $ audit record from audit trail: header,76,2,ftp access,,Fri Dec 08 08:44:02 2000, + 669 msec subject,abc,root,other,root,other,104449,102336,235 197121 elbow text,test string return,success,0

-chkaconf

Checks the configuration of the non-attributable events set in the kernel against the entries in audit_control(4). If the runtime class mask of a kernel audit event does not match the configured class mask, a mismatch is reported.

-chkconf

Checks the configuration of kernel audit event to class mappings. If the runtime class mask of a kernel audit event does not match the configured class mask, a mismatch is reported.

-conf

Configures kernel audit event to class mappings. Runtime class mappings are changed to match those in the audit event to class database file.

-getasid

Prints the audit session ID of the current process. For example:

$ auditconfig -getasid audit session id = 102336

-getaudit

Returns the audit characteristics of the current process. For example:

$ auditconfig -getaudit audit id = abc(666) process preselection mask = lo(0x1000,0x1000) terminal id (maj,min,host) = 235,197121,elbow(129.146.89.77) audit session id = 102336

-getauid

Prints the audit ID of the current process. For example:

$ auditconfig -getauid audit id = abc(666)

-getcar

Prints current active root location (anchored from root at system boot). For example:

$ auditconfig -getcar current active root = /

-getclass event

Displays the preselection mask associated with the specified kernel audit event. event is the kernel event number or event name.

-getcond

Displays the kernel audit condition. The condition displayed is the literal string auditing meaning auditing is enabled and turned on (the kernel audit module is constructing and queuing audit records) or noaudit meaning auditing is enabled but turned off (the kernel audit module is not constructing and queuing audit records), or disabled meaning that the audit module has not been enabled. See auditon(2) and auditd(1M) for further information.

-getestate event

For the specified event (string or event number), print out classes event has been assigned. For example:

$ auditconfig -getestate 20 audit class mask for event AUE_REBOOT(20) = 0x800 $ auditconfig -getestate AUE_RENAME audit class mask for event AUE_RENAME(42) = 0x30

-getfsize

Returns the maximum audit file size in bytes and the current size of the audit file in bytes.

-getkaudit

Gets audit characteristics of machine. For example:

$ auditconfig -getkaudit audit id = unknown(-2) process preselection mask = lo,na(0x1400,0x1400) terminal id (maj,min,host) = 0,0,(0.0.0.0) audit session id = 0

-getkmask

Gets non-attributable pre-selection mask for machine. For example:

$ auditconfig -getkmask audit flags for non-attributable events = lo,na(0x1400,0x1400)

-getpinfo pid

Displays the audit ID, preselection mask, terminal ID, and audit session ID for the specified process.

-getpolicy

Displays the kernel audit policy.

-getcwd

Prints current working directory (anchored from root at system boot). For example:

$ cd /usr/tmp $ auditconfig -getcwd current working directory = /var/tmp

-getqbufsz

Gets audit queue write buffer size. For example:

$ auditconfig -getqbufsz audit queue buffer size (bytes) = 1024

-getqctrl

Gets audit queue write buffer size, audit queue hiwater mark, audit queue lowater mark, audit queue prod interval (ticks).

$ auditconfig -getqctrl audit queue hiwater mark (records) = 100 audit queue lowater mark (records) = 10 audit queue buffer size (bytes) = 1024 audit queue delay (ticks) = 20

-getqdelay

Gets interval at which audit queue is prodded to start output. For example:

$ auditconfig -getqdelay audit queue delay (ticks) = 20

-getqhiwater

Gets high water point in undelivered audit records when audit generation will block. For example:

$ ./auditconfig -getqhiwater audit queue hiwater mark (records) = 100

-getqlowater

Gets low water point in undelivered audit records where blocked processes will resume. For example:

$ auditconfig -getqlowater audit queue lowater mark (records) = 10

-getstat

Prints current audit statistics information. For example:

$ auditconfig -getstat gen nona kern aud ctl enq wrtn wblk rblk drop tot mem 910 1 725 184 0 910 910 0 231 0 88 48

-gettid

Prints audit terminal ID for current process. For example:

$ auditconfig -gettid terminal id (maj,min,host) = 235,197121,elbow(129.146.89.77)

-lsevent

Displays the currently configured (runtime) kernel and user level audit event information.

-lspolicy

Displays the kernel audit policies with a description of each policy.

-setasid session-ID [cmd]

Executes shell or cmd with specified session-ID. For example:

$ ./auditconfig -setasid 2000 /bin/ksh $ $ ./auditconfig -getpinfo 104485 audit id = abc(666) process preselection mask = lo(0x1000,0x1000) terminal id (maj,min,host) = 235,197121,elbow(129.146.89.77) audit session id = 2000

-setaudit audit-ID preselect_flags term-ID session-ID [cmd]

Executes shell or cmd with the specified audit characteristics.

-setauid audit-ID [cmd]

Executes shell or cmd with the specified audit–ID.

-setclass event audit_flag[,audit_flag . . .]

Maps the kernel event event to the classes specified by audit_flags. event is an event number or name. An audit_flag is a two-character string representing an audit class. See audit_control(4) for further information.

-setcond [auditing|noaudit|nospace]

Sets the kernel audit condition to the condition specified where condition is the literal string auditing, indicating auditing should be enabled; noaudit, indicating auditing should be disabled; or nospace, which forces a no-space condition. (See -getcond, above.)

-setfsize size

Sets the maximum size of an audit file to size bytes. When the size limit is reached, the audit file is closed and another is started.

-setkaudit IP-address_type IP_address

Sets IP address of machine to specified values. IP-address_type is ipv6 or ipv4.

-setkmask audit_flags

Sets non-attributes selection flags of machine.

-setpmask pid flags

Sets the preselection mask of the specified process. flags is the text representation of the flags similar to that in audit_control(4).

-setpolicy[+|-]policy_flag[,policy_flag ...]

Sets the kernel audit policy. A policy policy_flag is literal strings that denotes an audit policy. A prefix of + adds the policies specified to the current audit policies. A prefix of - removes the policies specified from the current audit policies. The following are the valid policy flag strings ( auditconfig -lspolicy also lists the current valid audit policy flag strings):

all

Include all policies.

acl

Include in the audit data an ACL attribute for each object accessed. Note that regardless of policy, if there is no ACL associated with an object, an attribute will not be generated. This information is not included by default.

ahlt

Halt the machine if an asynchronous audit event occurs that cannot be delivered because the audit queue has reached the high-water mark or because there are insufficient resources to construct an audit record. By default, records are dropped and a count is kept of the number of dropped records.

arge

Include the execv(2) system call environment arguments to the audit record. This information is not included by default.

argv

Include the execv(2) system call parameter arguments to the audit record. This information is not included by default.

cnt

Do not suspend processes when audit resources are exhausted. Instead, drop audit records and keep a count of the number of records dropped. By default, process are suspended until audit resources become available.

group

Include the supplementary group token in audit records. By default, the group token is not included.

none

Include no policies.

slabel

Include slabels in audit records. This information is included by default.

passwd

Include as part of the audit record any bad authentication data encountered during a login operation. The default action is not to include the password in the audit record.

path

Add secondary path tokens to audit record. These are typically the pathnames of dynamically linked shared libraries or command interpreters for shell scripts. By default, they are not included.

trail

Include the trailer token in every audit record. By default, the trailer token is not included.

seq

Include the sequence token as part of every audit record. By default, the sequence token is not included. The sequence token attaches a sequence number to every audit record.

windata_down

Include in an audit record any downgraded data moved between windows. By default, this information is not included.

windata_up

Include in an audit record any upgraded data moved between windows. By default, this information is not included.

-setqbufsz buffer_size

Sets the audit queue write buffer size (bytes).

-setqctrl hiwater lowater bufsz interval

Sets the audit queue write buffer size (bytes), hiwater audit record count, lowater audit record count, and wakeup interval (ticks).

-setqdelay interval

Sets the audit queue wakeup interval (ticks). This determines the interval at which the kernel pokes the audit queue, to write audit records to the audit trail.

-setqhiwater hiwater

Sets the number of undelivered audit records in the audit queue at which audit record generation blocks.

-setqlowater lowater

Sets the number of undelivered audit records in the audit queue at which blocked auditing processes unblock.

-setsmask asid flags

Sets the preselection mask of all processes with the specified audit session ID.

-setstat

Resets audit statistics counters.

-setumask auid flags

Sets the preselection mask of all processes with the specified audit ID.

EXAMPLES

---

Example 1 A sample auditconfig program




# # map kernel audit event number 10 to the "fr" audit class # $ auditconfig -setclass 10 fr # # turn on inclusion of exec arguments in exec audit records # $ auditconfig -setpolicy +argv

---

EXIT STATUS

0

Successful completion.

1

An error occurred.

FILES

/etc/security/audit_event

Audit event definition and class mappings.

/etc/security/audit_class

Audit class definitions.

ATTRIBUTES

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWcsu

SUMMARY OF TRUSTED SOLARIS CHANGES

This functionality is active only if auditing is enabled. By default, auditing is enabled in the Trusted Solaris environment. By default, the machine halts when audit files run out of disk space. The Trusted Solaris environment adds programming interfaces, audit classes, and audit events.

The following policy flags have been added to the Trusted Solaris auditing module: acl, ahlt, slabel, passwd, windata_down, and windata_up.

Most options to the auditconfig command require that a process have one of the following privileges in its set of effective privileges: PRIV_SYS_AUDIT, PRIV_PROC_AUDIT_TCB, and PRIV_PROC_AUDIT_APPL. See the DESCRIPTION section for the privilege that each option requires. The -lsevent and -lspolicy options do not require privilege to succeed.

SEE ALSO

Trusted Solaris 8 HW 12/02 Reference Manual

auditd(1M), praudit(1M), auditon(2), execv(2), audit_class(4), audit_control(4), audit_event(4)

Trusted Solaris Audit Administration

SunOS 5.8 Reference Manual

attributes(5)

Trusted Solaris 8 HW 12/02  Last Revised 25 Oct 2002

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | EXIT STATUS | FILES | ATTRIBUTES | SUMMARY OF TRUSTED SOLARIS CHANGES | SEE ALSO