Auditing brings a number of utilities to the Trusted Solaris operating environment. The utilities are listed here in four tables that are ordered by man page section number. Each table gives utility names and a short description of the task performed by each utility. The fifth table gives the file system security attributes of files in the auditing subsystem.

Table C–1 Section 1M — Maintenance Commands

| Command | Task |
|---|---|
| | Control the audit daemon |
| | Initialize the audit subsystem |
| | Run the audit daemon warning script |
| | Configure auditing |
| | Control audit trail files |
| | Merge and select audit records from audit trail files |
| | Display kernel audit statistics |
| | Print contents of an audit trail file |
| /etc/init.d/audit stop | Halt auditing [ a script; see init.d(4) ] |
| /etc/init.d/audit start | Restart auditing [ a script; see init.d(4) ] |

Table C–2 Section 2 — System Calls

| System Call | System Parameter | Task |
|---|---|---|
| | | Write a record to the audit log |
| | | Manipulate auditing: |
| | A_GETPOLICY | Get audit policy flags |
| | A_SETPOLICY | Set audit policy flags |
| | A_GETKMASK | Get asynchronous audit event preselection mask |
| | A_SETKMASK | Set asynchronous audit event preselection mask |
| | A_GETQCTRL | Get the kernel audit queue control parameters |
| | A_SETQCTRL | Set the kernel audit queue control parameters |
| | A_GETSTAT | Get the audit system statistics |
| | A_SETSTAT | Reset the audit system statistics |
| | A_GETCOND | Determine if auditing is on/off/disabled |
| | A_SETCOND | Set auditing to on/off |
| | A_GETFSIZE | Get the size limit for an audit trail file |
| | A_GETCLASS | Return the event to class mapping for the designated event |
| | A_SETCLASS | Set the event to class mapping for the designated audit event |
| | A_GETPINFO | Get the audit information for the specified process |
| | A_SETPMASK | Set the preselection mask for a specified process |
| | A_SETUMASK | Set the process mask for all processes of a specified audit ID |
| | A_SETSMASK | Set the process mask for all processes of a specified session ID |
| | A_GETCWD | Get the current working directory for this process |
| | A_GETCAR | Get the current active root for this process |
| | | Write audit log to specified file descriptor |
| | | Get process audit information |
| | | Set process audit information |
| | | Get user audit identity |
| | | Set user audit identity |

Table C–3 Section 3 — C Library Functions

| Library Call | Task |
|---|---|
| | Preselect an audit event |
| | Get user's binary preselection mask |
| getacdir(3BSM), getacmin(3BSM), getacflg(3BSM), getacna(3BSM), setac(3BSM), endac(3BSM) | Get audit_control(4) file information |
| getauclassnam(3BSM), getauclassnam_r(3BSM), getauclassent(3BSM), getauclassent_r(3BSM), setauclass(3BSM), endauclass(3BSM) | Get audit_class(4) entries |
| | Convert audit flag specifications |
| getauevent(3BSM), getauevent_r(3BSM), getauevnam(3BSM), getauevnam_r(3BSM), getauevnum(3BSM), getauevnum_r(3BSM), getauevnonam(3BSM), setauevent(3BSM), endauevent(3BSM) | Get audit_event(4) entries |
| getauusernam(3BSM), getauuserent(3BSM), setauuser(3BSM), endauuser(3BSM) | Get audit_user(4) entries |
| | Generate the process audit state |

Table C–4 Section 4 — Headers, Tables, and Macros

| Files | Task |
|---|---|
| | Gives format for an audit trail file |
| | Gives audit class definitions |
| | Controls information for system audit daemon |
| | Holds current information on the audit daemon |
| | Holds audit event definition and class mapping |
| | Holds per-user auditing information |

Table C–5 File System Security Attributes for the Audit Subsystem

| Name | Label | DAC | Owner | Group |
|---|---|---|---|---|
| | [ADMIN_LOW] | 555 | bin | bin |
| /etc/init.d/audit* | [ADMIN_LOW] | 400 | root | sys |
| | [ADMIN_LOW] | 640 | root | sys |
| | [ADMIN_LOW] | 750 | root | sys |
| | [ADMIN_HIGH] | 400 | root | root |
| | [ADMIN_LOW] | 400 | root | sys |
| | [ADMIN_LOW] | 400 | root | sys |
| | [ADMIN_HIGH] | 660 | root | root |
| | [ADMIN_LOW] | 400 | root | sys |
| | [ADMIN_LOW] | 400 | root | sys |