auditon(2)

NAME | SYNOPSIS | DESCRIPTION | RETURN VALUES | ERRORS | USAGE | SUMMARY OF TRUSTED SOLARIS CHANGES | SEE ALSO

NAME

auditon– manipulate auditing

SYNOPSIS

cc [flags…] file … -lbsm -lsocket -lnsl -lintl [library…]


#include <sys/param.h>
#include <bsm/audit.h>

int auditon(int cmd, caddr_t data, int length);

DESCRIPTION

The auditon() function performs various audit subsystem control operations. The cmd argument designates the particular audit control command. The data argument is a pointer to command-specific data. The length argument is the length in bytes of the command-specific data.

The following commands are supported:

A_GETCOND

Return the system audit on/off/disabled condition in the integer long pointed to by data. The following values may be returned:

AUC_AUDITING

Auditing has been turned on.

AUC_NOAUDIT

Auditing has been turned off.

AUC_DISABLED

Auditing package installed, not turned on.

A_SETCOND

Set the system's audit on/off condition to the value in the integer long to which data points. The following audit states may be set:

AUC_AUDITING

Turns on audit record generation.

AUC_NOAUDIT

Turns off audit record generation.

A_GETCLASS

Return the event to class mapping for the designated audit event. The data argument points to the au_evclass_map structure containing the event number. The preselection class mask is returned in the same structure.

A_SETCLASS

Set the event class preselection mask for the designated audit event. The data argument points to the au_evclass_map structure containing the event number and class mask.

A_GETKMASK

Return the kernel preselection mask in the au_mask structure pointed to by data. This is the mask used to preselect non-attributable audit events.

A_SETKMASK

Set the kernel preselection mask. The data argument points to the au_mask structure containing the class mask. This is the mask used to preselect non-attributable audit events.

A_GETPINFO

Return the audit ID, preselection mask, terminal ID and audit session ID of the specified process in the auditpinfo structure pointed to by data.

A_SETPMASK

Set the preselection mask of the specified process. The data argument points to the auditpinfo structure containing the process ID and the preselection mask. The other fields of the structure are ignored and should be set to NULL.

A_SETUMASK

Set the preselection mask for all processes with the specified audit ID. The data argument points to the auditinfo structure containing the audit ID and the preselection mask. The other fields of the structure are ignored and should be set to NULL.

A_SETSMASK

Set the preselection mask for all processes with the specified audit session ID. The data argument points to the auditinfo structure containing the audit session ID and the preselection mask. The other fields of the structure are ignored and should be set to NULL.

A_GETQCTRL

Return the kernel audit queue control parameters. These control the high and low water marks of the number of audit records allowed in the audit queue. The high water mark is the maximum allowed number of undelivered audit records. The low water mark determines when threads blocked on the queue are wakened. Another parameter controls the size of the data buffer used by auditsvc(2) to write data to the audit trail. There is also a parameter that specifies a maximum delay before data is attempted to be written to the audit trail. The audit queue parameters are returned in the au_qctrl structure pointed to by data.

A_SETQCTRL

Set the kernel audit queue control parameters as described above in the A_GETQCTRL command. The data argument points to the au_qctrl structure containing the audit queue control parameters. The default and maximum values 'A/B' for the audit queue control parameters are:

high water

100/10000 (audit records)

low water

10/1024 (audit records)

output buffer size

1024/1048576 (bytes)

delay

20/20000 (hundredths second)

A_GETCWD

Return the current working directory as kept by the audit subsystem. This is a path anchored on the real root, rather than on the active root. The data argument points to a buffer into which the path is copied. The length argument is the length of the buffer.

A_GETCAR

Return the current active root as kept by the audit subsystem. This path may be used to anchor an absolute path for a path token generated by an application. The data argument points to a buffer into which the path is copied. The length argument is the length of the buffer.

A_GETSTAT

Return the system audit statistics in the audit_stat structure pointed to by data.

A_SETSTAT

Reset system audit statistics values. The kernel statistics value is reset if the corresponding field in the statistics structure pointed to by the data argument is CLEAR_VAL. Otherwise, the value is not changed.

A_SETFSIZE

Set the maximum size of an audit trail file. When the audit file reaches the designated size, it is closed and a new file started. If the maximum size is unset, the audit trail file generated by auditsvc() will grow to the size of the file system. The data argument points to the au_fstat_t structure containing the maximum audit file size in bytes. The size can not be set less than 0x80000 bytes.

A_GETFSIZE

Return the maximum audit file size and current file size in the au_fstat_t structure pointed to by the data argument.

A_GETPOLICY

Return the audit policy flags in the integer long pointed to by data.

A_SETPOLICY

Set the audit policy flags to the values in the integer long pointed to by data.

A process must have PRIV_SYS_AUDIT, PRIV_PROC_AUDIT_TCB, or PRIV_PROC_AUDIT_APPL in its set of effective privileges in order to successfully execute these commands: A_GETCOND, A_GETCLASS, A_GETPINFO, A_GETCWD, A_GETCAR, and A_GETPOLICY.

A process must have PRIV_SYS_AUDIT in its set of effective privileges in order to successfully execute these commands: A_SETCOND, A_SETCLASS, A_GETKMASK, A_SETKMASK, A_SETPMASK, A_SETUMASK, A_SETSMASK, A_GETQCTRL, A_SETQCTRL, A_GETSTAT, A_SETSTAT, and A_SETPOLICY.

Policy Flags

AUDIT_ACL

Include in the audit data an ACL attribute for each object accessed. Note that regardless of policy, if there is no ACL associated with an object, an attribute will not be generated. This information is not included by default.

AUDIT_AHLT

Halt the machine if an asynchronous audit event occurs that cannot be delivered because the audit queue has reached the high-water mark or because there are insufficient resources to construct an audit record.

AUDIT_CNT

Do not suspend processes when audit storage is full or inaccessible. The default action is to suspend processes until storage becomes available.

AUDIT_ARGV

Include in the audit record the argument list for the exec(2) system call. The default action is not to include this information.

AUDIT_ARGE

Include in the audit record the environment variables for the execv(2) system call. The default action is not to include this information.

AUDIT_SEQ

Add a sequence token to each audit record. The default action is not to include this token.

AUDIT_TRAIL

Append a trailer token to each audit record. The default action is not to include this token.

AUDIT_GROUP

Include the supplementary groups list in audit records. The default action is not to include it.

AUDIT_SLABEL

Include slabels in audit records. The default action is to include slabels in audit records.

AUDIT_PASSWD

Include as part of the audit record any bad authentication data encountered during a login operation. The default action is not to include the password in the audit record.

AUDIT_PATH

Include secondary paths in audit records. Examples of secondary paths are dynamically loaded, shared library modules and the command shell path for executable scripts.

AUDIT_WINDATA_DOWN

Include in an audit record any downgraded data moved between windows. By default, this data is not included.

AUDIT_WINDATA_UP

Include in an audit record any upgraded data moved between windows. By default, this data is not included.

RETURN VALUES

auditon() returns:

0

On success.

-1

On failure, and sets errno to indicate the error.

ERRORS

The auditon() function will fail if:

E2BIG

The length field for the command was too small to hold the returned value.

EFAULT

The copy of data to/from the kernel failed.

EINVAL

One of the system call arguments was illegal..

EPERM

The process did not have the appropriate privilege in its effective set.

USAGE

The auditon() function may be invoked only by privileged processes.

SUMMARY OF TRUSTED SOLARIS CHANGES

These policy flags have been added in the Trusted Solaris operating environment: AUDIT_ACL, AUDIT_AHLT, AUDIT_SLABEL, AUDIT_PASSWD, AUDIT_WINDATA_DOWN, and AUDIT_WINDATA_UP. The DESCRIPTION section explains which privileges are required to use which audit-control commands.

SEE ALSO

Trusted Solaris 8 HW 12/02 Reference Manual

auditd(1M), audit(2), auditsvc(2), audit.log(4)

Trusted Solaris Audit Administration

SunOS 5.8 Reference Manual

attributes(5)

Trusted Solaris 8 HW 12/02  Last Revised 20 Feb 2001

NAME | SYNOPSIS | DESCRIPTION | RETURN VALUES | ERRORS | USAGE | SUMMARY OF TRUSTED SOLARIS CHANGES | SEE ALSO