AUDITON(2) System Calls AUDITON(2)
NAME
auditon - manipulate auditing
SYNOPSIS
cc [
flag... ]
file...
-lbsm -lsocket -lnsl [
library... ]
#include <sys/param.h>
#include <bsm/libbsm.h>
int auditon(
int cmd,
caddr_t data,
int length);
DESCRIPTION
The
auditon() function performs various audit subsystem control
operations. The
cmd argument designates the particular audit control
command. The
data argument is a pointer to command-specific data. The
length argument is the length in bytes of the command-specific data.
The following commands are supported:
A_GETCOND Return the system audit condition in the integer pointed to by
data.
The following values can be returned:
AUC_AUDITING Audit daemon is active.
AUC_INIT_AUDIT Audit is ready but auditd has not run.
AUC_NOAUDIT Audit daemon is not active.
AUC_NOSPACE Auditing has blocked due to lack of space in audit
partition.
A_SETCOND Set the system's audit on/off condition to the value in the integer
pointed to by
data. The following audit states can be set:
AUC_AUDITING Turns on audit record generation.
AUC_NOAUDIT Turns off audit record generation.
A_GETCLASS Return the event to class mapping for the designated audit event. The
data argument points to the
au_evclass_map structure containing the
event number. The preselection class mask is returned in the same
structure.
A_SETCLASS Set the event class preselection mask for the designated audit event.
The
data argument points to the
au_evclass_map structure containing
the event number and class mask.
A_GETKMASK Return the kernel preselection mask in the
au_mask structure pointed
to by
data. This is the mask used to preselect non-attributable audit
events.
A_SETKMASK Set the kernel preselection mask. The
data argument points to the
au_mask structure containing the class mask. This is the mask used to
preselect non-attributable audit events.
A_GETPINFO Return the audit ID, preselection mask, terminal ID and audit session
ID of the specified process in the
auditpinfo structure pointed to by
data.
Note that
A_GETPINFO can fail if the terminal ID contains a network
address longer than 32 bits. In this case, the
A_GETPINFO_ADDR command should be used.
A_GETPINFO_ADDR Returns the audit ID, preselection mask, terminal ID and audit
session ID of the specified process in the
auditpinfo_addr structure
pointed to by
data.
A_SETPMASK Set the preselection mask of the specified process. The
data argument
points to the
auditpinfo structure containing the process ID and the
preselection mask. The other fields of the structure are ignored and
should be set to
NULL.
A_SETUMASK Set the preselection mask for all processes with the specified audit
ID. The
data argument points to the
auditinfo structure containing
the audit ID and the preselection mask. The other fields of the
structure are ignored and should be set to
NULL.
A_SETSMASK Set the preselection mask for all processes with the specified audit
session ID. The
data argument points to the
auditinfo structure
containing the audit session
ID and the preselection mask. The other
fields of the structure are ignored and should be set to
NULL. A_GETQCTRL Return the kernel audit queue control parameters. These control the
high and low water marks of the number of audit records allowed in
the audit queue. The high water mark is the maximum allowed number of
undelivered audit records. The low water mark determines when threads
blocked on the queue are wakened. Another parameter controls the
size of the data buffer used to write data to the audit trail. There
is also a parameter that specifies a maximum delay before data is
attempted to be written to the audit trail. The audit queue
parameters are returned in the
au_qctrl structure pointed to by
data.
A_SETQCTRL Set the kernel audit queue control parameters as described above in
the
A_GETQCTRL command. The
data argument points to the
au_qctrl structure containing the audit queue control parameters. The default
and maximum values 'A/B' for the audit queue control parameters are:
high water 100/10000 (audit records)
low water 10/1024 (audit records)
output buffer size 1024/1048576 (bytes)
delay 20/20000 (hundredths second)
A_GETCWD Return the current working directory as kept by the audit subsystem.
This is a path anchored on the real root, rather than on the active
root. The
data argument points to a buffer into which the path is
copied. The
length argument is the length of the buffer.
A_GETCAR Return the current active root as kept by the audit subsystem. This
path can be used to anchor an absolute path for a path token
generated by an application. The
data argument points to a buffer
into which the path is copied. The
length argument is the length of
the buffer.
A_GETSTAT Return the system audit statistics in the
audit_stat structure
pointed to by
data.
A_SETSTAT Reset system audit statistics values. The kernel statistics value is
reset if the corresponding field in the statistics structure pointed
to by the
data argument is
CLEAR_VAL. Otherwise, the value is not
changed.
A_GETPOLICY Return the audit policy flags in the integer pointed to by
data.
A_SETPOLICY Set the audit policy flags to the values in the integer pointed to by
data. The following policy flags are recognized:
AUDIT_CNT Do not suspend processes when audit storage is full or
inaccessible. The default action is to suspend processes until
storage becomes available.
AUDIT_AHLT Halt the machine when a non-attributable audit record can not be
delivered. The default action is to count the number of events
that could not be recorded.
AUDIT_ARGV Include in the audit record the argument list for a member of the
exec(2) family of functions. The default action is not to include
this information.
AUDIT_ARGE Include the environment variables for the
execv(2) function in
the audit record. The default action is not to include this
information.
AUDIT_SEQ Add a
sequence token to each audit record. The default action is
not to include it.
AUDIT_TRAIL Append a
trailer token to each audit record. The default action
is not to include it.
AUDIT_GROUP Include the supplementary groups list in audit records. The
default action is not to include it.
AUDIT_PATH Include secondary paths in audit records. Examples of secondary
paths are dynamically loaded shared library modules and the
command shell path for executable scripts. The default action is
to include only the primary path from the system call.
AUDIT_WINDATA_DOWN Include in an audit record any downgraded data moved between
windows. This policy is available only if the system is
configured with Trusted Extensions. By default, this information
is not included.
AUDIT_WINDATA_UP Include in an audit record any upgraded data moved between
windows. This policy is available only if the system is
configured with Trusted Extensions. By default, this information
is not included.
AUDIT_PERZONE Enable auditing for each local zone. If not set, audit records
from all zones are collected in a single log accessible in the
global zone and certain
auditconfig(8) operations are disallowed.
This policy can be set only from the global zone.
AUDIT_ZONENAME Generate a zone ID token with each audit record.
RETURN VALUES
Upon successful completion,
auditon() returns
0. Otherwise, -1 is
returned and
errno is set to indicate the error.
ERRORS
The
auditon() function will fail if:
E2BIG The
length field for the command was too small to hold the
returned value.
EFAULT The copy of data to/from the kernel failed.
EINVAL One of the arguments was illegal, Audit has not been installed,
or the operation is not valid from a local zone.
EPERM The {
PRIV_SYS_AUDIT} privilege is not asserted in the effective
set of the calling process.
Neither the {
PRIV_PROC_AUDIT} nor the {
PRIV_SYS_AUDIT}
privilege is asserted in the effective set of the calling
process and the command is one of
A_GETCAR,
A_GETCLASS,
A_GETCOND,
A_GETCWD,
A_GETPINFO,
A_GETPOLICY.
USAGE
The
auditon() function can be invoked only by processes with appropriate
privileges.
The use of
auditon() to change system audit state is permitted only in
the global zone. From any other zone
auditon() returns -1 with
errno set
to
EPERM. The following
auditon() commands are permitted only in the
global zone:
A_SETCOND,
A_SETCLASS,
A_SETKMASK,
A_SETQCTRL,
A_SETSTAT,
A_SETFSIZE, and
A_SETPOLICY. All other
auditon() commands are valid from
any zone.
ATTRIBUTES
See
attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Committed |
+--------------------+-----------------+
|MT-Level | MT-Safe |
+--------------------+-----------------+
SEE ALSO
audit(2),
exec(2),
audit.log(5),
attributes(7),
privileges(7),
auditconfig(8),
auditd(8)NOTES
The auditon options that modify or display process-based information are
not affected by the "perzone" audit policy. Those that modify system
audit data such as the terminal ID and audit queue parameters are valid
only in the global zone unless the "perzone" policy is set. The "get"
options for system audit data reflect the local zone if "perzone" is set;
otherwise they reflects the settings of the global zone.
March 6, 2017
AUDITON(2)