AUDITCONFIG(8) Maintenance Commands and Procedures AUDITCONFIG(8)
NAME
auditconfig - configure auditing
SYNOPSIS
auditconfig option...
DESCRIPTION
auditconfig provides a command line interface to get and set kernel audit
parameters.
The setting of the
perzone policy determines the scope of the audit
setting controlled by
auditconfig. If
perzone is set, then the values
reflect the local zone except as noted. Otherwise, the settings are for
the entire system. Any restriction based on the
perzone setting is noted
for each option to which it applies.
A non-global zone administrator can set all audit policy options except
perzone and
ahlt.
perzone and
ahlt apply only to the global zone; setting
these policies requires the privileges of a global zone administrator.
perzone and
ahlt are described under the
-setpolicy option, below.
OPTIONS
-aconf Set the non-attributable audit mask to the value set using the
-setnaflags option. For example:
# auditconfig -aconf
Configured non-attributable event mask.
-audit event sorf retval string This command constructs an audit record for audit event
event using
the process's audit characteristics containing a text token
string.
The return token is constructed from the
sorf (success/failure flag)
and the
retval (return value). The event is type
char*, the
sorf is
0/1 for success/failure,
retval is an errno value,
string is type
*char. This command is useful for constructing an audit record with a
shell script. An example of this option:
# auditconfig -audit AUE_ftpd 0 0 "test string"
#
audit record from audit trail:
header,76,2,ftp access,,Fri Dec 08 08:44:02 2000, + 669 msec
subject,abc,root,other,root,other,104449,102336,235 197121 elbow
text,test string
return,success,0
-chkaconf Checks that the current non-attributable event flags set in the
kernel matches the configuration. If the runtime class mask of a
kernel audit event does not match the configured class mask, a
mismatch is reported.
-chkconf Check the configuration of kernel audit event to class mappings. If
the runtime class mask of a kernel audit event does not match the
configured class mask, a mismatch is reported.
-conf Configure kernel audit event to class mappings. Runtime class
mappings are changed to match those in the audit event to class
database file.
-getasid Prints the audit session ID of the current process. For example:
# auditconfig -getasid
audit session id = 102336
-getaudit Returns the audit characteristics of the current process.
# auditconfig -getaudit
audit id =
abc(666) process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
audit session id = 102336
-getauid Prints the audit ID of the current process. For example:
# auditconfig -getauid
audit id =
abc(666) -getcar Prints current active root location (anchored from root [or local
zone root] at system boot). For example:
# auditconfig -getcar
current active root = /
-getclass event Display the preselection mask associated with the specified kernel
audit event.
event is the kernel event number or event name.
-getcond Display the kernel audit condition. The condition displayed is the
literal string
auditing meaning auditing is enabled and turned on
(the kernel audit module is constructing and queuing audit records);
noaudit, meaning auditing is enabled but turned off (the kernel audit
module is not constructing and queuing audit records); or
nospace,
meaning there is no space for saving audit records. See
auditon(2) and
auditd(8) for further information.
-getcwd Prints current working directory (anchored from zone root at system
boot). For example:
# cd /usr/tmp
# auditconfig -getcwd
current working directory = /var/tmp
-getestate event For the specified event (string or event number), print out classes
event has been assigned. For example:
# auditconfig -getestate 20
audit class mask for event
AUE_REBOOT(20) = 0x800
# auditconfig -getestate AUE_RENAME
audit class mask for event
AUE_RENAME(42) = 0x30
-getflags Display the current active and configured user default audit flags.
For example:
# auditconfig -getflags
active user default audit flags = no(0x0,0x0)
configured user default audit flags = ex,lo(0x40001000,0x40001000)
-getkaudit Get audit characteristics of the current zone. For example:
# auditconfig -getkaudit
audit id = unknown(-2)
process preselection mask = lo,na(0x1400,0x1400)
terminal id (maj,min,host) = 0,0,(0.0.0.0)
audit session id = 0
If the audit policy
perzone is not set, the terminal id is that of
the global zone. Otherwise, it is the terminal id of the local zone.
-getkmask Get non-attributable pre-selection mask for the current zone. For
example:
# auditconfig -getkmask
audit flags for non-attributable events = lo,na(0x1400,0x1400)
If the audit policy
perzone is not set, the kernel mask is that of
the global zone. Otherwise, it is that of the local zone.
-getnaflags Display the current active and configured non-attributable audit
flags. For example:
# auditconfig -getnaflags
active non-attributable audit flags = no(0x0,0x0)
configured non-attributable audit flags = lo(0x1000,0x1000)
-getpinfo pid Display the audit ID, preselection mask, terminal ID, and audit
session ID for the specified process.
-getplugin [
plugin]
Display the currently installed plugins and their attributes. If
plugin is specified,
-getplugin only shows information for that
plugin. For example:
# auditconfig -getplugin
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=0;
Plugin: audit_syslog (inactive)
Attributes: p_flags=;
Plugin: audit_remote (inactive)
Attributes: p_hosts=;p_retries=3;p_timeout=5;
-getpolicy Display the kernel audit policy. The
ahlt and
perzone policies
reflect the settings from the global zone. If
perzone is set, all
other policies reflect the local zone's settings. If
perzone is not
set, the policies are machine-wide.
-getqbufsz Get audit queue write buffer size. For example:
# auditconfig -getqbufsz
audit queue buffer size (bytes) = 1024
-getqctrl Get audit queue write buffer size, audit queue
hiwater mark, audit
queue
lowater mark, audit queue
prod interval (ticks).
# auditconfig -getqctrl
audit queue hiwater mark (records) = 100
audit queue lowater mark (records) = 10
audit queue buffer size (bytes) = 1024
audit queue delay (ticks) = 20
-getqdelay Get interval at which audit queue is prodded to start output. For
example:
# auditconfig -getqdelay
audit queue delay (ticks) = 20
-getqhiwater Get high water point in undelivered audit records when audit
generation will block. For example:
# auditconfig -getqhiwater
audit queue hiwater mark (records) = 100
-getqlowater Get low water point in undelivered audit records where blocked
processes will resume. For example:
# auditconfig -getqlowater
audit queue lowater mark (records) = 10
-getstat Print current audit statistics information. For example:
# auditconfig -getstat
gen nona kern aud ctl enq wrtn wblk rblk drop tot mem
910 1 725 184 0 910 910 0 231 0 88 48
See
auditstat(8) for a description of the headings in
-getstat output.
-gettid Print audit terminal ID for current process. For example:
# auditconfig -gettid
terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
-lsevent Display the currently configured (runtime) kernel and user level
audit event information.
-lspolicy Display the kernel audit policies with a description of each policy.
-setasid session-ID [
cmd]
Execute shell or
cmd with specified
session-ID. For example:
# auditconfig -setasid 2000 /bin/ksh
#
# auditconfig -getpinfo 104485
audit id =
abc(666) process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
audit session id = 2000
-setaudit audit-ID preselect_flags term-ID session-ID [
cmd]
Execute shell or
cmd with the specified audit characteristics.
-setauid audit-ID [
cmd]
Execute shell or
cmd with the specified
audit-ID.
-setclass event audit_flag[
,audit_flag ...]
Map the kernel event
event to the classes specified by
audit_flags.
event is an event number or name. An
audit_flag is a two character
string representing an audit class. If
perzone is not set, this
option is valid only in the global zone.
-setflags audit_flags Sets the user default audit flags. For example, to set execute and
login auditing for all users:
# auditconfig -setflags ex,lo
user default audit flags = ex,lo(0x40001000,0x40001000)
-setkaudit IP-address_type IP_address Set IP address of machine to specified values.
IP-address_type is
ipv6 or
ipv4.
If
perzone is not set, this option is valid only in the global zone.
-setkmask audit_flags Set non-attributes selection flags of machine.
If
perzone is not set, this option is valid only in the global zone.
-setnaflags audit_flags Sets the non-attributable audit flags. For example:
# auditconfig -setnaflags lo
non-attributable audit flags = lo(0x1000,0x1000)
-setplugin name active|
inactive [
attributes [
qsize]]
Configures a plugin's attributes. For example:
# auditconfig -setplugin audit_syslog active
-setpmask pid flags Set the preselection mask of the specified process.
If
perzone is not set, this option is valid only in the global zone.
-setpolicy [
+|
-]
policy_flag[
,policy_flag ...]
Set the kernel audit policy. A policy
policy_flag is literal strings
that denotes an audit policy. A prefix of
+ adds the policies
specified to the current audit policies. A prefix of
- removes the
policies specified from the current audit policies. No policies can
be set from a local zone unless the
perzone policy is first set from
the global zone. The following are the valid policy flag strings
(
auditconfig -lspolicy also lists the current valid audit policy flag
strings):
all Include all policies that apply to the current zone.
ahlt Panic is called and the system dumps core if an
asynchronous audit event occurs that cannot be
delivered because the audit queue has reached the
high-water mark or because there are insufficient
resources to construct an audit record. By default,
records are dropped and a count is kept of the number
of dropped records.
arge Include the
execv(2) system call environment
arguments to the audit record. This information is
not included by default.
argv Include the
execv(2) system call parameter arguments
to the audit record. This information is not
included by default.
cnt Do not suspend processes when audit resources are
exhausted. Instead, drop audit records and keep a
count of the number of records dropped. By default,
process are suspended until audit resources become
available.
group Include the supplementary group token in audit
records. By default, the group token is not included.
none Include no policies. If used in other than the global
zone, the
ahlt and
perzone policies are not changed.
path Add secondary path tokens to audit record. These are
typically the pathnames of dynamically linked shared
libraries or command interpreters for shell scripts.
By default, they are not included.
perzone Maintain separate configuration, queues, and logs for
each zone and execute a separate version of
auditd(8) for each zone.
public Audit public files. By default, read-type operations
are not audited for certain files which meet
public characteristics: owned by root, readable by all, and
not writable by all.
trail Include the trailer token in every audit record. By
default, the trailer token is not included.
seq Include the sequence token as part of every audit
record. By default, the sequence token is not
included. The sequence token attaches a sequence
number to every audit record.
windata_down Include in an audit record any downgraded data moved
between windows. This policy is available only if the
system is configured with Trusted Extensions. By
default, this information is not included.
windata_up Include in an audit record any upgraded data moved
between windows. This policy is available only if the
system is configured with Trusted Extensions. By
default, this information is not included.
zonename Include the
zonename token as part of every audit
record. By default, the
zonename token is not
included. The
zonename token gives the name of the
zone from which the audit record was generated.
-setqbufsz buffer_size Set the audit queue write buffer size (bytes).
-setqctrl hiwater lowater bufsz interval Set the audit queue write buffer size (bytes), hiwater audit record
count, lowater audit record count, and wakeup interval (ticks). Valid
within a local zone only if
perzone is set.
-setqdelay interval Set the audit queue wakeup interval (ticks). This determines the
interval at which the kernel pokes the audit queue, to write audit
records to the audit trail. Valid within a local zone only if
perzone is set.
-setqhiwater hiwater Set the number of undelivered audit records in the audit queue at
which audit record generation blocks. Valid within a local zone only
if
perzone is set.
-setqlowater lowater Set the number of undelivered audit records in the audit queue at
which blocked auditing processes unblock. Valid within a local zone
only if
perzone is set.
-setsmask asid flags Set the preselection mask of all processes with the specified audit
session ID. Valid within a local zone only if
perzone is set.
-setstat Reset audit statistics counters. Valid within a local zone only if
perzone is set.
-setumask auid flags Set the preselection mask of all processes with the specified audit
ID. Valid within a local zone only if
perzone is set.
EXAMPLES
Example 1: Using auditconfig
The following is an example of an
auditconfig program:
#
# map kernel audit event number 10 to the "fr" audit class
#
% auditconfig -setclass 10 fr
#
# turn on inclusion of exec arguments in exec audit records
#
% auditconfig -setpolicy +argv
EXIT STATUS
0 Successful completion.
1 An error occurred.
FILES
/etc/security/audit_event Stores event definitions used in the audit
system.
/etc/security/audit_class Stores class definitions used in the audit
system.
ATTRIBUTES
See
attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Committed |
+--------------------+-----------------+
SEE ALSO
auditon(2),
execv(2),
audit_class(5),
audit_event(5),
attributes(7),
audit_binfile(7),
audit_remote(7),
audit_syslog(7),
audit(8),
auditd(8),
auditstat(8),
praudit(8)NOTES
If the
audit_remote or
audit_syslog plugins are active, the behavior of
the system with respect to the
-setpolicy +cnt and the
-setqhiwater options is modified slightly. If
-setpolicy +cnt is set, data will
continue to be sent to the selected plugin, even though output to the
binary audit log is stopped, pending the freeing of disk space. If
-setpolicy -cnt is used, the blocking behavior is as described under
OPTIONS, above. The value set for the queue high water mark is used
within
auditd as the default value for its queue limits unless overridden
by means of the
qsize attribute.
The
auditconfig options that modify or display process-based information
are not affected by the
perzone policy. Those that modify system audit
data such as the terminal id and audit queue parameters are valid only in
the global zone, unless the
perzone policy is set. The display of a
system audit reflects the local zone if
perzone is set. Otherwise, it
reflects the settings of the global zone.
The
-setcond option has been removed. Use
audit(8) to enable or disable
auditing.
The
-getfsize and
-setfsize options have been removed. Use
audit_binfile(7) p_fsize to set the audit file size.
March 6, 2017
AUDITCONFIG(8)