AUDITON(2) FreeBSD System Calls Manual AUDITON(2)
NAME
auditon -- configure system audit parameters
SYNOPSIS
#include <bsm/audit.h>
int
auditon(int cmd, void *data, u_int length);
DESCRIPTION
The auditon() system call is used to manipulate various audit control
operations. The data argument should point to a structure whose type
depends on the command. The length argument specifies the size of *data
in bytes. The cmd argument may be any of the following:
A_SETPOLICY Set audit policy flags. The data argument must point to
a long value set to one of the audit policy control val-
ues defined in <bsm/audit.h>. Currently, only AUDIT_CNT
and AUDIT_AHLT are implemented. In the AUDIT_CNT case,
the action will continue regardless if an event will not
be audited. In the AUDIT_AHLT case, a panic(9) will
result if an event will not be written to the audit log
file.
A_SETKAUDIT Return ENOSYS.
A_SETKMASK Set the kernel preselection masks (success and failure).
The data argument must point to a au_mask_t structure
containing the mask values. These masks are used for
non-attributable audit event preselection.
A_SETQCTRL Set kernel audit queue parameters. The data argument
must point to a au_qctrl_t structure containing the ker-
nel audit queue control settings: ``high water'', ``low
water'', ``output buffer size'', ``percent min free disk
space'', and ``delay'' (not currently used).
A_SETSTAT Return ENOSYS.
A_SETUMASK Return ENOSYS.
A_SETSMASK Return ENOSYS.
A_SETCOND Set the current auditing condition. The data argument
must point to a long value containing the new audit con-
dition, one of AUC_AUDITING, AUC_NOAUDIT, or
AUC_DISABLED.
A_SETCLASS Set the event class preselection mask for an audit
event. The data argument must point to a
au_evclass_map_t structure containing the audit event
and mask.
A_SETPMASK Set the preselection masks for a process. The data
argument must point to a auditpinfo_t structure that
contains the given process's audit preselection masks
for both success and failure.
A_SETFSIZE Set the maximum size of the audit log file. The data
argument must point to a au_fstat_t structure with the
af_filesz field set to the maximum audit log file size.
A value of 0 indicates no limit to the size.
A_SETKAUDIT Return ENOSYS.
A_GETCLASS Return the event to class mapping for the designated
audit event. The data argument must point to a
au_evclass_map_t structure.
A_GETKAUDIT Return ENOSYS.
A_GETPINFO Return the audit settings for a process. The data argu-
ment must point to a auditpinfo_t structure which will
be set to contain the audit ID, preselection mask, ter-
minal ID, and audit session ID of the given process.
A_GETPINFO_ADDR Return ENOSYS.
A_GETKMASK Return the current kernel preselection masks. The data
argument must point to a au_mask_t structure which will
be set to the current kernel preselection masks for non-
attributable events.
A_GETPOLICY Return the current audit policy setting. The data argu-
ment must point to a long value which will be set to one
of the current audit policy flags. Currently, only
AUDIT_CNT and AUDIT_AHLT are implemented.
A_GETQCTRL Return the current kernel audit queue control parame-
ters. The data argument must point to a au_qctrl_t
structure which will be set to the current kernel audit
queue control parameters.
A_GETFSIZE Returns the maximum size of the audit log file. The
data argument must point to a au_fstat_t structure. The
af_filesz field will be set to the maximum audit log
file size. A value of 0 indicates no limit to the size.
The af_currsz field will be set to the current audit log
file size.
A_GETCWD Return ENOSYS.
A_GETCAR Return ENOSYS.
A_GETSTAT Return ENOSYS.
A_GETCOND Return the current auditing condition. The data argu-
ment must point to a long value which will be set to the
current audit condition, either AUC_AUDITING or
AUC_NOAUDIT.
A_SENDTRIGGER Send a trigger to the audit daemon. The data argument
must point to a long value set to one of the acceptable
trigger values: AUDIT_TRIGGER_LOW_SPACE (low disk space
where the audit log resides), AUDIT_TRIGGER_OPEN_NEW
(open a new audit log file), AUDIT_TRIGGER_READ_FILE
(read the audit_control file),
AUDIT_TRIGGER_CLOSE_AND_DIE (close the current log file
and exit), or AUDIT_TRIGGER_NO_SPACE (no disk space left
for audit log file).
RETURN VALUES
Upon successful completion, the value 0 is returned; otherwise the
value -1 is returned and the global variable errno is set to indicate the
error.
ERRORS
The auditon() function will fail if:
[ENOSYS] Returned by options not yet implemented.
[EFAULT] A failure occurred while data transferred to or from
the kernel failed.
[EINVAL] Illegal argument was passed by a system call.
[EPERM] The process does not have sufficient permission to
complete the operation.
The A_SENDTRIGGER command is specific to the FreeBSD and Mac OS X imple-
mentations, and is not present in Solaris.
SEE ALSO
audit(2), auditctl(2), getaudit(2), getaudit_addr(2), getauid(2),
setaudit(2), setaudit_addr(2), setauid(2), libbsm(3)
HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation
for the OpenBSM distribution.
AUTHORS
This software was created by McAfee Research, the security research divi-
sion of McAfee, Inc., under contract to Apple Computer Inc. Additional
authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
The Basic Security Module (BSM) interface to audit records and audit
event stream format were defined by Sun Microsystems.
This manual page was written by Tom Rhodes <trhodes@FreeBSD.org>, Robert
Watson , and Wayne Salamon <wsalamon@FreeBSD.org>.
FreeBSD 7.2 April 19, 2005 FreeBSD 7.2
NAME - SYNOPSIS - DESCRIPTION - RETURN VALUES - ERRORS - SEE ALSO -
HISTORY - AUTHORS -
|