.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
.\" Copyright (c) 2005 Tom Rhodes
.\" Copyright (c) 2005 Wayne J. Salamon
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#11 $
.\"
.Dd April 19, 2005
.Dt AUDITON 2
.Os
.Sh NAME
.Nm auditon
.Nd "configure system audit parameters"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
.Fn auditon "int cmd" "void *data" "u_int length"
.Sh DESCRIPTION
The
.Fn auditon
system call is used to manipulate various audit control operations.
The
.Fa data
argument
should point to a structure whose type depends on the command.
The
.Fa length
argument
specifies the size of
.Fa *data
in bytes.
The
.Fa cmd
argument
may be any of the following:
.Bl -tag -width ".It Dv A_GETPINFO_ADDR"
.It Dv A_SETPOLICY
Set audit policy flags.
The
.Fa data
argument
must point to a
.Vt long
value set to one of the audit
policy control values defined in
.In bsm/audit.h .
Currently, only
.Dv AUDIT_CNT
and
.Dv AUDIT_AHLT
are implemented.
In the
.Dv AUDIT_CNT
case, the action will continue even if
the event will not be audited.
In the
.Dv AUDIT_AHLT
case, a
.Xr panic 9
will result if an event will not be written to the
audit log file.
.It Dv A_SETKAUDIT
Return
.Er ENOSYS .
.It Dv A_SETKMASK
Set the kernel preselection masks (success and failure).
The
.Fa data
argument
must point to a
.Vt au_mask_t
structure containing the mask values.
These masks are used for non-attributable audit event preselection.
.It Dv A_SETQCTRL
Set kernel audit queue parameters.
The
.Fa data
argument
must point to a
.Vt au_qctrl_t
structure containing the
kernel audit queue control settings:
.Dq "high water" ,
.Dq "low water" ,
.Dq "output buffer size" ,
.Dq "percent min free disk space" ,
and
.Dq delay
(not currently used).
.It Dv A_SETSTAT
Return
.Er ENOSYS .
.It Dv A_SETUMASK
Return
.Er ENOSYS .
.It Dv A_SETSMASK
Return
.Er ENOSYS .
.It Dv A_SETCOND
Set the current auditing condition.
The
.Fa data
argument
must point to a
.Vt long
value containing the new
audit condition, one of
.Dv AUC_AUDITING ,
.Dv AUC_NOAUDIT ,
or
.Dv AUC_DISABLED .
.It Dv A_SETCLASS
Set the event class preselection mask for an audit event.
The
.Fa data
argument
must point to a
.Vt au_evclass_map_t
structure containing the audit event and mask.
.It Dv A_SETPMASK
Set the preselection masks for a process.
The
.Fa data
argument
must point to a
.Vt auditpinfo_t
structure that contains the given process's audit
preselection masks for both success and failure.
.It Dv A_SETFSIZE
Set the maximum size of the audit log file.
The
.Fa data
argument
must point to a
.Vt au_fstat_t
structure with the
.Va af_filesz
field set to the maximum audit log file size.
A value of 0
indicates no limit to the size.
.It Dv A_GETCLASS
Return the event to class mapping for the designated audit event.
The
.Fa data
argument
must point to a
.Vt au_evclass_map_t
structure.
.It Dv A_GETKAUDIT
Return
.Er ENOSYS .
.It Dv A_GETPINFO
Return the audit settings for a process.
The
.Fa data
argument
must point to a
.Vt auditpinfo_t
structure which will be set to contain
the audit ID, preselection mask, terminal ID, and audit session
ID of the given process.
.It Dv A_GETPINFO_ADDR
Return
.Er ENOSYS .
.It Dv A_GETKMASK
Return the current kernel preselection masks.
The
.Fa data
argument
must point to a
.Vt au_mask_t
structure which will be set to
the current kernel preselection masks for non-attributable events.
.It Dv A_GETPOLICY
Return the current audit policy setting.
The
.Fa data
argument
must point to a
.Vt long
value which will be set to
one of the current audit policy flags.
Currently, only
.Dv AUDIT_CNT
and
.Dv AUDIT_AHLT
are implemented.
.It Dv A_GETQCTRL
Return the current kernel audit queue control parameters.
The
.Fa data
argument
must point to a
.Vt au_qctrl_t
structure which will be set to the current
kernel audit queue control parameters.
.It Dv A_GETFSIZE
Return the maximum size of the audit log file.
The
.Fa data
argument
must point to a
.Vt au_fstat_t
structure.
The
.Va af_filesz
field will be set to the maximum audit log file size.
A value of 0 indicates no limit to the size.
The
.Va af_currsz
field
will be set to the current audit log file size.
.It Dv A_GETCWD
.\" [COMMENTED OUT]: Valid description, not yet implemented.
.\" Return the current working directory as stored in the audit subsystem.
Return
.Er ENOSYS .
.It Dv A_GETCAR
.\" [COMMENTED OUT]: Valid description, not yet implemented.
.\"Stores and returns the current active root as stored in the audit
.\"subsystem.
Return
.Er ENOSYS .
.It Dv A_GETSTAT
.\" [COMMENTED OUT]: Valid description, not yet implemented.
.\"Return the statistics stored in the audit system.
Return
.Er ENOSYS .
.It Dv A_GETCOND
Return the current auditing condition.
The
.Fa data
argument
must point to a
.Vt long
value which will be set to
the current audit condition, either
.Dv AUC_AUDITING
or
.Dv AUC_NOAUDIT .
.It Dv A_SENDTRIGGER
Send a trigger to the audit daemon.
The
.Fa data
argument
must point to a
.Vt long
value set to one of the acceptable
trigger values:
.Dv AUDIT_TRIGGER_LOW_SPACE
(low disk space where the audit log resides),
.Dv AUDIT_TRIGGER_OPEN_NEW
(open a new audit log file),
.Dv AUDIT_TRIGGER_READ_FILE
(read the
.Pa audit_control
file),
.Dv AUDIT_TRIGGER_CLOSE_AND_DIE
(close the current log file and exit),
or
.Dv AUDIT_TRIGGER_NO_SPACE
(no disk space left for audit log file).
.El
.Sh RETURN VALUES
.Rv -std
.Sh ERRORS
The
.Fn auditon
function will fail if:
.Bl -tag -width Er
.It Bq Er ENOSYS
Returned by options not yet implemented.
.It Bq Er EFAULT
A failure occurred while data was being transferred to or from
the kernel.
.It Bq Er EINVAL
An illegal argument was passed to the system call.
.It Bq Er EPERM
The process does not have sufficient permission to complete
the operation.
.El
.Pp
The
.Dv A_SENDTRIGGER
command is specific to the
.Fx
and Mac OS X implementations, and is not present in Solaris.
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditctl 2 ,
.Xr getaudit 2 ,
.Xr getaudit_addr 2 ,
.Xr getauid 2 ,
.Xr setaudit 2 ,
.Xr setaudit_addr 2 ,
.Xr setauid 2 ,
.Xr libbsm 3
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh AUTHORS
.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include
.An Wayne Salamon ,
.An Robert Watson ,
and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Tom Rhodes Aq trhodes@FreeBSD.org ,
.An Robert Watson Aq rwatson@FreeBSD.org ,
and
.An Wayne Salamon Aq wsalamon@FreeBSD.org .
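.Sh EXAMPLES
The program below is an example added to this page, not code from the OpenBSM distribution. It reads the audit condition and policy with A_GETCOND and A_GETPOLICY as described in DESCRIPTION and flags settings under which events can go unrecorded. The names review_audit_state(), review_live_system() and the F_* flags are hypothetical, the long argument types follow this page, and the fallback constants are assumed to match bsm/audit.h and exist only so the logic compiles where that header is missing.

```c
#include <sys/types.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __has_include
#if __has_include(<bsm/audit.h>)
#include <bsm/audit.h>
#define HAVE_BSM 1
#endif
#endif
#ifndef HAVE_BSM  /* assumed to match bsm/audit.h; used only off-target */
#define AUC_AUDITING 1
#define AUC_NOAUDIT  2
#define AUDIT_CNT    0x0001
#define AUDIT_AHLT   0x0002
#endif

enum { F_NOT_AUDITING = 1, F_CONTINUE_ON_LOSS = 2 };  /* hypothetical finding flags */

/* Flag settings under which events can go unrecorded. */
int review_audit_state(long cond, long policy) {
    int findings = 0;
    if (cond != AUC_AUDITING) findings |= F_NOT_AUDITING;     /* AUC_NOAUDIT etc. */
    if (policy & AUDIT_CNT)   findings |= F_CONTINUE_ON_LOSS; /* continue unaudited */
    return findings;
}

/* Query the running kernel: findings >= 0, or -errno if auditon() fails. */
int review_live_system(void) {
#ifdef HAVE_BSM
    long cond = 0, policy = 0;
    if (auditon(A_GETCOND, &cond, sizeof(cond)) != 0) return -errno;
    if (auditon(A_GETPOLICY, &policy, sizeof(policy)) != 0) return -errno;
    return review_audit_state(cond, policy);
#else
    return -ENOSYS;  /* no audit interface on this build host */
#endif
}

int main(void) {
    int r = review_live_system();
    if (r < 0) { fprintf(stderr, "auditon: %s\n", strerror(-r)); return 2; }
    if (r & F_NOT_AUDITING) puts("auditing is not active");
    if (r & F_CONTINUE_ON_LOSS) puts("AUDIT_CNT set: actions continue when an event is not audited");
    return r ? 1 : 0;
}
```

The exit status is 0 when no finding is raised, 1 when at least one is, and 2 when auditon() itself fails, for example with EPERM when run without sufficient permission.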