bb97b41819
notes since the last import: OpenBSM 1.0 alpha 11 - Reclassify certain read/write operations as having no class rather than the fr/fw class; our default classes audit intent (open) not operations (read, write). - Introduce AUE_SYSCTL_WRITE event so that BSD/Darwin systems can audit reads and writes of sysctls as separate events. Add additional kernel environment and jail events for FreeBSD. - Break AUDIT_TRIGGER_OPEN_NEW into two events, AUDIT_TRIGGER_ROTATE_USER (issued by the user audit(8) tool) and AUDIT_TRIGGER_ROTATE_KERNEL (issued by the kernel audit implementation) so that they can be distinguished. - Disable rate limiting of rotate requests; as the kernel doesn't retransmit a dropped request, the log file will otherwise grow indefinitely if the trigger is dropped. - Improve auditd debugging output. - Fix a number of threading related bugs in audit_control file reading routines. - Add APIs au_poltostr() and au_strtopol() to convert between text representations of audit_control policy flags and the flags passed to auditon(A_SETPOLICY) and retrieved from auditon(A_GETPOLICY). - Add API getacpol() to return the 'policy:' entry from audit_control, an extension to the Solaris file format to allow specification of policy persistent flags. - Update audump to print the audit_control policy field. - Update auditd to read the audit_control policy field and set the kernel policy to match it when configuring/reconfiguring. Remove the -s and -h arguments as these policies are now set via the configuration file. If a policy line is not found in the configuration file, continue with the current default of setting AUDIT_CNT. - Fix bugs in the parsing of large execve(2) arguments and environmental variable tokens; increase maximum parsed argument and variable count. - configure now detects strlcat(), used by policy-related functions. - Reference token and record sample files added to test tree. Obtained from: TrustedBSD Project
292 lines
7.7 KiB
Groff
292 lines
7.7 KiB
Groff
.\"-
|
|
.\" Copyright (c) 2005 Robert N. M. Watson
|
|
.\" Copyright (c) 2005 Tom Rhodes
|
|
.\" Copyright (c) 2005 Wayne J. Salamon
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#8 $
|
|
.\"
|
|
.Dd April 19, 2005
|
|
.Dt AUDITON 2
|
|
.Os
|
|
.Sh NAME
|
|
.Nm auditon
|
|
.Nd "Configure system audit parameters"
|
|
.Sh SYNOPSIS
|
|
.In bsm/audit.h
|
|
.Ft int
|
|
.Fn auditon "int cmd" "void *data" "u_int length"
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
system call is used to manipulate various audit control operations.
|
|
.Ft *data
|
|
should point to a structure whose type depends on the command.
|
|
.Ft length
|
|
specifies the size of the
|
|
.Em data
|
|
in bytes.
|
|
.Ft cmd
|
|
may be any of the following:
|
|
.Bl -tag -width ".It Dv A_GETPINFO_ADDR"
|
|
.It Dv A_SETPOLICY
|
|
Set audit policy flags.
|
|
.Ft *data
|
|
must point to a long value set to one of the audit
|
|
policy control values defined in
|
|
.Pa audit.h .
|
|
Currently, only
|
|
.Dv AUDIT_CNT
|
|
and
|
|
.Dv AUDIT_AHLT
|
|
are implemented.
|
|
In the
|
|
.Dv AUDIT_CNT
|
|
case, the action will continue regardless if
|
|
an event will not be audited.
|
|
In the
|
|
.Dv AUDIT_AHLT
|
|
case, a
|
|
.Xr panic 9
|
|
will result if an event will not be written to the
|
|
audit log file.
|
|
.It Dv A_SETKAUDIT
|
|
Return
|
|
.Er ENOSYS .
|
|
.It Dv A_SETKMASK
|
|
Set the kernel preselection masks (success and failure).
|
|
.Ft *data
|
|
must point to a
|
|
.Ft au_mask_t
|
|
structure containing the mask values.
|
|
These masks are used for non-attributable audit event preselection.
|
|
.It Dv A_SETQCTRL
|
|
Set kernel audit queue parameters.
|
|
.Ft *data
|
|
must point to a
|
|
.Ft au_qctrl_t
|
|
structure containing the
|
|
kernel audit queue control settings:
|
|
.Va high water ,
|
|
.Va low water ,
|
|
.Va output buffer size ,
|
|
.Va percent min free disk space ,
|
|
and
|
|
.Em delay
|
|
(not currently used).
|
|
.It Dv A_SETSTAT
|
|
Return
|
|
.Er ENOSYS .
|
|
.It Dv A_SETUMASK
|
|
Return
|
|
.Er ENOSYS .
|
|
.It Dv A_SETSMASK
|
|
Return
|
|
.Er ENOSYS .
|
|
.It Dv A_SETCOND
|
|
Set the current auditing condition.
|
|
.Ft *data
|
|
must point to a long value containing the new
|
|
audit condition, one of
|
|
.Dv AUC_AUDITING ,
|
|
.Dv AUC_NOAUDIT ,
|
|
or
|
|
.Dv AUC_DISABLED .
|
|
.It Dv A_SETCLASS
|
|
Set the event class preselection mask for an audit event.
|
|
.Ft *data
|
|
must point to a
|
|
.Ft au_evclass_map_t
|
|
structure containing the audit event and mask.
|
|
.It Dv A_SETPMASK
|
|
Set the preselection masks for a process.
|
|
.Ft *data
|
|
must point to a
|
|
.Ft auditpinfo_t
|
|
structure that contains the given process's audit
|
|
preselection masks for both success and failure.
|
|
.It Dv A_SETFSIZE
|
|
Set the maximum size of the audit log file.
|
|
.Ft *data
|
|
must point to a
|
|
.Ft au_fstat_t
|
|
structure with the
|
|
.Ft af_filesz
|
|
field set to the maximum audit log file size. A value of 0
|
|
indicates no limit to the size.
|
|
.It Dv A_SETKAUDIT
|
|
Return
|
|
.Er ENOSYS .
|
|
.It Dv A_GETCLASS
|
|
Return the event to class mapping for the designated audit event.
|
|
.Ft *data
|
|
must point to a
|
|
.Ft au_evclass_map_t
|
|
structure.
|
|
.It Dv A_GETKAUDIT
|
|
Return
|
|
.Er ENOSYS .
|
|
.It Dv A_GETPINFO
|
|
Return the audit settings for a process.
|
|
.Ft *data
|
|
must point to a
|
|
.Ft auditpinfo_t
|
|
structure which will be set to contain
|
|
the audit ID, preselection mask, terminal ID, and audit session
|
|
ID of the given process.
|
|
.It Dv A_GETPINFO_ADDR
|
|
Return
|
|
.Er ENOSYS .
|
|
.It Dv A_GETKMASK
|
|
Return the current kernel preselection masks.
|
|
.Ft *data
|
|
must point to a
|
|
.Ft au_mask_t
|
|
structure which will be set to
|
|
the current kernel preselection masks for non-attributable events.
|
|
.It Dv A_GETPOLICY
|
|
Return the current audit policy setting.
|
|
.Ft *data
|
|
must point to a long value which will be set to
|
|
one of the current audit policy flags.
|
|
Currently, only
|
|
.Dv AUDIT_CNT
|
|
and
|
|
.Dv AUDIT_AHLT
|
|
are implemented.
|
|
.It Dv A_GETQCTRL
|
|
Return the current kernel audit queue control parameters.
|
|
.Ft *data
|
|
must point to a
|
|
.Ft au_qctrl_t
|
|
structure which will be set to the current
|
|
kernel audit queue control parameters.
|
|
.It Dv A_GETFSIZE
|
|
Returns the maximum size of the audit log file.
|
|
.Ft *data
|
|
must point to a
|
|
.Ft au_fstat_t
|
|
structure. The
|
|
.Ft af_filesz
|
|
field will be set to the maximum audit log file size.
|
|
A value of 0 indicates no limit to the size.
|
|
The
|
|
.Ft af_currsz
|
|
will be set to the current audit log file size.
|
|
.It Dv A_GETCWD
|
|
.\" [COMMENTED OUT]: Valid description, not yet implemented.
|
|
.\" Return the current working directory as stored in the audit subsystem.
|
|
Return
|
|
.Er ENOSYS .
|
|
.It Dv A_GETCAR
|
|
.\" [COMMENTED OUT]: Valid description, not yet implemented.
|
|
.\"Stores and returns the current active root as stored in the audit
|
|
.\"subsystem.
|
|
Return
|
|
.Er ENOSYS .
|
|
.It Dv A_GETSTAT
|
|
.\" [COMMENTED OUT]: Valid description, not yet implemented.
|
|
.\"Return the statistics stored in the audit system.
|
|
Return
|
|
.Er ENOSYS .
|
|
.It Dv A_GETCOND
|
|
Return the current auditing condition.
|
|
.Ft *data
|
|
must point to a long value which will be set to
|
|
the current audit condition, either
|
|
.Dv AUC_AUDITING
|
|
or
|
|
.Dv AUC_NOAUDIT .
|
|
.It Dv A_SENDTRIGGER
|
|
Send a trigger to the audit daemon.
|
|
.Fr *data
|
|
must point to a long value set to one of the acceptable
|
|
trigger values:
|
|
.Dv AUDIT_TRIGGER_LOW_SPACE
|
|
(low disk space where the audit log resides),
|
|
.Dv AUDIT_TRIGGER_OPEN_NEW
|
|
(open a new audit log file),
|
|
.Dv AUDIT_TRIGGER_READ_FILE
|
|
(read the
|
|
.Pa audit_control
|
|
file),
|
|
.Dv AUDIT_TRIGGER_CLOSE_AND_DIE
|
|
(close the current log file and exit),
|
|
or
|
|
.Dv AUDIT_TRIGGER_NO_SPACE
|
|
(no disk space left for audit log file).
|
|
.El
|
|
.Sh RETURN VALUES
|
|
.Rv -std
|
|
.Sh ERRORS
|
|
The
|
|
.Fn auditon
|
|
function will fail if:
|
|
.Bl -tag -width Er
|
|
.It Bq Er ENOSYS
|
|
Returned by options not yet implemented.
|
|
.It Bq Er EFAULT
|
|
A failure occurred while data transferred to or from
|
|
the kernel failed.
|
|
.It Bq Er EINVAL
|
|
Illegal argument was passed by a system call.
|
|
.It Bq Er EPERM
|
|
The process does not have sufficient permission to complete
|
|
the operation.
|
|
.El
|
|
.Pp
|
|
The
|
|
.Dv A_SENDTRIGGER
|
|
command is specific to the
|
|
.Fx
|
|
and Mac OS X implementations, and is not present in Solaris.
|
|
.Sh SEE ALSO
|
|
.Xr audit 2 ,
|
|
.Xr auditctl 2 ,
|
|
.Xr getauid 2 ,
|
|
.Xr setauid 2 ,
|
|
.Xr getaudit 2 ,
|
|
.Xr setaudit 2 ,
|
|
.Xr getaudit_addr 2 ,
|
|
.Xr setaudit_addr 2 ,
|
|
.Xr libbsm 3
|
|
.Sh AUTHORS
|
|
This software was created by McAfee Research, the security research division
|
|
of McAfee, Inc., under contract to Apple Computer Inc.
|
|
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
|
|
.Pp
|
|
The Basic Security Module (BSM) interface to audit records and audit event
|
|
stream format were defined by Sun Microsystems.
|
|
.Pp
|
|
This manual page was written by
|
|
.An Tom Rhodes Aq trhodes@FreeBSD.org ,
|
|
.An Robert Watson Aq rwatson@FreeBSD.org ,
|
|
and
|
|
.An Wayne Salamon Aq wsalamon@FreeBSD.org .
|
|
.Sh HISTORY
|
|
The OpenBSM implementation was created by McAfee Research, the security
|
|
division of McAfee Inc., under contract to Apple Computer Inc. in 2003.
|
|
It was subsequently adopted by the TrustedBSD Project as the foundation for
|
|
the OpenBSM distribution.
|