d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
b8c4cc421e
freebsd-dev/contrib/openbsm/man/auditon.2
Robert Watson bb97b41819 Vendor import of OpenBSM 1.0 alpha 11, with the following change history 
notes since the last import:

OpenBSM 1.0 alpha 11

- Reclassify certain read/write operations as having no class rather than the
  fr/fw class; our default classes audit intent (open) not operations (read,
  write).
- Introduce AUE_SYSCTL_WRITE event so that BSD/Darwin systems can audit reads
  and writes of sysctls as separate events.  Add additional kernel
  environment and jail events for FreeBSD.
- Break AUDIT_TRIGGER_OPEN_NEW into two events, AUDIT_TRIGGER_ROTATE_USER
  (issued by the user audit(8) tool) and AUDIT_TRIGGER_ROTATE_KERNEL (issued
  by the kernel audit implementation) so that they can be distinguished.
- Disable rate limiting of rotate requests; as the kernel doesn't retransmit
  a dropped request, the log file will otherwise grow indefinitely if the
  trigger is dropped.
- Improve auditd debugging output.
- Fix a number of threading related bugs in audit_control file reading
  routines.
- Add APIs au_poltostr() and au_strtopol() to convert between text
  representations of audit_control policy flags and the flags passed to
  auditon(A_SETPOLICY) and retrieved from auditon(A_GETPOLICY).
- Add API getacpol() to return the 'policy:' entry from audit_control, an
  extension to the Solaris file format to allow specification of policy
  persistent flags.
- Update audump to print the audit_control policy field.
- Update auditd to read the audit_control policy field and set the kernel
  policy to match it when configuring/reconfiguring.  Remove the -s and -h
  arguments as these policies are now set via the configuration file.  If a
  policy line is not found in the configuration file, continue with the
  current default of setting AUDIT_CNT.
- Fix bugs in the parsing of large execve(2) arguments and environmental
  variable tokens; increase maximum parsed argument and variable count.
- configure now detects strlcat(), used by policy-related functions.
- Reference token and record sample files added to test tree.

Obtained from:	TrustedBSD Project
2006-09-21 07:07:33 +00:00

292 lines
7.7 KiB
Groff
Raw Blame History

.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
.\" Copyright (c) 2005 Tom Rhodes
.\" Copyright (c) 2005 Wayne J. Salamon
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#8 $
.\"
.Dd April 19, 2005
.Dt AUDITON 2
.Os
.Sh NAME
.Nm auditon
.Nd "Configure system audit parameters"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
.Fn auditon "int cmd" "void *data" "u_int length"
.Sh DESCRIPTION
The
.Nm
system call is used to manipulate various audit control operations.
.Ft *data
should point to a structure whose type depends on the command.
.Ft length
specifies the size of the
.Em data
in bytes.
.Ft cmd
may be any of the following:
.Bl -tag -width ".It Dv A_GETPINFO_ADDR"
.It Dv A_SETPOLICY
Set audit policy flags.
.Ft *data
must point to a long value set to one of the audit
policy control values defined in
.Pa audit.h .
Currently, only
.Dv AUDIT_CNT
and
.Dv AUDIT_AHLT
are implemented.
In the
.Dv AUDIT_CNT
case, the action will continue regardless if
an event will not be audited.
In the
.Dv AUDIT_AHLT
case, a
.Xr panic 9
will result if an event will not be written to the
audit log file.
.It Dv A_SETKAUDIT
Return
.Er ENOSYS .
.It Dv A_SETKMASK
Set the kernel preselection masks (success and failure).
.Ft *data
must point to a
.Ft au_mask_t
structure containing the mask values.
These masks are used for non-attributable audit event preselection.
.It Dv A_SETQCTRL
Set kernel audit queue parameters.
.Ft *data
must point to a
.Ft au_qctrl_t
structure containing the
kernel audit queue control settings:
.Va high water ,
.Va low water ,
.Va output buffer size ,
.Va percent min free disk space ,
and
.Em delay
(not currently used).
.It Dv A_SETSTAT
Return
.Er ENOSYS .
.It Dv A_SETUMASK
Return
.Er ENOSYS .
.It Dv A_SETSMASK
Return
.Er ENOSYS .
.It Dv A_SETCOND
Set the current auditing condition.
.Ft *data
must point to a long value containing the new
audit condition, one of
.Dv AUC_AUDITING ,
.Dv AUC_NOAUDIT ,
or
.Dv AUC_DISABLED .
.It Dv A_SETCLASS
Set the event class preselection mask for an audit event.
.Ft *data
must point to a
.Ft au_evclass_map_t
structure containing the audit event and mask.
.It Dv A_SETPMASK
Set the preselection masks for a process.
.Ft *data
must point to a
.Ft auditpinfo_t
structure that contains the given process's audit
preselection masks for both success and failure.
.It Dv A_SETFSIZE
Set the maximum size of the audit log file.
.Ft *data
must point to a
.Ft au_fstat_t
structure with the
.Ft af_filesz
field set to the maximum audit log file size. A value of 0
indicates no limit to the size.
.It Dv A_SETKAUDIT
Return
.Er ENOSYS .
.It Dv A_GETCLASS
Return the event to class mapping for the designated audit event.
.Ft *data
must point to a
.Ft au_evclass_map_t
structure.
.It Dv A_GETKAUDIT
Return
.Er ENOSYS .
.It Dv A_GETPINFO
Return the audit settings for a process.
.Ft *data
must point to a
.Ft auditpinfo_t
structure which will be set to contain
the audit ID, preselection mask, terminal ID, and audit session
ID of the given process.
.It Dv A_GETPINFO_ADDR
Return
.Er ENOSYS .
.It Dv A_GETKMASK
Return the current kernel preselection masks.
.Ft *data
must point to a
.Ft au_mask_t
structure which will be set to
the current kernel preselection masks for non-attributable events.
.It Dv A_GETPOLICY
Return the current audit policy setting.
.Ft *data
must point to a long value which will be set to
one of the current audit policy flags.
Currently, only
.Dv AUDIT_CNT
and
.Dv AUDIT_AHLT
are implemented.
.It Dv A_GETQCTRL
Return the current kernel audit queue control parameters.
.Ft *data
must point to a
.Ft au_qctrl_t
structure which will be set to the current
kernel audit queue control parameters.
.It Dv A_GETFSIZE
Returns the maximum size of the audit log file.
.Ft *data
must point to a
.Ft au_fstat_t
structure. The
.Ft af_filesz
field will be set to the maximum audit log file size.
A value of 0 indicates no limit to the size.
The
.Ft af_currsz
will be set to the current audit log file size.
.It Dv A_GETCWD
.\" [COMMENTED OUT]: Valid description, not yet implemented.
.\" Return the current working directory as stored in the audit subsystem.
Return
.Er ENOSYS .
.It Dv A_GETCAR
.\" [COMMENTED OUT]: Valid description, not yet implemented.
.\"Stores and returns the current active root as stored in the audit
.\"subsystem.
Return
.Er ENOSYS .
.It Dv A_GETSTAT
.\" [COMMENTED OUT]: Valid description, not yet implemented.
.\"Return the statistics stored in the audit system.
Return
.Er ENOSYS .
.It Dv A_GETCOND
Return the current auditing condition.
.Ft *data
must point to a long value which will be set to
the current audit condition, either
.Dv AUC_AUDITING
or
.Dv AUC_NOAUDIT .
.It Dv A_SENDTRIGGER
Send a trigger to the audit daemon.
.Fr *data
must point to a long value set to one of the acceptable
trigger values:
.Dv AUDIT_TRIGGER_LOW_SPACE
(low disk space where the audit log resides),
.Dv AUDIT_TRIGGER_OPEN_NEW
(open a new audit log file),
.Dv AUDIT_TRIGGER_READ_FILE
(read the
.Pa audit_control
file),
.Dv AUDIT_TRIGGER_CLOSE_AND_DIE
(close the current log file and exit),
or
.Dv AUDIT_TRIGGER_NO_SPACE
(no disk space left for audit log file).
.El
.Sh RETURN VALUES
.Rv -std
.Sh ERRORS
The
.Fn auditon
function will fail if:
.Bl -tag -width Er
.It Bq Er ENOSYS
Returned by options not yet implemented.
.It Bq Er EFAULT
A failure occurred while data transferred to or from
the kernel failed.
.It Bq Er EINVAL
Illegal argument was passed by a system call.
.It Bq Er EPERM
The process does not have sufficient permission to complete
the operation.
.El
.Pp
The
.Dv A_SENDTRIGGER
command is specific to the
.Fx
and Mac OS X implementations, and is not present in Solaris.
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditctl 2 ,
.Xr getauid 2 ,
.Xr setauid 2 ,
.Xr getaudit 2 ,
.Xr setaudit 2 ,
.Xr getaudit_addr 2 ,
.Xr setaudit_addr 2 ,
.Xr libbsm 3
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Tom Rhodes Aq trhodes@FreeBSD.org ,
.An Robert Watson Aq rwatson@FreeBSD.org ,
and
.An Wayne Salamon Aq wsalamon@FreeBSD.org .
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2003.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
Reference in New Issue View Git Blame Copy Permalink