23bf6e2091
- Man page formatting, cross reference, mlinks, and accuracy improvements. - auditd and tools now compile and run on FreeBSD/arm. - auditd will now fchown() the trail file to the audit review group, if defined at compile-time. - Added AUE_SYSARCH for FreeBSD. - Definition of AUE_SETFSGID fixed for Linux. Many thanks to: brueffer, cognet Obtained from: TrustedBSD Project
292 lines
7.7 KiB
Groff
292 lines
7.7 KiB
Groff
.\"-
|
|
.\" Copyright (c) 2005 Robert N. M. Watson
|
|
.\" Copyright (c) 2005 Tom Rhodes
|
|
.\" Copyright (c) 2005 Wayne J. Salamon
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#7 $
|
|
.\"
|
|
.Dd April 19, 2005
|
|
.Dt AUDITON 2
|
|
.Os
|
|
.Sh NAME
|
|
.Nm auditon
|
|
.Nd "Configure system audit parameters"
|
|
.Sh SYNOPSIS
|
|
.In bsm/audit.h
|
|
.Ft int
|
|
.Fn auditon "int cmd" "void *data" "u_int length"
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
system call is used to manipulate various audit control operations.
|
|
.Ft *data
|
|
should point to a structure whose type depends on the command.
|
|
.Ft length
|
|
specifies the size of the
|
|
.Em data
|
|
in bytes.
|
|
.Ft cmd
|
|
may be any of the following:
|
|
.Bl -tag -width ".It Dv A_GETPINFO_ADDR"
|
|
.It Dv A_SETPOLICY
|
|
Set audit policy flags.
|
|
.Ft *data
|
|
must point to a long value set to one of the audit
|
|
policy control values defined in
|
|
.Pa audit.h .
|
|
Currently, only
|
|
.Dv AUDIT_CNT
|
|
and
|
|
.Dv AUDIT_AHLT
|
|
are implemented.
|
|
In the
|
|
.Dv AUDIT_CNT
|
|
case, the action will continue regardless if
|
|
an event will not be audited.
|
|
In the
|
|
.Dv AUDIT_AHLT
|
|
case, a
|
|
.Xr panic 9
|
|
will result if an event will not be written to the
|
|
audit log file.
|
|
.It Dv A_SETKAUDIT
|
|
Return
|
|
.Er ENOSYS .
|
|
.It Dv A_SETKMASK
|
|
Set the kernel preselection masks (success and failure).
|
|
.Ft *data
|
|
must point to a
|
|
.Ft au_mask_t
|
|
structure containing the mask values.
|
|
These masks are used for non-attributable audit event preselection.
|
|
.It Dv A_SETQCTRL
|
|
Set kernel audit queue parameters.
|
|
.Ft *data
|
|
must point to a
|
|
.Ft au_qctrl_t
|
|
structure containing the
|
|
kernel audit queue control settings:
|
|
.Va high water ,
|
|
.Va low water ,
|
|
.Va output buffer size ,
|
|
.Va percent min free disk space ,
|
|
and
|
|
.Em delay
|
|
(not currently used).
|
|
.It Dv A_SETSTAT
|
|
Return
|
|
.Er ENOSYS .
|
|
.It Dv A_SETUMASK
|
|
Return
|
|
.Er ENOSYS .
|
|
.It Dv A_SETSMASK
|
|
Return
|
|
.Er ENOSYS .
|
|
.It Dv A_SETCOND
|
|
Set the current auditing condition.
|
|
.Ft *data
|
|
must point to a long value containing the new
|
|
audit condition, one of
|
|
.Dv AUC_AUDITING ,
|
|
.Dv AUC_NOAUDIT ,
|
|
or
|
|
.Dv AUC_DISABLED .
|
|
.It Dv A_SETCLASS
|
|
Set the event class preselection mask for an audit event.
|
|
.Ft *data
|
|
must point to a
|
|
.Ft au_evclass_map_t
|
|
structure containing the audit event and mask.
|
|
.It Dv A_SETPMASK
|
|
Set the preselection masks for a process.
|
|
.Ft *data
|
|
must point to a
|
|
.Ft auditpinfo_t
|
|
structure that contains the given process's audit
|
|
preselection masks for both success and failure.
|
|
.It Dv A_SETFSIZE
|
|
Set the maximum size of the audit log file.
|
|
.Ft *data
|
|
must point to a
|
|
.Ft au_fstat_t
|
|
structure with the
|
|
.Ft af_filesz
|
|
field set to the maximum audit log file size. A value of 0
|
|
indicates no limit to the size.
|
|
.It Dv A_SETKAUDIT
|
|
Return
|
|
.Er ENOSYS .
|
|
.It Dv A_GETCLASS
|
|
Return the event to class mapping for the designated audit event.
|
|
.Ft *data
|
|
must point to a
|
|
.Ft au_evclass_map_t
|
|
structure.
|
|
.It Dv A_GETKAUDIT
|
|
Return
|
|
.Er ENOSYS .
|
|
.It Dv A_GETPINFO
|
|
Return the audit settings for a process.
|
|
.Ft *data
|
|
must point to a
|
|
.Ft auditpinfo_t
|
|
structure which will be set to contain
|
|
the audit ID, preselection mask, terminal ID, and audit session
|
|
ID of the given process.
|
|
.It Dv A_GETPINFO_ADDR
|
|
Return
|
|
.Er ENOSYS .
|
|
.It Dv A_GETKMASK
|
|
Return the current kernel preselection masks.
|
|
.Ft *data
|
|
must point to a
|
|
.Ft au_mask_t
|
|
structure which will be set to
|
|
the current kernel preselection masks for non-attributable events.
|
|
.It Dv A_GETPOLICY
|
|
Return the current audit policy setting.
|
|
.Ft *data
|
|
must point to a long value which will be set to
|
|
one of the current audit policy flags.
|
|
Currently, only
|
|
.Dv AUDIT_CNT
|
|
and
|
|
.Dv AUDIT_AHLT
|
|
are implemented.
|
|
.It Dv A_GETQCTRL
|
|
Return the current kernel audit queue control parameters.
|
|
.Ft *data
|
|
must point to a
|
|
.Ft au_qctrl_t
|
|
structure which will be set to the current
|
|
kernel audit queue control parameters.
|
|
.It Dv A_GETFSIZE
|
|
Returns the maximum size of the audit log file.
|
|
.Ft *data
|
|
must point to a
|
|
.Ft au_fstat_t
|
|
structure. The
|
|
.Ft af_filesz
|
|
field will be set to the maximum audit log file size.
|
|
A value of 0 indicates no limit to the size.
|
|
The
|
|
.Ft af_filesz
|
|
will be set to the current audit log file size.
|
|
.It Dv A_GETCWD
|
|
.\" [COMMENTED OUT]: Valid description, not yet implemented.
|
|
.\" Return the current working directory as stored in the audit subsystem.
|
|
Return
|
|
.Er ENOSYS .
|
|
.It Dv A_GETCAR
|
|
.\" [COMMENTED OUT]: Valid description, not yet implemented.
|
|
.\"Stores and returns the current active root as stored in the audit
|
|
.\"subsystem.
|
|
Return
|
|
.Er ENOSYS .
|
|
.It Dv A_GETSTAT
|
|
.\" [COMMENTED OUT]: Valid description, not yet implemented.
|
|
.\"Return the statistics stored in the audit system.
|
|
Return
|
|
.Er ENOSYS .
|
|
.It Dv A_GETCOND
|
|
Return the current auditing condition.
|
|
.Ft *data
|
|
must point to a long value which will be set to
|
|
the current audit condition, either
|
|
.Dv AUC_AUDITING
|
|
or
|
|
.Dv AUC_NOAUDIT .
|
|
.It Dv A_SENDTRIGGER
|
|
Send a trigger to the audit daemon.
|
|
.Fr *data
|
|
must point to a long value set to one of the acceptable
|
|
trigger values:
|
|
.Dv AUDIT_TRIGGER_LOW_SPACE
|
|
(low disk space where the audit log resides),
|
|
.Dv AUDIT_TRIGGER_OPEN_NEW
|
|
(open a new audit log file),
|
|
.Dv AUDIT_TRIGGER_READ_FILE
|
|
(read the
|
|
.Pa audit_control
|
|
file),
|
|
.Dv AUDIT_TRIGGER_CLOSE_AND_DIE
|
|
(close the current log file and exit),
|
|
or
|
|
.Dv AUDIT_TRIGGER_NO_SPACE
|
|
(no disk space left for audit log file).
|
|
.El
|
|
.Sh RETURN VALUES
|
|
.Rv -std
|
|
.Sh ERRORS
|
|
The
|
|
.Fn auditon
|
|
function will fail if:
|
|
.Bl -tag -width Er
|
|
.It Bq Er ENOSYS
|
|
Returned by options not yet implemented.
|
|
.It Bq Er EFAULT
|
|
A failure occurred while data transferred to or from
|
|
the kernel failed.
|
|
.It Bq Er EINVAL
|
|
Illegal argument was passed by a system call.
|
|
.It Bq Er EPERM
|
|
The process does not have sufficient permission to complete
|
|
the operation.
|
|
.El
|
|
.Pp
|
|
The
|
|
.Dv A_SENDTRIGGER
|
|
command is specific to the
|
|
.Fx
|
|
and Mac OS X implementations, and is not present in Solaris.
|
|
.Sh SEE ALSO
|
|
.Xr audit 2 ,
|
|
.Xr auditctl 2 ,
|
|
.Xr getauid 2 ,
|
|
.Xr setauid 2 ,
|
|
.Xr getaudit 2 ,
|
|
.Xr setaudit 2 ,
|
|
.Xr getaudit_addr 2 ,
|
|
.Xr setaudit_addr 2 ,
|
|
.Xr libbsm 3
|
|
.Sh AUTHORS
|
|
This software was created by McAfee Research, the security research division
|
|
of McAfee, Inc., under contract to Apple Computer Inc.
|
|
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
|
|
.Pp
|
|
The Basic Security Module (BSM) interface to audit records and audit event
|
|
stream format were defined by Sun Microsystems.
|
|
.Pp
|
|
This manual page was written by
|
|
.An Tom Rhodes Aq trhodes@FreeBSD.org ,
|
|
.An Robert Watson Aq rwatson@FreeBSD.org ,
|
|
and
|
|
.An Wayne Salamon Aq wsalamon@FreeBSD.org .
|
|
.Sh HISTORY
|
|
The OpenBSM implementation was created by McAfee Research, the security
|
|
division of McAfee Inc., under contract to Apple Computer Inc. in 2003.
|
|
It was subsequently adopted by the TrustedBSD Project as the foundation for
|
|
the OpenBSM distribution.
|