0ac6f8ebdf
contrib/openbsm (svn merge) and sys/{bsm,security/audit} (manual merge).
- Add OpenBSM contrib tree to include paths for audit(8) and auditd(8).
- Merge support for new tokens, fixes to existing token generation to
audit_bsm_token.c.
- Synchronize bsm includes and definitions.
OpenBSM history for imported revisions below for reference.
MFC after: 1 month
Sponsored by: Apple Inc.
Obtained from: TrustedBSD Project
--
OpenBSM 1.1 alpha 2
- Include files in OpenBSM are now broken out into two parts: library builds
required solely for user space, and system includes, which may also be
required for use in the kernels of systems integrating OpenBSM. Submitted
by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native
include for system includes, rather than the versions bundled with OpenBSM.
This is intended specifically for platforms that ship OpenBSM, have adapted
versions of the system includes in a kernel source tree, and will use the
OpenBSM build infrastructure with an unmodified OpenBSM distribution,
allowing the customized system includes to be used with the OpenBSM build.
Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s
or asprintf(). Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only
BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information
on the host generating the record.
- Add support for setting extended host information in the kernel, which is
used for setting host information in extended header tokens. The
audit_control file now supports a "host" parameter which can be used by
auditd to set the information; if not present, the kernel parameters won't
be set and auditd uses unextended headers for records that it generates.
OpenBSM 1.1 alpha 1
- Add option to auditreduce(1) which allows users to invert sense of
matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the
event there is an error writing the subject token. This was submitted
by Diego Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not being arguments so
that const strings can be passed as arguments to tokens. This patch was
submitted by Xin LI.
- Modify the -m option so users can select more then one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.
468 lines
12 KiB
Groff
468 lines
12 KiB
Groff
.\"-
|
|
.\" Copyright (c) 2005 Robert N. M. Watson
|
|
.\" Copyright (c) 2005 Tom Rhodes
|
|
.\" Copyright (c) 2005 Wayne J. Salamon
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#14 $
|
|
.\"
|
|
.Dd July 10, 2008
|
|
.Dt AUDITON 2
|
|
.Os
|
|
.Sh NAME
|
|
.Nm auditon
|
|
.Nd "configure system audit parameters"
|
|
.Sh SYNOPSIS
|
|
.In bsm/audit.h
|
|
.Ft int
|
|
.Fn auditon "int cmd" "void *data" "u_int length"
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Fn auditon
|
|
system call is used to manipulate various audit control operations.
|
|
The
|
|
.Fa data
|
|
argument
|
|
should point to a structure whose type depends on the command.
|
|
The
|
|
.Fa length
|
|
argument
|
|
specifies the size of
|
|
.Fa *data
|
|
in bytes.
|
|
The
|
|
.Fa cmd
|
|
argument
|
|
may be any of the following:
|
|
.Bl -tag -width ".It Dv A_GETPINFO_ADDR"
|
|
.It Dv A_SETPOLICY
|
|
Set audit policy flags.
|
|
The
|
|
.Fa data
|
|
argument
|
|
must point to a
|
|
.Vt long
|
|
value set to one or more the following audit
|
|
policy control values bitwise OR'ed together:
|
|
.Dv AUDIT_CNT ,
|
|
.Dv AUDIT_AHLT ,
|
|
.Dv AUDIT_ARGV ,
|
|
and
|
|
.Dv AUDIT_ARGE .
|
|
If
|
|
.Dv AUDIT_CNT is set, the system will continue even if it becomes low
|
|
on space and discontinue logging events until the low space condition is
|
|
remedied.
|
|
If it is not set, audited events will block until the low space
|
|
condition is remedied.
|
|
Unaudited events, however, are unaffected.
|
|
If
|
|
.Dv AUDIT_AHLT is set, a
|
|
.Xr panic 9
|
|
if it cannot write an event to the global audit log file.
|
|
If
|
|
.Dv AUDIT_ARGV
|
|
is set, then the argument list passed to the
|
|
.Xr execve 2
|
|
system call will be audited. If
|
|
.Dv AUDIT_ARGE
|
|
is set, then the environment variables passed to the
|
|
.Xr execve 2
|
|
system call will be audited. The default policy is none of the audit policy
|
|
control flags set.
|
|
.It Dv A_SETKAUDIT
|
|
Return
|
|
.Er ENOSYS .
|
|
(Not implemented.)
|
|
.It Dv A_SETKMASK
|
|
Set the kernel preselection masks (success and failure).
|
|
The
|
|
.Fa data
|
|
argument
|
|
must point to a
|
|
.Vt au_mask_t
|
|
structure containing the mask values as defined in
|
|
.In bsm/audit.h .
|
|
These masks are used for non-attributable audit event preselection.
|
|
The field
|
|
.Fa am_success
|
|
specifies which classes of successful audit events are to be logged to the
|
|
audit trail. The field
|
|
.Fa am_failure
|
|
specifies which classes of failed audit events are to be logged. The value of
|
|
both fields is the bitwise OR'ing of the audit event classes specified in
|
|
.Fa bsm/audit.h .
|
|
The various audit classes are described more fully in
|
|
.Xr audit_class 5 .
|
|
.It Dv A_SETQCTRL
|
|
Set kernel audit queue parameters.
|
|
The
|
|
.Fa data
|
|
argument
|
|
must point to a
|
|
.Vt au_qctrl_t
|
|
structure (defined in
|
|
.In bsm/audit.h )
|
|
containing the kernel audit queue control settings:
|
|
.Fa aq_hiwater ,
|
|
.Fa aq_lowater ,
|
|
.Fa aq_bufsz ,
|
|
.Fa aq_delay ,
|
|
and
|
|
.Fa aq_minfree .
|
|
The field
|
|
.Fa aq_hiwater
|
|
defines the maximum number of audit record entries in the queue used to store
|
|
the audit records ready for delivery to disk.
|
|
New records are inserted at the tail of the queue and removed from the head.
|
|
For new records which would exceed the
|
|
high water mark, the calling thread is inserted into the wait queue, waiting
|
|
for the audit queue to have enough space available as defined with the field
|
|
.Fa aq_lowater .
|
|
The field
|
|
.Fa aq_bufsz
|
|
defines the maximum length of the audit record that can be supplied with
|
|
.Xr audit 2 .
|
|
The field
|
|
.Fa aq_delay
|
|
is unused.
|
|
The field
|
|
.Fa aq_minfree
|
|
specifies the minimum amount of free blocks on the disk device used to store
|
|
audit records.
|
|
If the value of free blocks falls below the configured
|
|
minimum amount, the kernel informs the audit daemon about low disk space.
|
|
The value is to be specified in percent of free file system blocks.
|
|
A value of 0 results in a disabling of the check.
|
|
.It Dv A_SETSTAT
|
|
Return
|
|
.Er ENOSYS .
|
|
(Not implemented.)
|
|
.It Dv A_SETUMASK
|
|
Return
|
|
.Er ENOSYS .
|
|
(Not implemented.)
|
|
.It Dv A_SETSMASK
|
|
Return
|
|
.Er ENOSYS .
|
|
(Not implemented.)
|
|
.It Dv A_SETCOND
|
|
Set the current auditing condition.
|
|
The
|
|
.Fa data
|
|
argument
|
|
must point to a
|
|
.Vt long
|
|
value containing the new
|
|
audit condition, one of
|
|
.Dv AUC_AUDITING ,
|
|
.Dv AUC_NOAUDIT ,
|
|
or
|
|
.Dv AUC_DISABLED .
|
|
If
|
|
.Dv AUC_NOAUDIT
|
|
is set, then auditing is temporarily suspended. If
|
|
.Dv AUC_AUDITING
|
|
is set, auditing is resumed. If
|
|
.Dv AUC_DISABLED
|
|
is set, the auditing system will
|
|
shutdown, draining all audit records and closing out the audit trail file.
|
|
.It Dv A_SETCLASS
|
|
Set the event class preselection mask for an audit event.
|
|
The
|
|
.Fa data
|
|
argument
|
|
must point to a
|
|
.Vt au_evclass_map_t
|
|
structure containing the audit event and mask.
|
|
The field
|
|
.Fa ec_number
|
|
is the audit event and
|
|
.Fa ec_class
|
|
is the audit class mask. See
|
|
.Xr audit_event 5
|
|
for more information on audit event to class mapping.
|
|
.It Dv A_SETPMASK
|
|
Set the preselection masks for a process.
|
|
The
|
|
.Fa data
|
|
argument
|
|
must point to a
|
|
.Vt auditpinfo_t
|
|
structure that contains the given process's audit
|
|
preselection masks for both success and failure.
|
|
The field
|
|
.Fa ap_pid
|
|
is the process id of the target process.
|
|
The field
|
|
.Fa ap_mask
|
|
must point to a
|
|
.Fa au_mask_t
|
|
structure which holds the preselection masks as described in the
|
|
.Da A_SETKMASK
|
|
section above.
|
|
.It Dv A_SETFSIZE
|
|
Set the maximum size of the audit log file.
|
|
The
|
|
.Fa data
|
|
argument
|
|
must point to a
|
|
.Vt au_fstat_t
|
|
structure with the
|
|
.Va af_filesz
|
|
field set to the maximum audit log file size.
|
|
A value of 0
|
|
indicates no limit to the size.
|
|
.It Dv A_SETKAUDIT
|
|
Return
|
|
.Er ENOSYS .
|
|
(Not implemented.)
|
|
.It Dv A_GETCLASS
|
|
Return the event to class mapping for the designated audit event.
|
|
The
|
|
.Fa data
|
|
argument
|
|
must point to a
|
|
.Vt au_evclass_map_t
|
|
structure. See the
|
|
.Dv A_SETCLASS
|
|
section above for more information.
|
|
.It Dv A_GETKAUDIT
|
|
Return
|
|
.Er ENOSYS .
|
|
(Not implemented.)
|
|
.It Dv A_GETPINFO
|
|
Return the audit settings for a process.
|
|
The
|
|
.Fa data
|
|
argument
|
|
must point to a
|
|
.Vt auditpinfo_t
|
|
structure which will be set to contain
|
|
.Fa ap_auid
|
|
(the audit ID),
|
|
.Fa ap_mask
|
|
(the preselection mask),
|
|
.Fa ap_termid
|
|
(the terminal ID), and
|
|
.Fa ap_asid
|
|
(the audit session ID)
|
|
of the given target process.
|
|
The process ID of the target process is passed
|
|
into the kernel using the
|
|
.Fa ap_pid
|
|
field.
|
|
See the section
|
|
.Dv A_SETPMASK
|
|
above and
|
|
.Xr getaudit 2
|
|
for more information.
|
|
.It Dv A_GETPINFO_ADDR
|
|
Return the extended audit settings for a process.
|
|
The
|
|
.Fa data
|
|
argument
|
|
must point to a
|
|
.Vt auditpinfo_addr_t
|
|
structure which is similar to the
|
|
.Vt auditpinfo_addr_t
|
|
structure described above.
|
|
The exception is the
|
|
.Fa ap_termid
|
|
(the terminal ID) field which points to a
|
|
.Vt au_tid_addr_t
|
|
structure can hold much a larger terminal address and an address type.
|
|
The process ID of the target process is passed into the kernel using the
|
|
.Fa ap_pid
|
|
field.
|
|
See the section
|
|
.Dv A_SETPMASK
|
|
above and
|
|
.Xr getaudit 2
|
|
for more information.
|
|
.It Dv A_GETKMASK
|
|
Return the current kernel preselection masks.
|
|
The
|
|
.Fa data
|
|
argument
|
|
must point to a
|
|
.Vt au_mask_t
|
|
structure which will be set to
|
|
the current kernel preselection masks for non-attributable events.
|
|
.It Dv A_GETPOLICY
|
|
Return the current audit policy setting.
|
|
The
|
|
.Fa data
|
|
argument
|
|
must point to a
|
|
.Vt long
|
|
value which will be set to
|
|
one of the current audit policy flags.
|
|
The audit policy flags are
|
|
described in the
|
|
.Dv A_SETPOLICY
|
|
section above.
|
|
.It Dv A_GETQCTRL
|
|
Return the current kernel audit queue control parameters.
|
|
The
|
|
.Fa data
|
|
argument
|
|
must point to a
|
|
.Vt au_qctrl_t
|
|
structure which will be set to the current
|
|
kernel audit queue control parameters.
|
|
See the
|
|
.Dv A_SETQCTL
|
|
section above for more information.
|
|
.It Dv A_GETFSIZE
|
|
Returns the maximum size of the audit log file.
|
|
The
|
|
.Fa data
|
|
argument
|
|
must point to a
|
|
.Vt au_fstat_t
|
|
structure.
|
|
The
|
|
.Va af_filesz
|
|
field will be set to the maximum audit log file size.
|
|
A value of 0 indicates no limit to the size.
|
|
The
|
|
.Va af_currsz
|
|
field
|
|
will be set to the current audit log file size.
|
|
.It Dv A_GETCWD
|
|
.\" [COMMENTED OUT]: Valid description, not yet implemented.
|
|
.\" Return the current working directory as stored in the audit subsystem.
|
|
Return
|
|
.Er ENOSYS .
|
|
(Not implemented.)
|
|
.It Dv A_GETCAR
|
|
.\" [COMMENTED OUT]: Valid description, not yet implemented.
|
|
.\"Stores and returns the current active root as stored in the audit
|
|
.\"subsystem.
|
|
Return
|
|
.Er ENOSYS .
|
|
(Not implemented.)
|
|
.It Dv A_GETSTAT
|
|
.\" [COMMENTED OUT]: Valid description, not yet implemented.
|
|
.\"Return the statistics stored in the audit system.
|
|
Return
|
|
.Er ENOSYS .
|
|
(Not implemented.)
|
|
.It Dv A_GETCOND
|
|
Return the current auditing condition.
|
|
The
|
|
.Fa data
|
|
argument
|
|
must point to a
|
|
.Vt long
|
|
value which will be set to
|
|
the current audit condition, one of
|
|
.Dv AUC_AUDITING ,
|
|
.Dv AUC_NOAUDIT
|
|
or
|
|
.Dv AUC_DISABLED .
|
|
See the
|
|
.Dv A_SETCOND
|
|
section above for more information.
|
|
.It Dv A_SENDTRIGGER
|
|
Send a trigger to the audit daemon.
|
|
The
|
|
.Fa data
|
|
argument
|
|
must point to a
|
|
.Vt long
|
|
value set to one of the acceptable
|
|
trigger values:
|
|
.Dv AUDIT_TRIGGER_LOW_SPACE
|
|
(low disk space where the audit log resides),
|
|
.Dv AUDIT_TRIGGER_OPEN_NEW
|
|
(open a new audit log file),
|
|
.Dv AUDIT_TRIGGER_READ_FILE
|
|
(read the
|
|
.Pa audit_control
|
|
file),
|
|
.Dv AUDIT_TRIGGER_CLOSE_AND_DIE
|
|
(close the current log file and exit),
|
|
or
|
|
.Dv AUDIT_TRIGGER_NO_SPACE
|
|
(no disk space left for audit log file).
|
|
.El
|
|
.Sh RETURN VALUES
|
|
.Rv -std
|
|
.Sh ERRORS
|
|
The
|
|
.Fn auditon
|
|
function will fail if:
|
|
.Bl -tag -width Er
|
|
.It Bq Er ENOSYS
|
|
Returned by options not yet implemented.
|
|
.It Bq Er EFAULT
|
|
A failure occurred while data transferred to or from
|
|
the kernel failed.
|
|
.It Bq Er EINVAL
|
|
Illegal argument was passed by a system call.
|
|
.It Bq Er EPERM
|
|
The process does not have sufficient permission to complete
|
|
the operation.
|
|
.El
|
|
.Pp
|
|
The
|
|
.Dv A_SENDTRIGGER
|
|
command is specific to the
|
|
.Fx
|
|
and Mac OS X implementations, and is not present in Solaris.
|
|
.Sh SEE ALSO
|
|
.Xr audit 2 ,
|
|
.Xr auditctl 2 ,
|
|
.Xr getaudit 2 ,
|
|
.Xr getaudit_addr 2 ,
|
|
.Xr getauid 2 ,
|
|
.Xr setaudit 2 ,
|
|
.Xr setaudit_addr 2 ,
|
|
.Xr setauid 2 ,
|
|
.Xr libbsm 3
|
|
.Sh HISTORY
|
|
The OpenBSM implementation was created by McAfee Research, the security
|
|
division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
|
|
It was subsequently adopted by the TrustedBSD Project as the foundation for
|
|
the OpenBSM distribution.
|
|
.Sh AUTHORS
|
|
.An -nosplit
|
|
This software was created by McAfee Research, the security research division
|
|
of McAfee, Inc., under contract to Apple Computer Inc.
|
|
Additional authors include
|
|
.An Wayne Salamon ,
|
|
.An Robert Watson ,
|
|
and SPARTA Inc.
|
|
.Pp
|
|
The Basic Security Module (BSM) interface to audit records and audit event
|
|
stream format were defined by Sun Microsystems.
|
|
.Pp
|
|
This manual page was written by
|
|
.An Tom Rhodes Aq trhodes@FreeBSD.org ,
|
|
.An Robert Watson Aq rwatson@FreeBSD.org ,
|
|
and
|
|
.An Wayne Salamon Aq wsalamon@FreeBSD.org .
|