FreeBSD 6.2 manual page repository

FreeBSD is a free computer operating system based on BSD UNIX originally. Many IT companies, like DeployIS is using it to provide an up-to-date, stable operating system.

auditon - Configure system audit parameters

 

NAME

      auditon - Configure system audit parameters
 

SYNOPSIS

      #include <bsm/audit.h>
 
      int
      auditon(int cmd, void *data, u_int length);
 

DESCRIPTION

      The auditon system call is used to manipulate various audit control oper‐
      ations.  *data should point to a structure whose type depends on the com‐
      mand.  length specifies the size of the data in bytes.  cmd may be any of
      the following:
 
      A_SETPOLICY      Set audit policy flags.  *data must point to a long
                       value set to one of the audit policy control values
                       defined in audit.h.  Currently, only AUDIT_CNT and
                       AUDIT_AHLT are implemented.  In the AUDIT_CNT case, the
                       action will continue regardless if an event will not be
                       audited.  In the AUDIT_AHLT case, a panic(9) will result
                       if an event will not be written to the audit log file.
 
      A_SETKAUDIT      Return ENOSYS.
 
      A_SETKMASK       Set the kernel preselection masks (success and failure).
                       *data must point to a au_mask_t structure containing the
                       mask values.  These masks are used for non-attributable
                       audit event preselection.
 
      A_SETQCTRL       Set kernel audit queue parameters.  *data must point to
                       a au_qctrl_t structure containing the kernel audit queue
                       control settings: high water, low water, output buffer
                       size, percent min free disk space, and delay (not cur‐
                       rently used).
 
      A_SETSTAT        Return ENOSYS.
 
      A_SETUMASK       Return ENOSYS.
 
      A_SETSMASK       Return ENOSYS.
 
      A_SETCOND        Set the current auditing condition.  *data must point to
                       a long value containing the new audit condition, one of
                       AUC_AUDITING, AUC_NOAUDIT, or AUC_DISABLED.
 
      A_SETCLASS       Set the event class preselection mask for an audit
                       event.  *data must point to a au_evclass_map_t structure
                       containing the audit event and mask.
 
      A_SETPMASK       Set the preselection masks for a process.  *data must
                       point to a auditpinfo_t structure that contains the
                       given process’s audit preselection masks for both suc‐
                       cess and failure.
 
      A_SETFSIZE       Set the maximum size of the audit log file.  *data must
                       point to a au_fstat_t structure with the af_filesz field
                       set to the maximum audit log file size. A value of 0
                       indicates no limit to the size.
 
      A_SETKAUDIT      Return ENOSYS.
 
      A_GETCLASS       Return the event to class mapping for the designated
                       audit event.  *data must point to a au_evclass_map_t
                       structure.
 
      A_GETKAUDIT      Return ENOSYS.
 
      A_GETPINFO       Return the audit settings for a process.  *data must
                       point to a auditpinfo_t structure which will be set to
                       contain the audit ID, preselection mask, terminal ID,
                       and audit session ID of the given process.
 
      A_GETPINFO_ADDR  Return ENOSYS.
 
      A_GETKMASK       Return the current kernel preselection masks.  *data
                       must point to a au_mask_t structure which will be set to
                       the current kernel preselection masks for non-
                       attributable events.
 
      A_GETPOLICY      Return the current audit policy setting.  *data must
                       point to a long value which will be set to one of the
                       current audit policy flags.  Currently, only AUDIT_CNT
                       and AUDIT_AHLT are implemented.
 
      A_GETQCTRL       Return the current kernel audit queue control parame‐
                       ters.  *data must point to a au_qctrl_t structure which
                       will be set to the current kernel audit queue control
                       parameters.
 
      A_GETFSIZE       Returns the maximum size of the audit log file.  *data
                       must point to a au_fstat_t structure. The af_filesz
                       field will be set to the maximum audit log file size.  A
                       value of 0 indicates no limit to the size.  The
                       af_currsz will be set to the current audit log file
                       size.
 
      A_GETCWD         Return ENOSYS.
 
      A_GETCAR         Return ENOSYS.
 
      A_GETSTAT        Return ENOSYS.
 
      A_GETCOND        Return the current auditing condition.  *data must point
                       to a long value which will be set to the current audit
                       condition, either AUC_AUDITING or AUC_NOAUDIT.
 
      A_SENDTRIGGER    Send a trigger to the audit daemon.  *data must point to
                       a long value set to one of the acceptable trigger val‐
                       ues: AUDIT_TRIGGER_LOW_SPACE (low disk space where the
                       audit log resides), AUDIT_TRIGGER_OPEN_NEW (open a new
                       audit log file), AUDIT_TRIGGER_READ_FILE (read the
                       audit_control file), AUDIT_TRIGGER_CLOSE_AND_DIE (close
                       the current log file and exit), or
                       AUDIT_TRIGGER_NO_SPACE (no disk space left for audit log
                       file).
      Upon successful completion, the value 0 is returned; otherwise the
      value -1 is returned and the global variable errno is set to indicate the
      error.
 

ERRORS

      The auditon() function will fail if:
 
      [ENOSYS]           Returned by options not yet implemented.
 
      [EFAULT]           A failure occurred while data transferred to or from
                         the kernel failed.
 
      [EINVAL]           Illegal argument was passed by a system call.
 
      [EPERM]            The process does not have sufficient permission to
                         complete the operation.
 
      The A_SENDTRIGGER command is specific to the FreeBSD and Mac OS X imple‐
      mentations, and is not present in Solaris.
      audit(2), auditctl(2), getauid(2), setauid(2), getaudit(2), setaudit(2),
      getaudit_addr(2), setaudit_addr(2), libbsm(3)
 

AUTHORS

      This software was created by McAfee Research, the security research divi‐
      sion of McAfee, Inc., under contract to Apple Computer Inc.  Additional
      authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
 
      The Basic Security Module (BSM) interface to audit records and audit
      event stream format were defined by Sun Microsystems.
 
      This manual page was written by Tom Rhodes 〈trhodes@FreeBSD.org〉,
      Robert Watson 〈rwatson@FreeBSD.org〉, and
      Wayne Salamon 〈wsalamon@FreeBSD.org〉.
 

HISTORY

      The OpenBSM implementation was created by McAfee Research, the security
      division of McAfee Inc., under contract to Apple Computer Inc. in 2003.
      It was subsequently adopted by the TrustedBSD Project as the foundation
      for the OpenBSM distribution.
 

Sections

Based on BSD UNIX
FreeBSD is an advanced operating system for x86 compatible (including Pentium and Athlon), amd64 compatible (including Opteron, Athlon64, and EM64T), UltraSPARC, IA-64, PC-98 and ARM architectures. It is derived from BSD, the version of UNIX developed at the University of California, Berkeley. It is developed and maintained by a large team of individuals. Additional platforms are in various stages of development.