auditconfig(1M)        System Administration Commands        auditconfig(1M)

NAME
     auditconfig - configure auditing

SYNOPSIS
     auditconfig option...

DESCRIPTION
     auditconfig provides a command line interface to get and set kernel
     audit parameters.

     This functionality is available only if the Solaris Auditing feature
     has been enabled. See bsmconv(1M) for more information.

     The setting of the perzone policy determines the scope of the audit
     setting controlled by auditconfig. If perzone is set, then the values
     reflect the local zone except as noted. Otherwise, the settings are for
     the entire system. Any restriction based on the perzone setting is
     noted for each option to which it applies.

     A non-global zone administrator can set all audit policy options except
     perzone and ahlt. perzone and ahlt apply only to the global zone;
     setting these policies requires the privileges of a global zone
     administrator. perzone and ahlt are described under the -setpolicy
     option, below.

OPTIONS
     -aconf

          Set the non-attributable audit mask from the audit_control(4) file.
          For example:

            # auditconfig -aconf
            Configured non-attributable events.

     -audit event sorf retval string

          This command constructs an audit record for audit event event using
          the process's audit characteristics containing a text token string.
          The return token is constructed from the sorf (success/failure
          flag) and the retval (return value). The event is type char*, the
          sorf is 0/1 for success/failure, retval is an errno value, string
          is type char*. This command is useful for constructing an audit
          record with a shell script. An example of this option:

            # auditconfig -audit AUE_ftpd 0 0 "test string"
            #

          audit record from audit trail:

            header,76,2,ftp access,,Fri Dec 08 08:44:02 2000, + 669 msec
            subject,abc,root,other,root,other,104449,102336,235 197121 elbow
            text,test string
            return,success,0

     -chkaconf

          Checks the configuration of the non-attributable events set in the
          kernel against the entries in audit_control(4). If the runtime
          class mask of a kernel audit event does not match the configured
          class mask, a mismatch is reported.

     -chkconf

          Check the configuration of kernel audit event to class mappings. If
          the runtime class mask of a kernel audit event does not match the
          configured class mask, a mismatch is reported.

     -conf

          Configure kernel audit event to class mappings. Runtime class
          mappings are changed to match those in the audit event to class
          database file.

     -getasid

          Prints the audit session ID of the current process. For example:

            # auditconfig -getasid
            audit session id = 102336

     -getaudit

          Returns the audit characteristics of the current process.

            # auditconfig -getaudit
            audit id = abc(666)
            process preselection mask = lo(0x1000,0x1000)
            terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
            audit session id = 102336

     -getauid

          Prints the audit ID of the current process. For example:

            # auditconfig -getauid
            audit id = abc(666)

     -getcar

          Prints current active root location (anchored from root [or local
          zone root] at system boot). For example:

            # auditconfig -getcar
            current active root = /

     -getclass event

          Display the preselection mask associated with the specified kernel
          audit event. event is the kernel event number or event name.

     -getcond

          Display the kernel audit condition. The condition displayed is the
          literal string auditing, meaning auditing is enabled and turned on
          (the kernel audit module is constructing and queuing audit
          records); noaudit, meaning auditing is enabled but turned off (the
          kernel audit module is not constructing and queuing audit records);
          disabled, meaning that the audit module has not been enabled; or
          nospace, meaning there is no space for saving audit records. See
          auditon(2) and auditd(1M) for further information.

     -getestate event

          For the specified event (string or event number), print out the
          classes the event has been assigned. For example:

            # auditconfig -getestate 20
            audit class mask for event AUE_REBOOT(20) = 0x800
            # auditconfig -getestate AUE_RENAME
            audit class mask for event AUE_RENAME(42) = 0x30

     -getkaudit

          Get audit characteristics of the current zone. For example:

            # auditconfig -getkaudit
            audit id = unknown(-2)
            process preselection mask = lo,na(0x1400,0x1400)
            terminal id (maj,min,host) = 0,0,(0.0.0.0)
            audit session id = 0

          If the audit policy perzone is not set, the terminal id is that of
          the global zone. Otherwise, it is the terminal id of the local
          zone.

     -getkmask

          Get non-attributable pre-selection mask for the current zone. For
          example:

            # auditconfig -getkmask
            audit flags for non-attributable events = lo,na(0x1400,0x1400)

          If the audit policy perzone is not set, the kernel mask is that of
          the global zone. Otherwise, it is that of the local zone.

     -getpinfo pid

          Display the audit ID, preselection mask, terminal ID, and audit
          session ID for the specified process.

     -getpolicy

          Display the kernel audit policy. The ahlt and perzone policies
          reflect the settings from the global zone. If perzone is set, all
          other policies reflect the local zone's settings. If perzone is not
          set, the policies are machine-wide.

     -getcwd

          Prints current working directory (anchored from zone root at system
          boot). For example:

            # cd /usr/tmp
            # auditconfig -getcwd
            current working directory = /var/tmp

     -getqbufsz

          Get audit queue write buffer size. For example:

            # auditconfig -getqbufsz
            audit queue buffer size (bytes) = 1024

     -getqctrl

          Get audit queue write buffer size, audit queue hiwater mark, audit
          queue lowater mark, audit queue prod interval (ticks).

            # auditconfig -getqctrl
            audit queue hiwater mark (records) = 100
            audit queue lowater mark (records) = 10
            audit queue buffer size (bytes) = 1024
            audit queue delay (ticks) = 20

     -getqdelay

          Get interval at which audit queue is prodded to start output. For
          example:

            # auditconfig -getqdelay
            audit queue delay (ticks) = 20

     -getqhiwater

          Get high water point in undelivered audit records when audit
          generation will block. For example:

            # ./auditconfig -getqhiwater
            audit queue hiwater mark (records) = 100

     -getqlowater

          Get low water point in undelivered audit records where blocked
          processes will resume. For example:

            # auditconfig -getqlowater
            audit queue lowater mark (records) = 10

     -getstat

          Print current audit statistics information. For example:

            # auditconfig -getstat
            gen nona kern aud ctl enq wrtn wblk rblk drop tot mem
            910 1 725 184 0 910 910 0 231 0 88 48

          See auditstat(1M) for a description of the headings in -getstat
          output.
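          The -getqctrl and -getstat output formats shown above are regular
          enough to monitor from a script. The following is an added example,
          not part of this man page: a Python checker that parses constructed
          copies of both outputs and reports dropped records, writers blocked
          at the hiwater mark, and a lowater value that is not below hiwater.
          The meaning assumed for the drop and wblk columns follows
          auditstat(1M).

```python
import re

# Constructed sample: the -getstat table from the man page, with the drop
# column changed from 0 to 12 so that the check below has something to report.
GETSTAT_OUTPUT = """\
gen nona kern aud ctl enq wrtn wblk rblk drop tot mem
910 1 725 184 0 910 910 0 231 12 88 48
"""

# Constructed sample: the -getqctrl output exactly as the man page shows it.
GETQCTRL_OUTPUT = """\
audit queue hiwater mark (records) = 100
audit queue lowater mark (records) = 10
audit queue buffer size (bytes) = 1024
audit queue delay (ticks) = 20
"""

def parse_getstat(text):
    """Turn the two-line header/value table into {column: int}."""
    rows = [line.split() for line in text.strip().splitlines()]
    header, values = rows[0], rows[1]
    if len(header) != len(values):
        raise ValueError("getstat header and value rows differ in length")
    return dict(zip(header, map(int, values)))

def parse_getqctrl(text):
    """Turn the four 'audit queue ... = N' lines into a small dict."""
    names = {"hiwater mark": "hiwater", "lowater mark": "lowater",
             "buffer size": "bufsz", "delay": "delay"}
    out = {}
    for line in text.strip().splitlines():
        m = re.match(r"audit queue (.+?) \(\w+\) = (\d+)$", line)
        if m and m.group(1) in names:
            out[names[m.group(1)]] = int(m.group(2))
    return out

def audit_findings(stat, qctrl):
    """Report lost records and queue pressure as a list of strings."""
    findings = []
    if stat["drop"] > 0:
        # Dropped records were never written: a gap in the trail, not a
        # delay (see the cnt and ahlt policies under -setpolicy).
        findings.append("%d audit records dropped since the last -setstat" % stat["drop"])
    if stat["wblk"] > 0:
        # Generation blocked at the hiwater mark: auditd is not keeping up.
        findings.append("processes blocked on the audit queue %d times" % stat["wblk"])
    if qctrl["lowater"] >= qctrl["hiwater"]:
        lo, hi = qctrl["lowater"], qctrl["hiwater"]
        findings.append("lowater (%d) is not below hiwater (%d)" % (lo, hi))
    return findings
```

          On a live system the two text inputs would be the captured output of
          auditconfig -getstat and auditconfig -getqctrl.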

     -gettid

          Print audit terminal ID for current process. For example:

            # auditconfig -gettid
            terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)

     -lsevent

          Display the currently configured (runtime) kernel and user level
          audit event information.

     -lspolicy

          Display the kernel audit policies with a description of each
          policy.

     -setasid session-ID [cmd]

          Execute shell or cmd with specified session-ID. For example:

            # ./auditconfig -setasid 2000 /bin/ksh
            #
            # ./auditconfig -getpinfo 104485
            audit id = abc(666)
            process preselection mask = lo(0x1000,0x1000)
            terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
            audit session id = 2000

     -setaudit audit-ID preselect_flags term-ID session-ID [cmd]

          Execute shell or cmd with the specified audit characteristics.

     -setauid audit-ID [cmd]

          Execute shell or cmd with the specified audit-ID.

     -setclass event audit_flag[,audit_flag ...]

          Map the kernel event event to the classes specified by audit_flags.
          event is an event number or name. An audit_flag is a two character
          string representing an audit class. See audit_control(4) for
          further information. If perzone is not set, this option is valid
          only in the global zone.

     -setkaudit IP-address_type IP_address

          Set IP address of machine to specified values. IP-address_type is
          ipv6 or ipv4.

          If perzone is not set, this option is valid only in the global
          zone.

     -setkmask audit_flags

          Set the non-attributable preselection flags of the machine.

          If perzone is not set, this option is valid only in the global
          zone.

     -setpmask pid flags

          Set the preselection mask of the specified process. flags is the
          ASCII representation of the flags similar to that in
          audit_control(4).

          If perzone is not set, this option is valid only in the global
          zone.

     -setpolicy [+|-]policy_flag[,policy_flag ...]

          Set the kernel audit policy. A policy_flag is a literal string
          that denotes an audit policy. A prefix of + adds the policies
          specified to the current audit policies. A prefix of - removes
          the policies specified from the current audit policies. No policies
          can be set from a local zone unless the perzone policy is first set
          from the global zone. The following are the valid policy flag
          strings (auditconfig -lspolicy also lists the current valid audit
          policy flag strings):

          all           Include all policies that apply to the current
                        zone.

          ahlt          Panic is called and the system dumps core if an
                        asynchronous audit event occurs that cannot be
                        delivered because the audit queue has reached the
                        high-water mark or because there are insufficient
                        resources to construct an audit record. By default,
                        records are dropped and a count is kept of the
                        number of dropped records.

          arge          Include the execv(2) system call environment
                        arguments to the audit record. This information is
                        not included by default.

          argv          Include the execv(2) system call parameter
                        arguments to the audit record. This information is
                        not included by default.

          cnt           Do not suspend processes when audit resources are
                        exhausted. Instead, drop audit records and keep a
                        count of the number of records dropped. By default,
                        processes are suspended until audit resources become
                        available.

          group         Include the supplementary group token in audit
                        records. By default, the group token is not
                        included.

          none          Include no policies. If used in other than the
                        global zone, the ahlt and perzone policies are not
                        changed.

          path          Add secondary path tokens to audit record. These
                        are typically the pathnames of dynamically linked
                        shared libraries or command interpreters for shell
                        scripts. By default, they are not included.

          perzone       Maintain separate configuration, queues, and logs
                        for each zone and execute a separate version of
                        auditd(1M) for each zone.

          public        Audit public files. By default, read-type
                        operations are not audited for certain files which
                        meet public characteristics: owned by root, readable
                        by all, and not writable by all.

          trail         Include the trailer token in every audit record. By
                        default, the trailer token is not included.

          seq           Include the sequence token as part of every audit
                        record. By default, the sequence token is not
                        included. The sequence token attaches a sequence
                        number to every audit record.

          windata_down  Include in an audit record any downgraded data
                        moved between windows. This policy is available
                        only if the system is configured with Trusted
                        Extensions. By default, this information is not
                        included.

          windata_up    Include in an audit record any upgraded data moved
                        between windows. This policy is available only if
                        the system is configured with Trusted Extensions.
                        By default, this information is not included.

          zonename      Include the zonename token as part of every audit
                        record. By default, the zonename token is not
                        included. The zonename token gives the name of the
                        zone from which the audit record was generated.

     -setqbufsz buffer_size

          Set the audit queue write buffer size (bytes).

     -setqctrl hiwater lowater bufsz interval

          Set the audit queue write buffer size (bytes), hiwater audit record
          count, lowater audit record count, and wakeup interval (ticks).
          Valid within a local zone only if perzone is set.

     -setqdelay interval

          Set the audit queue wakeup interval (ticks). This determines the
          interval at which the kernel pokes the audit queue, to write audit
          records to the audit trail. Valid within a local zone only if
          perzone is set.

     -setqhiwater hiwater

          Set the number of undelivered audit records in the audit queue at
          which audit record generation blocks. Valid within a local zone
          only if perzone is set.

     -setqlowater lowater

          Set the number of undelivered audit records in the audit queue at
          which blocked auditing processes unblock. Valid within a local zone
          only if perzone is set.

     -setsmask asid flags

          Set the preselection mask of all processes with the specified audit
          session ID. Valid within a local zone only if perzone is set.

     -setstat

          Reset audit statistics counters. Valid within a local zone only if
          perzone is set.

     -setumask auid flags

          Set the preselection mask of all processes with the specified audit
          ID. Valid within a local zone only if perzone is set.

EXAMPLES
     Example 1 Using auditconfig

     The following is an example of an auditconfig program:

       #
       # map kernel audit event number 10 to the "fr" audit class
       #
       % auditconfig -setclass 10 fr

       #
       # turn on inclusion of exec arguments in exec audit records
       #
       % auditconfig -setpolicy +argv

EXIT STATUS
     0    Successful completion.

     1    An error occurred.

FILES
     /etc/security/audit_event    Stores event definitions used in the audit
                                  system.

     /etc/security/audit_class    Stores class definitions used in the audit
                                  system.

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     ┌─────────────────────────────┬─────────────────────────────┐
     │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
     ├─────────────────────────────┼─────────────────────────────┤
     │Availability                 │SUNWcsu                      │
     ├─────────────────────────────┼─────────────────────────────┤
     │Interface Stability          │Committed                    │
     └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
     audit(1M), auditd(1M), auditstat(1M), bsmconv(1M), praudit(1M),
     auditon(2), execv(2), audit_class(4), audit_control(4), audit_event(4),
     attributes(5), audit_binfile(5)

     See the section on Solaris Auditing in System Administration Guide:
     Security Services.
580
NOTES
     If plugin output is selected using audit_control(4), the behavior of
     the system with respect to the -setpolicy +cnt and the -setqhiwater
     options is modified slightly. If -setpolicy +cnt is set, data will
     continue to be sent to the selected plugin, even though output to the
     binary audit log is stopped, pending the freeing of disk space. If
     -setpolicy -cnt is used, the blocking behavior is as described under
     OPTIONS, above. The value set for the queue high water mark is used
     within auditd as the default value for its queue limits unless
     overridden by means of the qsize attribute as described in
     audit_control(4).

     The auditconfig options that modify or display process-based
     information are not affected by the perzone policy. Those that modify
     system audit data such as the terminal id and audit queue parameters
     are valid only in the global zone, unless the perzone policy is set.
     The display of a system audit reflects the local zone if perzone is
     set. Otherwise, it reflects the settings of the global zone.

     The -setcond option has been removed. Use audit(1M) to enable or
     disable auditing.

     The -getfsize and -setfsize options have been removed. Use
     audit_binfile(5) p_fsize to set the audit file size.

SunOS 5.11                      14 Sep 2009                   auditconfig(1M)