auditon(2)                       System Calls                       auditon(2)

NAME
       auditon - manipulate auditing

SYNOPSIS
       cc [ flag... ] file... -lbsm -lsocket -lnsl [ library... ]
       #include <sys/param.h>
       #include <bsm/libbsm.h>

       int auditon(int cmd, caddr_t data, int length);

DESCRIPTION
       The auditon() function performs various audit subsystem control
       operations. The cmd argument designates the particular audit control
       command. The data argument is a pointer to command-specific data. The
       length argument is the length in bytes of the command-specific data.

       The following commands are supported:

       A_GETCOND
            Return the system audit on/off/disabled condition in the integer
            pointed to by data. The following values can be returned:

            AUC_AUDITING    Auditing has been turned on.

            AUC_DISABLED    Auditing system has not been enabled.

            AUC_NOAUDIT     Auditing has been turned off.

            AUC_NOSPACE     Auditing has blocked due to lack of space in
                            audit partition.

       A_SETCOND
            Set the system's audit on/off condition to the value in the
            integer pointed to by data. The Solaris Audit subsystem must be
            enabled by bsmconv(1M) before auditing can be turned on. The
            following audit states can be set:

            AUC_AUDITING    Turns on audit record generation.

            AUC_NOAUDIT     Turns off audit record generation.

       A_GETCLASS
            Return the event to class mapping for the designated audit
            event. The data argument points to the au_evclass_map structure
            containing the event number. The preselection class mask is
            returned in the same structure.

       A_SETCLASS
            Set the event class preselection mask for the designated audit
            event. The data argument points to the au_evclass_map structure
            containing the event number and class mask.

       A_GETKMASK
            Return the kernel preselection mask in the au_mask structure
            pointed to by data. This is the mask used to preselect
            non-attributable audit events.

       A_SETKMASK
            Set the kernel preselection mask. The data argument points to
            the au_mask structure containing the class mask. This is the
            mask used to preselect non-attributable audit events.

       A_GETPINFO
            Return the audit ID, preselection mask, terminal ID and audit
            session ID of the specified process in the auditpinfo structure
            pointed to by data.

            Note that A_GETPINFO can fail if the terminal ID contains a
            network address longer than 32 bits. In this case, the
            A_GETPINFO_ADDR command should be used.

       A_GETPINFO_ADDR
            Return the audit ID, preselection mask, terminal ID and audit
            session ID of the specified process in the auditpinfo_addr
            structure pointed to by data.

       A_SETPMASK
            Set the preselection mask of the specified process. The data
            argument points to the auditpinfo structure containing the
            process ID and the preselection mask. The other fields of the
            structure are ignored and should be zero-filled.

       A_SETUMASK
            Set the preselection mask for all processes with the specified
            audit ID. The data argument points to the auditinfo structure
            containing the audit ID and the preselection mask. The other
            fields of the structure are ignored and should be zero-filled.

       A_SETSMASK
            Set the preselection mask for all processes with the specified
            audit session ID. The data argument points to the auditinfo
            structure containing the audit session ID and the preselection
            mask. The other fields of the structure are ignored and should
            be zero-filled.

       A_GETQCTRL
            Return the kernel audit queue control parameters. These control
            the high and low water marks of the number of audit records
            allowed in the audit queue. The high water mark is the maximum
            allowed number of undelivered audit records. The low water mark
            determines when threads blocked on the queue are wakened. Another
            parameter controls the size of the data buffer used to write data
            to the audit trail. There is also a parameter that specifies the
            maximum delay before an attempt is made to write data to the
            audit trail. The audit queue parameters are returned in the
            au_qctrl structure pointed to by data.

       A_SETQCTRL
            Set the kernel audit queue control parameters as described above
            in the A_GETQCTRL command. The data argument points to the
            au_qctrl structure containing the audit queue control parameters.
            The default and maximum values for the audit queue control
            parameters are:

            parameter             default     maximum    unit
            high water                100       10000    audit records
            low water                  10        1024    audit records
            output buffer size       1024     1048576    bytes
            delay                      20       20000    hundredths of a second

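            The following C program is an added example; it is not part of
            this man page or of the Solaris audit code. It checks an au_qctrl
            against the default and maximum values listed above before
            calling auditon(A_SETQCTRL), so a bad value fails locally with a
            reason instead of an opaque EINVAL from the kernel. When not
            compiled on Solaris, struct au_qctrl is mirrored from the Solaris
            <bsm/audit.h> layout (field names and types are an assumption to
            verify against the target header) so the checks still compile and
            run; the A_SETQCTRL call itself runs only on Solaris and the
            wrapper returns -1 with errno set to ENOSYS elsewhere. The rule
            that the low water mark must lie below the high water mark follows
            from the description of the two marks, not from a documented
            kernel check. The function names audit_qctrl_check,
            audit_qctrl_defaults and audit_qctrl_apply are the example's own.

```c
/*
 * Added example; not from the auditon(2) man page or from Solaris.
 * Validates an au_qctrl against the default/maximum values documented for
 * A_SETQCTRL before handing it to auditon(). On Solaris the real headers are
 * used; elsewhere struct au_qctrl is mirrored from Solaris <bsm/audit.h>
 * (assumed field names and types) so the checks compile on any POSIX host,
 * and the kernel call fails with ENOSYS.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#ifdef __sun
#include <sys/param.h>
#include <bsm/libbsm.h>
#else
#include <sys/types.h>
#include <time.h>
struct au_qctrl {            /* mirror of the Solaris structure (assumed) */
	size_t  aq_hiwater;  /* max undelivered records before producers block */
	size_t  aq_lowater;  /* queue depth at which blocked threads wake */
	size_t  aq_bufsz;    /* output buffer size, bytes */
	clock_t aq_delay;    /* max delay before a write, hundredths of a second */
};
#endif

/* Default/maximum values quoted in the A_SETQCTRL description. */
#define AQ_HIWATER_DEF 100UL
#define AQ_HIWATER_MAX 10000UL
#define AQ_LOWATER_DEF 10UL
#define AQ_LOWATER_MAX 1024UL
#define AQ_BUFSZ_DEF   1024UL
#define AQ_BUFSZ_MAX   1048576UL
#define AQ_DELAY_DEF   20L
#define AQ_DELAY_MAX   20000L

/*
 * Return 0 if every parameter is non-zero and within its documented maximum
 * and the low water mark sits below the high water mark (implied by the
 * semantics of the two marks). Otherwise return -1 and copy the first
 * violated rule into 'why' when it is non-NULL.
 */
int audit_qctrl_check(const struct au_qctrl *q, char *why, size_t whylen)
{
	const char *msg = NULL;

	if (q->aq_hiwater == 0 || q->aq_hiwater > AQ_HIWATER_MAX)
		msg = "aq_hiwater out of range (1..10000 records)";
	else if (q->aq_lowater == 0 || q->aq_lowater > AQ_LOWATER_MAX)
		msg = "aq_lowater out of range (1..1024 records)";
	else if (q->aq_lowater >= q->aq_hiwater)
		msg = "aq_lowater must be below aq_hiwater";
	else if (q->aq_bufsz == 0 || q->aq_bufsz > AQ_BUFSZ_MAX)
		msg = "aq_bufsz out of range (1..1048576 bytes)";
	else if (q->aq_delay <= 0 || q->aq_delay > AQ_DELAY_MAX)
		msg = "aq_delay out of range (1..20000 hundredths of a second)";
	if (msg == NULL)
		return 0;
	if (why != NULL && whylen > 0)
		snprintf(why, whylen, "%s", msg);
	return -1;
}

/* Fill q with the documented defaults. */
void audit_qctrl_defaults(struct au_qctrl *q)
{
	q->aq_hiwater = AQ_HIWATER_DEF;
	q->aq_lowater = AQ_LOWATER_DEF;
	q->aq_bufsz = AQ_BUFSZ_DEF;
	q->aq_delay = AQ_DELAY_DEF;
}

/*
 * Validate, then apply with auditon(A_SETQCTRL). The call needs
 * PRIV_SYS_AUDIT and the global zone (or the perzone policy); EPERM and
 * EINVAL from the kernel are passed through to the caller.
 */
int audit_qctrl_apply(struct au_qctrl *q)
{
	char why[96];

	if (audit_qctrl_check(q, why, sizeof (why)) != 0) {
		fprintf(stderr, "refusing A_SETQCTRL: %s\n", why);
		errno = EINVAL;
		return -1;
	}
#ifdef __sun
	return (auditon(A_SETQCTRL, (caddr_t)q, sizeof (*q)));
#else
	errno = ENOSYS;   /* auditon(2) exists only on Solaris */
	return -1;
#endif
}

int main(void)
{
	struct au_qctrl q;

	audit_qctrl_defaults(&q);
	q.aq_hiwater = 1000;   /* absorb record bursts without blocking producers */
	if (audit_qctrl_apply(&q) != 0)
		perror("audit_qctrl_apply");
	return 0;
}
```

            Run as an unprivileged process on Solaris the program fails with
            EPERM from auditon(); from a non-global zone without the perzone
            policy the kernel refuses the command as well. Raising aq_hiwater
            lets producers keep running through a burst of events, at the cost
            of more undelivered records being lost if the system crashes
            before auditd(1M) drains the queue.
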
       A_GETCWD
            Return the current working directory as kept by the audit
            subsystem. This is a path anchored on the real root, rather than
            on the active root. The data argument points to a buffer into
            which the path is copied. The length argument is the length of
            the buffer.

       A_GETCAR
            Return the current active root as kept by the audit subsystem.
            This path can be used to anchor an absolute path for a path
            token generated by an application. The data argument points to a
            buffer into which the path is copied. The length argument is the
            length of the buffer.

       A_GETSTAT
            Return the system audit statistics in the audit_stat structure
            pointed to by data.

       A_SETSTAT
            Reset system audit statistics values. The kernel statistics
            value is reset if the corresponding field in the statistics
            structure pointed to by the data argument is CLEAR_VAL.
            Otherwise, the value is not changed.

       A_GETPOLICY
            Return the audit policy flags in the integer pointed to by data.

       A_SETPOLICY
            Set the audit policy flags to the values in the integer pointed
            to by data. The following policy flags are recognized:

            AUDIT_CNT
                 Do not suspend processes when audit storage is full or
                 inaccessible. The default action is to suspend processes
                 until storage becomes available.

            AUDIT_AHLT
                 Halt the machine when a non-attributable audit record
                 cannot be delivered. The default action is to count the
                 number of events that could not be recorded.

            AUDIT_ARGV
                 Include in the audit record the argument list for a member
                 of the exec(2) family of functions. The default action is
                 not to include this information.

            AUDIT_ARGE
                 Include the environment variables for the execv(2) function
                 in the audit record. The default action is not to include
                 this information.

            AUDIT_SEQ
                 Add a sequence token to each audit record. The default
                 action is not to include it.

            AUDIT_TRAIL
                 Append a trailer token to each audit record. The default
                 action is not to include it.

            AUDIT_GROUP
                 Include the supplementary groups list in audit records. The
                 default action is not to include it.

            AUDIT_PATH
                 Include secondary paths in audit records. Examples of
                 secondary paths are dynamically loaded shared library
                 modules and the command shell path for executable scripts.
                 The default action is to include only the primary path from
                 the system call.

            AUDIT_WINDATA_DOWN
                 Include in an audit record any downgraded data moved
                 between windows. This policy is available only if the
                 system is configured with Trusted Extensions. By default,
                 this information is not included.

            AUDIT_WINDATA_UP
                 Include in an audit record any upgraded data moved between
                 windows. This policy is available only if the system is
                 configured with Trusted Extensions. By default, this
                 information is not included.

            AUDIT_PERZONE
                 Enable auditing for each local zone. If not set, audit
                 records from all zones are collected in a single log
                 accessible in the global zone and certain auditconfig(1M)
                 operations are disallowed. This policy can be set only from
                 the global zone.

            AUDIT_ZONENAME
                 Generate a zone ID token with each audit record.

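            The following C program is an added example; it is not part of
            this man page or of the Solaris audit code. It reads the audit
            condition with A_GETCOND and the policy flags with A_GETPOLICY,
            decodes the flags into the short names auditconfig(1M) uses
            (cnt, argv, arge, ...), and reports the policy settings a
            reviewer would normally question: AUDIT_CNT trades the default
            fail-stop behaviour for silent record loss when storage fills,
            AUDIT_ARGE copies every exec'd process environment, which often
            carries credentials, into the trail, and without AUDIT_ARGV,
            AUDIT_SEQ and AUDIT_TRAIL an analyst sees neither command
            arguments nor evidence of dropped or truncated records. When not
            compiled on Solaris, the AUC_* and AUDIT_* values are mirrored
            from Solaris <bsm/audit.h> (an assumption to verify against the
            target header) so the decoding logic compiles and runs anywhere;
            the auditon() calls run only on Solaris and the fetch wrapper
            returns -1 with errno set to ENOSYS elsewhere. The function names
            audit_policy_names, audit_posture_review and audit_posture_fetch
            are the example's own.

```c
/*
 * Added example; not from the auditon(2) man page or from Solaris.
 * Reads the audit condition (A_GETCOND) and policy flags (A_GETPOLICY),
 * decodes the policy into auditconfig(1M) names and lists settings a
 * reviewer would question. On Solaris the real headers supply the
 * constants; elsewhere they are mirrored from Solaris <bsm/audit.h>
 * (assumed values) and the kernel calls fail with ENOSYS.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#ifdef __sun
#include <sys/param.h>
#include <bsm/libbsm.h>
#else
#define AUC_AUDITING          1   /* mirrored values, see note above */
#define AUDIT_CNT          0x0001
#define AUDIT_AHLT         0x0002
#define AUDIT_ARGV         0x0004
#define AUDIT_ARGE         0x0008
#define AUDIT_SEQ          0x0010
#define AUDIT_GROUP        0x0080
#define AUDIT_TRAIL        0x0100
#define AUDIT_PATH         0x0200
#define AUDIT_ZONENAME     0x1000
#define AUDIT_PERZONE      0x2000
#define AUDIT_WINDATA_DOWN 0x4000
#define AUDIT_WINDATA_UP   0x8000
#endif

/* Flag bit and the short name auditconfig(1M) uses for it. */
static const struct { int flag; const char *name; } policy_names[] = {
	{ AUDIT_CNT, "cnt" }, { AUDIT_AHLT, "ahlt" }, { AUDIT_ARGV, "argv" },
	{ AUDIT_ARGE, "arge" }, { AUDIT_SEQ, "seq" }, { AUDIT_TRAIL, "trail" },
	{ AUDIT_GROUP, "group" }, { AUDIT_PATH, "path" },
	{ AUDIT_WINDATA_DOWN, "windata_down" }, { AUDIT_WINDATA_UP, "windata_up" },
	{ AUDIT_PERZONE, "perzone" }, { AUDIT_ZONENAME, "zonename" },
};

/* Write the set flags into buf as "cnt,argv,..." ("none" if no flag is set);
 * return the number of flags named. */
int audit_policy_names(int policy, char *buf, size_t len)
{
	size_t i, n = 0;

	buf[0] = '\0';
	for (i = 0; i < sizeof (policy_names) / sizeof (policy_names[0]); i++) {
		if (!(policy & policy_names[i].flag))
			continue;
		if (n++ > 0)
			strncat(buf, ",", len - strlen(buf) - 1);
		strncat(buf, policy_names[i].name, len - strlen(buf) - 1);
	}
	if (n == 0)
		strncat(buf, "none", len - 1);
	return (int)n;
}

/* Count posture findings for a (condition, policy) pair; print each one to
 * 'out' when it is non-NULL. The rationale for each rule is in the lead-in. */
int audit_posture_review(int cond, int policy, FILE *out)
{
	int findings = 0;
#define FINDING(c, m) do { if (c) { findings++; if (out) fprintf(out, "- %s\n", m); } } while (0)
	FINDING(cond != AUC_AUDITING, "audit record generation is not on");
	FINDING(policy & AUDIT_CNT, "cnt set: records are lost instead of processes blocking when storage is full");
	FINDING(policy & AUDIT_ARGE, "arge set: exec environments (possible secrets) are written to the trail");
	FINDING(!(policy & AUDIT_ARGV), "argv unset: exec records omit command arguments");
	FINDING(!(policy & AUDIT_SEQ), "seq unset: dropped records leave no sequence gap to detect");
	FINDING(!(policy & AUDIT_TRAIL), "trail unset: truncated records carry no trailer to detect");
#undef FINDING
	return findings;
}

/* Fetch cond and policy; needs PRIV_PROC_AUDIT or PRIV_SYS_AUDIT on Solaris. */
int audit_posture_fetch(int *cond, int *policy)
{
#ifdef __sun
	if (auditon(A_GETCOND, (caddr_t)cond, sizeof (*cond)) != 0)
		return -1;
	return (auditon(A_GETPOLICY, (caddr_t)policy, sizeof (*policy)));
#else
	(void)cond; (void)policy;
	errno = ENOSYS;   /* auditon(2) exists only on Solaris */
	return -1;
#endif
}

int main(void)
{
	int cond, policy;
	char names[160];

	if (audit_posture_fetch(&cond, &policy) != 0) {
		perror("auditon");
		return 1;
	}
	audit_policy_names(policy, names, sizeof (names));
	printf("policy: %s\n", names);
	return audit_posture_review(cond, policy, stdout) > 0 ? 2 : 0;
}
```

            The exit status is 2 when any finding is reported, so the program
            can gate a build or configuration check. The "get" commands used
            here need only PRIV_PROC_AUDIT, so the review can run from an
            ordinary audit-role process; changing the flags with A_SETPOLICY
            needs PRIV_SYS_AUDIT and the global zone.
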
RETURN VALUES
       Upon successful completion, auditon() returns 0. Otherwise, -1 is
       returned and errno is set to indicate the error.

ERRORS
       The auditon() function will fail if:

       E2BIG     The length field for the command was too small to hold the
                 returned value.

       EFAULT    The copy of data to/from the kernel failed.

       EINVAL    One of the arguments was illegal, Solaris Audit has not been
                 installed, or the operation is not valid from a local zone.

       EPERM     The {PRIV_SYS_AUDIT} privilege is not asserted in the
                 effective set of the calling process.

                 Neither the {PRIV_PROC_AUDIT} nor the {PRIV_SYS_AUDIT}
                 privilege is asserted in the effective set of the calling
                 process and the command is one of A_GETCAR, A_GETCLASS,
                 A_GETCOND, A_GETCWD, A_GETPINFO, A_GETPOLICY.

USAGE
       The auditon() function can be invoked only by processes with
       appropriate privileges.

       The use of auditon() to change system audit state is permitted only
       in the global zone. From any other zone auditon() returns -1 with
       errno set to EPERM. The following auditon() commands are permitted
       only in the global zone: A_SETCOND, A_SETCLASS, A_SETKMASK,
       A_SETQCTRL, A_SETSTAT, A_SETFSIZE, and A_SETPOLICY. All other
       auditon() commands are valid from any zone.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Committed                    │
       ├─────────────────────────────┼─────────────────────────────┤
       │MT-Level                     │MT-Safe                      │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       auditconfig(1M), auditd(1M), bsmconv(1M), audit(2), exec(2),
       audit.log(4), attributes(5), privileges(5)

NOTES
       The functionality described in this man page is available only if
       Solaris Auditing has been enabled. See bsmconv(1M) for more
       information.

       The auditon options that modify or display process-based information
       are not affected by the "perzone" audit policy. Those that modify
       system audit data such as the terminal ID and audit queue parameters
       are valid only in the global zone unless the "perzone" policy is set.
       The "get" options for system audit data reflect the local zone if
       "perzone" is set; otherwise they reflect the settings of the global
       zone.



SunOS 5.11                        6 Apr 2009                        auditon(2)