auditon(2)                       System Calls                       auditon(2)

NAME

       auditon - manipulate auditing

SYNOPSIS

       cc [ flag... ] file... -lbsm  -lsocket   -lnsl  [ library... ]
       #include <sys/param.h>
       #include <bsm/libbsm.h>

       int auditon(int cmd, caddr_t data, int length);

DESCRIPTION

       The auditon() function performs various audit subsystem control
       operations. The cmd argument designates the particular audit control
       command. The data argument is a pointer to command-specific data. The
       length argument is the length in bytes of the command-specific data.

       The following commands are supported:

       A_GETCOND

           Return the system audit on/off/disabled condition in the integer
           pointed to by data. The following values can be returned:

           AUC_AUDITING    Auditing has been turned on.

           AUC_DISABLED    Auditing system has not been enabled.

           AUC_NOAUDIT     Auditing has been turned off.

           AUC_NOSPACE     Auditing has blocked due to lack of space in audit
                           partition.

       A_SETCOND

           Set the system's audit on/off condition to the value in the integer
           pointed to by data. The Solaris Audit subsystem must be enabled by
           bsmconv(1M) before auditing can be turned on. The following audit
           states can be set:

           AUC_AUDITING    Turns on audit record generation.

           AUC_NOAUDIT     Turns off audit record generation.

       A_GETCLASS

           Return the event to class mapping for the designated audit event.
           The data argument points to the au_evclass_map structure containing
           the event number. The preselection class mask is returned in the
           same structure.

       A_SETCLASS

           Set the event class preselection mask for the designated audit
           event. The data argument points to the au_evclass_map structure
           containing the event number and class mask.

       A_GETKMASK

           Return the kernel preselection mask in the au_mask structure
           pointed to by data. This is the mask used to preselect
           non-attributable audit events.

       A_SETKMASK

           Set the kernel preselection mask. The data argument points to the
           au_mask structure containing the class mask. This is the mask used
           to preselect non-attributable audit events.

       A_GETPINFO

           Return the audit ID, preselection mask, terminal ID and audit
           session ID of the specified process in the auditpinfo structure
           pointed to by data.

           Note that A_GETPINFO can fail if the terminal ID contains a network
           address longer than 32 bits. In this case, the A_GETPINFO_ADDR
           command should be used.

       A_GETPINFO_ADDR

           Returns the audit ID, preselection mask, terminal ID and audit
           session ID of the specified process in the auditpinfo_addr
           structure pointed to by data.

       A_SETPMASK

           Set the preselection mask of the specified process. The data
           argument points to the auditpinfo structure containing the process
           ID and the preselection mask. The other fields of the structure
           are ignored and should be set to NULL.

       A_SETUMASK

           Set the preselection mask for all processes with the specified
           audit ID. The data argument points to the auditinfo structure
           containing the audit ID and the preselection mask. The other fields
           of the structure are ignored and should be set to NULL.

       A_SETSMASK

           Set the preselection mask for all processes with the specified
           audit session ID. The data argument points to the auditinfo
           structure containing the audit session ID and the preselection
           mask. The other fields of the structure are ignored and should be
           set to NULL.

       A_GETQCTRL

           Return the kernel audit queue control parameters. These control the
           high and low water marks of the number of audit records allowed in
           the audit queue. The high water mark is the maximum allowed number
           of undelivered audit records. The low water mark determines when
           threads blocked on the queue are wakened. Another parameter
           controls the size of the data buffer used to write data to the
           audit trail. There is also a parameter that specifies a maximum
           delay before data is attempted to be written to the audit trail.
           The audit queue parameters are returned in the au_qctrl structure
           pointed to by data.

       A_SETQCTRL

           Set the kernel audit queue control parameters as described above in
           the A_GETQCTRL command. The data argument points to the au_qctrl
           structure containing the audit queue control parameters. The
           default and maximum values 'A/B' for the audit queue control
           parameters are:

           high water            100/10000 (audit records)

           low water             10/1024 (audit records)

           output buffer size    1024/1048576 (bytes)

           delay                 20/20000 (hundredths second)

       A_GETCWD

           Return the current working directory as kept by the audit
           subsystem. This is a path anchored on the real root, rather than on
           the active root. The data argument points to a buffer into which
           the path is copied. The length argument is the length of the
           buffer.

       A_GETCAR

           Return the current active root as kept by the audit subsystem. This
           path can be used to anchor an absolute path for a path token
           generated by an application. The data argument points to a buffer
           into which the path is copied. The length argument is the length of
           the buffer.

       A_GETSTAT

           Return the system audit statistics in the audit_stat structure
           pointed to by data.

       A_SETSTAT

           Reset system audit statistics values. The kernel statistics value
           is reset if the corresponding field in the statistics structure
           pointed to by the data argument is CLEAR_VAL. Otherwise, the value
           is not changed.

       A_GETPOLICY

           Return the audit policy flags in the integer pointed to by data.

       A_SETPOLICY

           Set the audit policy flags to the values in the integer pointed to
           by data. The following policy flags are recognized:

           AUDIT_CNT

               Do not suspend processes when audit storage is full or
               inaccessible. The default action is to suspend processes until
               storage becomes available.

           AUDIT_AHLT

               Halt the machine when a non-attributable audit record can not
               be delivered. The default action is to count the number of
               events that could not be recorded.

           AUDIT_ARGV

               Include in the audit record the argument list for a member of
               the exec(2) family of functions. The default action is not to
               include this information.

           AUDIT_ARGE

               Include the environment variables for the execv(2) function in
               the audit record. The default action is not to include this
               information.

           AUDIT_SEQ

               Add a sequence token to each audit record. The default action
               is not to include it.

           AUDIT_TRAIL

               Append a trailer token to each audit record. The default action
               is not to include it.

           AUDIT_GROUP

               Include the supplementary groups list in audit records. The
               default action is not to include it.

           AUDIT_PATH

               Include secondary paths in audit records. Examples of secondary
               paths are dynamically loaded shared library modules and the
               command shell path for executable scripts. The default action
               is to include only the primary path from the system call.

           AUDIT_WINDATA_DOWN

               Include in an audit record any downgraded data moved between
               windows. This policy is available only if the system is
               configured with Trusted Extensions. By default, this
               information is not included.

           AUDIT_WINDATA_UP

               Include in an audit record any upgraded data moved between
               windows. This policy is available only if the system is
               configured with Trusted Extensions. By default, this
               information is not included.

           AUDIT_PERZONE

               Enable auditing for each local zone. If not set, audit records
               from all zones are collected in a single log accessible in the
               global zone and certain auditconfig(1M) operations are
               disallowed. This policy can be set only from the global zone.

           AUDIT_ZONENAME

               Generate a zone ID token with each audit record.

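       The following program is an added example and is not part of this
       page or of the Solaris sources. It ties the A_GETCOND, A_GETPOLICY and
       A_GETQCTRL commands described above together into a read-only audit
       health check of the kind an operator or detection engineer would run:
       it decodes the audit condition, reports policy settings that weaken the
       audit trail (AUDIT_CNT set, AUDIT_ARGV or AUDIT_SEQ clear), and checks
       queue control values against the maxima listed under A_SETQCTRL. The
       helper names (audit_cond_name, audit_policy_findings,
       audit_qctrl_check), the Q_* result codes and the "non-zero" and "low
       water below high water" rules are the example's own. The auditon()
       calls compile only under __sun; on other hosts the constants are
       supplied by fallback definitions that are assumed to match
       <bsm/audit.h>, and main() runs the helpers on constructed values.

```c
/* Added example, not from the auditon(2) page or the Solaris sources: a
 * read-only audit health check using A_GETCOND, A_GETPOLICY and A_GETQCTRL.
 * The helpers are pure functions; the auditon() calls compile only on
 * Solaris (__sun), elsewhere main() feeds the helpers constructed values. */
#include <stdio.h>
#include <string.h>

#ifdef __sun
#include <sys/param.h>
#include <bsm/libbsm.h>
#else
/* Fallbacks so this compiles off Solaris; they are assumed to mirror
 * <bsm/audit.h>.  On Solaris the real header above is used instead. */
#define AUC_DISABLED  (-1)
#define AUC_AUDITING  1
#define AUC_NOAUDIT   2
#define AUC_NOSPACE   3
#define AUDIT_CNT     0x0001
#define AUDIT_ARGV    0x0004
#define AUDIT_SEQ     0x0020
#define AUDIT_TRAIL   0x0200
#endif

/* Result codes of audit_qctrl_check (this example's own). */
enum { Q_BAD_HIGH = 1, Q_BAD_LOW = 2, Q_BAD_BUFSZ = 4, Q_BAD_DELAY = 8, Q_LOW_GE_HIGH = 16 };

/* Human-readable name for an A_GETCOND result. */
const char *audit_cond_name(int cond)
{
    switch (cond) {
    case AUC_AUDITING: return "auditing";
    case AUC_NOAUDIT:  return "off";
    case AUC_DISABLED: return "disabled";
    case AUC_NOSPACE:  return "blocked (no space)";
    default:           return "unknown";
    }
}

/* Review an A_GETPOLICY value from a detection standpoint: prints each
 * finding when verbose is non-zero and returns the number of findings. */
int audit_policy_findings(int policy, int verbose)
{
    static const struct { int flag, want_set; const char *msg; } rules[] = {
        { AUDIT_CNT,  0, "AUDIT_CNT set: processes keep running when audit "
                         "storage is full, so records can be lost" },
        { AUDIT_ARGV, 1, "AUDIT_ARGV clear: exec(2) argument lists not recorded" },
        { AUDIT_SEQ,  1, "AUDIT_SEQ clear: no sequence token, gaps harder to spot" },
    };
    int i, n = 0;
    for (i = 0; i < (int)(sizeof rules / sizeof rules[0]); i++) {
        int set = (policy & rules[i].flag) != 0;
        if (set != rules[i].want_set) {
            n++;
            if (verbose) printf("  %s\n", rules[i].msg);
        }
    }
    return n;
}

/* Check proposed A_SETQCTRL values against the maxima the page documents
 * (10000 / 1024 / 1048576 / 20000).  Returns 0 when all are in range, else an
 * OR of Q_* codes.  Non-zero and low < high are this example's own rules. */
int audit_qctrl_check(unsigned long hi, unsigned long lo, unsigned long bufsz, long delay)
{
    int bad = 0;
    if (hi == 0 || hi > 10000UL)        bad |= Q_BAD_HIGH;
    if (lo == 0 || lo > 1024UL)         bad |= Q_BAD_LOW;
    if (bufsz == 0 || bufsz > 1048576UL) bad |= Q_BAD_BUFSZ;
    if (delay <= 0 || delay > 20000L)   bad |= Q_BAD_DELAY;
    if (lo >= hi)                       bad |= Q_LOW_GE_HIGH;
    return bad;
}

int main(void)
{
    int cond, policy, bad;
    unsigned long hi, lo, bufsz;
    long delay;
#ifdef __sun
    /* Live query; needs PRIV_SYS_AUDIT or PRIV_PROC_AUDIT (see ERRORS). */
    struct au_qctrl q;
    if (auditon(A_GETCOND, (caddr_t)&cond, sizeof cond) == -1 ||
        auditon(A_GETPOLICY, (caddr_t)&policy, sizeof policy) == -1 ||
        auditon(A_GETQCTRL, (caddr_t)&q, sizeof q) == -1) {
        perror("auditon");   /* EPERM: the calling process lacks the privilege */
        return 1;
    }
    hi = q.aq_hiwater; lo = q.aq_lowater; bufsz = q.aq_bufsz; delay = q.aq_delay;
#else
    cond = AUC_AUDITING; policy = AUDIT_CNT | AUDIT_TRAIL;   /* constructed */
    hi = 100; lo = 10; bufsz = 1024; delay = 20;             /* page defaults */
#endif
    printf("audit condition: %s\npolicy findings:\n", audit_cond_name(cond));
    if (audit_policy_findings(policy, 1) == 0) printf("  none\n");
    bad = audit_qctrl_check(hi, lo, bufsz, delay);
    printf("queue parameters %s (mask 0x%x)\n",
           bad ? "out of documented range" : "within documented range", bad);
    return 0;
}
```

       On Solaris, build with the cc line from SYNOPSIS (-lbsm -lsocket -lnsl)
       and run it as a process holding PRIV_SYS_AUDIT or PRIV_PROC_AUDIT;
       without that privilege the first auditon() call fails with EPERM, as
       the ERRORS section describes. Validating values with audit_qctrl_check
       before issuing A_SETQCTRL turns a kernel EINVAL into a readable report
       of which parameter is out of range.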

RETURN VALUES

       Upon successful completion, auditon() returns 0. Otherwise, −1 is
       returned and errno is set to indicate the error.

ERRORS

       The auditon() function will fail if:

       E2BIG     The length field for the command was too small to hold the
                 returned value.

       EFAULT    The copy of data to/from the kernel failed.

       EINVAL    One of the arguments was illegal, Solaris Audit has not been
                 installed, or the operation is not valid from a local zone.

       EPERM     The {PRIV_SYS_AUDIT} privilege is not asserted in the
                 effective set of the calling process.

                 Neither the {PRIV_PROC_AUDIT} nor the {PRIV_SYS_AUDIT}
                 privilege is asserted in the effective set of the calling
                 process and the command is one of A_GETCAR, A_GETCLASS,
                 A_GETCOND, A_GETCWD, A_GETPINFO, A_GETPOLICY.


USAGE

       The auditon() function can be invoked only by processes with
       appropriate privileges.

       The use of auditon() to change system audit state is permitted only in
       the global zone. From any other zone auditon() returns −1 with errno
       set to EPERM. The following auditon() commands are permitted only in
       the global zone: A_SETCOND, A_SETCLASS, A_SETKMASK, A_SETQCTRL,
       A_SETSTAT, A_SETFSIZE, and A_SETPOLICY. All other auditon() commands
       are valid from any zone.


ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Committed                    │
       ├─────────────────────────────┼─────────────────────────────┤
       │MT-Level                     │MT-Safe                      │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       auditconfig(1M), auditd(1M), bsmconv(1M), audit(2), exec(2),
       audit.log(4), attributes(5), privileges(5)


NOTES

       The functionality described in this man page is available only if
       Solaris Auditing has been enabled. See bsmconv(1M) for more
       information.

       The auditon options that modify or display process-based information
       are not affected by the "perzone" audit policy. Those that modify
       system audit data such as the terminal ID and audit queue parameters
       are valid only in the global zone unless the "perzone" policy is set.
       The "get" options for system audit data reflect the local zone if
       "perzone" is set; otherwise they reflect the settings of the global
       zone.

SunOS 5.11                        6 Apr 2009                        auditon(2)