System Administration Commands auditconfig(1M)
NAME
auditconfig - configure auditing
SYNOPSIS
auditconfig option...
DESCRIPTION
auditconfig provides a command line interface to get and set kernel audit parameters.
This functionality is available only if the Solaris Auditing feature has been enabled. See bsmconv(1M) for more information.
The setting of the perzone policy determines the scope of the audit setting controlled by auditconfig. If perzone is set, then the values reflect the local zone except as noted. Otherwise, the settings are for the entire system. Any restriction based on the perzone setting is noted for each option to which it applies.
A non-global zone administrator can set all audit policy
options except perzone and ahlt. perzone and ahlt apply only
to the global zone; setting these policies requires the
privileges of a global zone administrator. perzone and ahlt
are described under the -setpolicy option, below.
OPTIONS
-aconf
Set the non-attributable audit mask from the audit_control(4) file. For example:
# auditconfig -aconf
Configured non-attributable events.
-audit event sorf retval string
This command constructs an audit record for audit event event using the process's audit characteristics containing a text token string. The return token is constructed from the sorf (success/failure flag) and the retval (return value). The event is type char *, the sorf is 0/1 for success/failure, retval is an errno value, string is type char *. This command is useful for constructing an audit record with a shell script. An example of this option:
# auditconfig -audit AUE_ftpd 0 0 "test string"
#
audit record from audit trail:
header,76,2,ftp access,,Fri Dec 08 08:44:02 2000, + 669 msec
subject,abc,root,other,root,other,104449,102336,235 197121 elbow
text,test string
return,success,0
SunOS 5.11 Last change: 9 Jan 2009 1
-chkaconf
Checks the configuration of the non-attributable events set in the kernel against the entries in audit_control(4). If the runtime class mask of a kernel audit event does not match the configured class mask, a mismatch is reported.
-chkconf
Check the configuration of kernel audit event to class
mappings. If the runtime class mask of a kernel audit
event does not match the configured class mask, a
mismatch is reported.
-conf
Configure kernel audit event to class mappings. Runtime
class mappings are changed to match those in the audit
event to class database file.
-getasid
Prints the audit session ID of the current process. For
example:
# auditconfig -getasid
audit session id = 102336
-getaudit
Returns the audit characteristics of the current process.
# auditconfig -getaudit
audit id = abc(666)
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
audit session id = 102336
-getauid
Prints the audit ID of the current process. For example:
# auditconfig -getauid
audit id = abc(666)
-getcar
Prints current active root location (anchored from root
[or local zone root] at system boot). For example:
# auditconfig -getcar
current active root = /
-getclass event
Display the preselection mask associated with the specified kernel audit event. event is the kernel event number or event name.
-getcond
Display the kernel audit condition. The condition displayed is the literal string auditing, meaning auditing is enabled and turned on (the kernel audit module is constructing and queuing audit records); noaudit, meaning auditing is enabled but turned off (the kernel audit module is not constructing and queuing audit records); disabled, meaning that the audit module has not been enabled; or nospace, meaning there is no space for saving audit records. See auditon(2) and auditd(1M) for further information.
-getestate event
For the specified event (string or event number), print
out classes event has been assigned. For example:
# auditconfig -getestate 20
audit class mask for event AUE_REBOOT(20) = 0x800
# auditconfig -getestate AUE_RENAME
audit class mask for event AUE_RENAME(42) = 0x30
-getkaudit
Get audit characteristics of the current zone. For example:
# auditconfig -getkaudit
audit id = unknown(-2)
process preselection mask = lo,na(0x1400,0x1400)
terminal id (maj,min,host) = 0,0,(0.0.0.0)
audit session id = 0
If the audit policy perzone is not set, the terminal id is that of the global zone. Otherwise, it is the terminal id of the local zone.
-getkmask
Get non-attributable pre-selection mask for the current
zone. For example:
# auditconfig -getkmask
audit flags for non-attributable events = lo,na(0x1400,0x1400)
If the audit policy perzone is not set, the kernel mask
is that of the global zone. Otherwise, it is that of the
local zone.
-getpinfo pid
Display the audit ID, preselection mask, terminal ID,
and audit session ID for the specified process.
-getpolicy
Display the kernel audit policy. The ahlt and perzone
policies reflect the settings from the global zone. If
perzone is set, all other policies reflect the local
zone's settings. If perzone is not set, the policies are
machine-wide.
-getcwd
Prints current working directory (anchored from zone
root at system boot). For example:
# cd /usr/tmp
# auditconfig -getcwd
current working directory = /var/tmp
-getqbufsz
Get audit queue write buffer size. For example:
# auditconfig -getqbufsz
audit queue buffer size (bytes) = 1024
-getqctrl
Get audit queue write buffer size, audit queue hiwater mark, audit queue lowater mark, audit queue prod interval (ticks).
# auditconfig -getqctrl
audit queue hiwater mark (records) = 100
audit queue lowater mark (records) = 10
audit queue buffer size (bytes) = 1024
audit queue delay (ticks) = 20
-getqdelay
Get interval at which audit queue is prodded to start
output. For example:
# auditconfig -getqdelay
audit queue delay (ticks) = 20
-getqhiwater
Get high water point in undelivered audit records when
audit generation will block. For example:
# ./auditconfig -getqhiwater
audit queue hiwater mark (records) = 100
-getqlowater
Get low water point in undelivered audit records where
blocked processes will resume. For example:
# auditconfig -getqlowater
audit queue lowater mark (records) = 10
-getstat
Print current audit statistics information. For example:
# auditconfig -getstat
gen nona kern aud ctl enq wrtn wblk rblk drop tot mem
910 1 725 184 0 910 910 0 231 0 88 48
See auditstat(1M) for a description of the headings in
-getstat output.
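As an added example (not part of the auditconfig(1M) page), the following POSIX shell functions parse the two-line -getstat table shown above and flag the counters that indicate audit-record loss: a non-zero drop column means records were discarded (what the cnt policy permits), and a non-zero wblk column means writers were blocked at the queue high-water mark. The column meanings used here are as assumed from auditstat(1M); both sample tables are constructed, the first copied from the output above and the second altered to show drops and blocking.

```shell
#!/bin/sh
# Added example, not code from the auditconfig(1M) man page.
# Parses the two-line table printed by `auditconfig -getstat` and warns on
# counters that indicate lost or stalled audit records. Column meanings
# (drop = records dropped, wblk = writer blocked) are as assumed from
# auditstat(1M).

# Constructed sample: copied from the -getstat output shown in the man page.
SAMPLE_STAT='gen nona kern aud ctl enq wrtn wblk rblk drop tot mem
910 1 725 184 0 910 910 0 231 0 88 48'

# Constructed sample: same layout, altered to show dropped records and
# blocked writers.
SAMPLE_STAT_LOSSY='gen nona kern aud ctl enq wrtn wblk rblk drop tot mem
4210 3 3900 302 0 4170 4100 12 231 40 402 96'

# stat_field TABLE HEADING
# Prints the value under HEADING; prints nothing if HEADING is absent.
stat_field() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        NR == 2 { if (want in col) print $(col[want]); exit }'
}

# audit_stat_check TABLE
# Prints one WARN line per problem; returns 0 only when no records were
# dropped and no writer blocking was recorded.
audit_stat_check() {
    table=$1
    rc=0
    drop=$(stat_field "$table" drop)
    wblk=$(stat_field "$table" wblk)
    if [ "${drop:-0}" -gt 0 ]; then
        echo "WARN: $drop audit records dropped (cnt policy discards under pressure)"
        rc=1
    fi
    if [ "${wblk:-0}" -gt 0 ]; then
        echo "WARN: audit writers blocked $wblk times (queue reached hiwater mark)"
        rc=1
    fi
    return $rc
}

# Stand-alone demo. On a Solaris host, replace the samples with
# "$(auditconfig -getstat)".
audit_stat_check "$SAMPLE_STAT" && echo "sample 1: no loss recorded"
audit_stat_check "$SAMPLE_STAT_LOSSY" || echo "sample 2: problems found"
```

Run from cron or a monitoring agent, the non-zero return of audit_stat_check is the signal to watch: a growing drop count means the trail has gaps that -setpolicy -cnt (blocking) or a larger queue would have prevented.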
-gettid
Print audit terminal ID for current process. For example:
# auditconfig -gettid
terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
-lsevent
Display the currently configured (runtime) kernel and
user level audit event information.
-lspolicy
Display the kernel audit policies with a description of
each policy.
-setasid session-ID [cmd]
Execute shell or cmd with specified session-ID. For
example:
# ./auditconfig -setasid 2000 /bin/ksh
#
# ./auditconfig -getpinfo 104485
audit id = abc(666)
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
audit session id = 2000
-setaudit audit-ID preselectflags term-ID session-ID [cmd]
Execute shell or cmd with the specified audit characteristics.
-setauid audit-ID [cmd]
Execute shell or cmd with the specified audit-ID.
-setclass event auditflag[,auditflag ...]
Map the kernel event event to the classes specified by auditflags. event is an event number or name. An auditflag is a two character string representing an audit class. See audit_control(4) for further information. If perzone is not set, this option is valid only in the global zone.
-setkaudit IP-addresstype IPaddress
Set IP address of machine to specified values. IP-addresstype is ipv6 or ipv4.
If perzone is not set, this option is valid only in the
global zone.
-setkmask auditflags
Set the non-attributable preselection flags of the machine.
If perzone is not set, this option is valid only in the
global zone.
-setpmask pid flags
Set the preselection mask of the specified process.
flags is the ASCII representation of the flags similar to that in audit_control(4).
If perzone is not set, this option is valid only in the
global zone.
-setpolicy [+|-]policyflag[,policyflag ...]
Set the kernel audit policy. A policyflag is a literal string that denotes an audit policy. A prefix of + adds the policies specified to the current audit policies. A prefix of - removes the policies specified from the current audit policies. No policies can be set from a local zone unless the perzone policy is first set from the global zone. The following are the valid policy flag strings (auditconfig -lspolicy also lists the current valid audit policy flag strings):
all Include all policies that apply to the
current zone.
ahlt Halt the machine if an asynchronous audit event occurs that cannot be delivered because the audit queue has reached the high-water mark or because there are insufficient resources to construct an audit record. By default, records are dropped and a count is kept of the number of dropped records.
arge Include the execv(2) system call
environment arguments to the audit
record. This information is not included
by default.
argv Include the execv(2) system call parameter arguments to the audit record. This information is not included by default.
cnt Do not suspend processes when audit resources are exhausted. Instead, drop audit records and keep a count of the number of records dropped. By default, processes are suspended until audit resources become available.
group Include the supplementary group token in
audit records. By default, the group
token is not included.
none Include no policies. If used in other than the global zone, the ahlt and perzone policies are not changed.
path Add secondary path tokens to audit record. These are typically the pathnames of dynamically linked shared libraries or command interpreters for shell scripts. By default, they are not included.
perzone Maintain separate configuration, queues,
and logs for each zone and execute a
separate version of auditd(1M) for each
zone.
public Audit public files. By default, read-type operations are not audited for certain files which meet public characteristics: owned by root, readable by all, and not writable by all.
trail Include the trailer token in every audit
record. By default, the trailer token is
not included.
seq Include the sequence token as part of
every audit record. By default, the
sequence token is not included. The
sequence token attaches a sequence
number to every audit record.
windatadown Include in an audit record any downgraded data moved between windows. This policy is available only if the system is configured with Trusted Extensions. By default, this information is not included.
windataup Include in an audit record any upgraded data moved between windows. This policy is available only if the system is configured with Trusted Extensions. By default, this information is not included.
zonename Include the zonename token as part of
every audit record. By default, the
zonename token is not included. The
zonename token gives the name of the
zone from which the audit record was
generated.
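As an added example (not the man page's own code), the following POSIX shell function models the prefix rules described under -setpolicy so an administrator can see what a given -setpolicy argument would leave in effect before running it: a + prefix adds flags to the current set, a - prefix removes them, and a bare list replaces the set. It takes the current list as the text after "audit policies = " in -getpolicy output (that output format is an assumption), rejects flag names not in the list above, and prints the resulting list, or none when it is empty. The all flag is passed through unexpanded, since which policies it covers depends on the zone.

```shell
#!/bin/sh
# Added example, not code from the auditconfig(1M) man page.
# Dry-run planner for `auditconfig -setpolicy`: applies the +/-/replace
# prefix rules to a comma-separated policy list and prints the result.
# The "audit policies = ..." line format of -getpolicy is an assumption.

# Policy flag names documented under -setpolicy.
KNOWN_POLICIES="all ahlt arge argv cnt group none path perzone public trail seq windatadown windataup zonename"

# policy_known NAME -> returns 0 when NAME is a documented flag.
policy_known() {
    for p in $KNOWN_POLICIES; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# plan_policy CURRENT ARG
# CURRENT is the current comma list (e.g. "cnt,argv" or "none"), ARG is the
# argument that would be given to -setpolicy. Prints the resulting list,
# sorted, or "none" when empty. Returns 1 (message on stderr) for an
# unknown flag name.
plan_policy() {
    current=$1
    arg=$2
    case $arg in
        +*) mode=add; list=${arg#+} ;;
        -*) mode=del; list=${arg#-} ;;
        *)  mode=set; list=$arg ;;
    esac
    cur=$(printf '%s' "$current" | tr ',' ' ')
    req=$(printf '%s' "$list" | tr ',' ' ')
    for f in $req; do
        policy_known "$f" || { echo "unknown policy flag: $f" >&2; return 1; }
    done
    case $mode in
        set) result=$req ;;
        add) result="$cur $req" ;;
        del) result=
             for c in $cur; do
                 keep=1
                 for r in $req; do
                     [ "$c" = "$r" ] && keep=0
                 done
                 [ $keep -eq 1 ] && result="$result $c"
             done ;;
    esac
    # "none" is the empty set; drop it and any duplicates, then rejoin.
    out=$(printf '%s\n' $result | LC_ALL=C sort -u | sed '/^$/d;/^none$/d' | paste -sd, -)
    printf '%s\n' "${out:-none}"
}

# Stand-alone demo: current policies parsed from a constructed -getpolicy line.
CURRENT=$(printf 'audit policies = cnt,argv\n' | sed 's/^audit policies = *//')
plan_policy "$CURRENT" +arge,trail   # arge,argv,cnt,trail
plan_policy "$CURRENT" -cnt          # argv
plan_policy "$CURRENT" none          # none
```

On a live system the constructed line would be replaced by the real `auditconfig -getpolicy` output; the planner is most useful for spotting that a bare list (no prefix) silently drops policies such as cnt or argv that were previously in effect.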
-setqbufsz buffersize
Set the audit queue write buffer size (bytes).
-setqctrl hiwater lowater bufsz interval
Set the audit queue write buffer size (bytes), hiwater
audit record count, lowater audit record count, and
wakeup interval (ticks). Valid within a local zone only
if perzone is set.
-setqdelay interval
Set the audit queue wakeup interval (ticks). This determines the interval at which the kernel pokes the audit queue, to write audit records to the audit trail. Valid within a local zone only if perzone is set.
-setqhiwater hiwater
Set the number of undelivered audit records in the audit
queue at which audit record generation blocks. Valid
within a local zone only if perzone is set.
-setqlowater lowater
Set the number of undelivered audit records in the audit
queue at which blocked auditing processes unblock. Valid
within a local zone only if perzone is set.
-setsmask asid flags
Set the preselection mask of all processes with the
specified audit session ID. Valid within a local zone
only if perzone is set.
-setstat
Reset audit statistics counters. Valid within a local
zone only if perzone is set.
-setumask auid flags
Set the preselection mask of all processes with the
specified audit ID. Valid within a local zone only if
perzone is set.
EXAMPLES
Example 1 Using auditconfig
The following is an example of an auditconfig program:
#
# map kernel audit event number 10 to the "fr" audit class
#
% auditconfig -setclass 10 fr
#
# turn on inclusion of exec arguments in exec audit records
#
% auditconfig -setpolicy +argv
EXIT STATUS
0 Successful completion.
1 An error occurred.
FILES
/etc/security/audit_event Stores event definitions used in the audit system.
/etc/security/audit_class Stores class definitions used in the audit system.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE ATTRIBUTE VALUE
Availability SUNWcsu
Interface Stability Committed
SEE ALSO
audit(1M), auditd(1M), auditstat(1M), bsmconv(1M), praudit(1M), auditon(2), execv(2), audit_class(4), audit_control(4), audit_event(4), attributes(5), audit_binfile(5)
See the section on Solaris Auditing in System Administration
Guide: Security Services.
NOTES
If plugin output is selected using audit_control(4), the behavior of the system with respect to the -setpolicy +cnt and the -setqhiwater options is modified slightly. If -setpolicy +cnt is set, data will continue to be sent to the selected plugin, even though output to the binary audit log is stopped, pending the freeing of disk space. If -setpolicy -cnt is used, the blocking behavior is as described under OPTIONS, above. The value set for the queue high water mark is used within auditd as the default value for its queue limits unless overridden by means of the qsize attribute as described in audit_control(4).
The auditconfig options that modify or display process-based information are not affected by the perzone policy. Those that modify system audit data such as the terminal id and audit queue parameters are valid only in the global zone, unless the perzone policy is set. The display of a system audit reflects the local zone if perzone is set. Otherwise, it reflects the settings of the global zone.
The -setcond option has been removed. Use audit(1M) to
enable or disable auditing.
The -getfsize and -setfsize options have been removed. Use audit_binfile(5) p_fsize to set the audit file size.