System Calls auditon(2)
NAME
auditon - manipulate auditing
SYNOPSIS
cc [ flag... ] file... -lbsm -lsocket -lnsl [ library... ]
#include
#include
int auditon(int cmd, caddr_t data, int length);
DESCRIPTION
The auditon() function performs various audit subsystem control
operations. The cmd argument designates the particular audit
control command. The data argument is a pointer to command-specific
data. The length argument is the length in bytes of the
command-specific data.
The following commands are supported:
A_GETCOND
Return the system audit on/off/disabled condition in the
integer pointed to by data. The following values can be
returned:
AUC_AUDITING Auditing has been turned on.
AUC_DISABLED Auditing system has not been enabled.
AUC_NOAUDIT Auditing has been turned off.
AUC_NOSPACE Auditing has blocked due to lack of space in the
audit partition.
A_SETCOND
Set the system's audit on/off condition to the value in
the integer pointed to by data. The BSM audit module
must be enabled by bsmconv(1M) before auditing can be
turned on. The following audit states can be set:
AUC_AUDITING Turns on audit record generation.
AUC_NOAUDIT Turns off audit record generation.
SunOS 5.11 Last change: 20 May 2008 1
A_GETCLASS
Return the event to class mapping for the designated
audit event. The data argument points to the
au_evclass_map structure containing the event number.
The preselection class mask is returned in the same
structure.
A_SETCLASS
Set the event class preselection mask for the designated
audit event. The data argument points to the
au_evclass_map structure containing the event number and
class mask.
A_GETKMASK
Return the kernel preselection mask in the au_mask
structure pointed to by data. This is the mask used to
preselect non-attributable audit events.
A_SETKMASK
Set the kernel preselection mask. The data argument
points to the au_mask structure containing the class
mask. This is the mask used to preselect
non-attributable audit events.
A_GETPINFO
Return the audit ID, preselection mask, terminal ID and
audit session ID of the specified process in the
auditpinfo structure pointed to by data.
Note that A_GETPINFO can fail if the terminal ID contains
a network address longer than 32 bits. In this case, the
A_GETPINFO_ADDR command should be used.
A_GETPINFO_ADDR
Return the audit ID, preselection mask, terminal ID and
audit session ID of the specified process in the
auditpinfo_addr structure pointed to by data.
A_SETPMASK
Set the preselection mask of the specified process. The
data argument points to the auditpinfo structure
containing the process ID and the preselection mask. The
other fields of the structure are ignored and should be
set to NULL.
A_SETUMASK
Set the preselection mask for all processes with the
specified audit ID. The data argument points to the
auditinfo structure containing the audit ID and the
preselection mask. The other fields of the structure are
ignored and should be set to NULL.
A_SETSMASK
Set the preselection mask for all processes with the
specified audit session ID. The data argument points to
the auditinfo structure containing the audit session ID
and the preselection mask. The other fields of the
structure are ignored and should be set to NULL.
A_GETQCTRL
Return the kernel audit queue control parameters. These
control the high and low water marks of the number of
audit records allowed in the audit queue. The high water
mark is the maximum allowed number of undelivered audit
records. The low water mark determines when threads
blocked on the queue are wakened. Another parameter
controls the size of the data buffer used to write data to
the audit trail. There is also a parameter that specifies
a maximum delay before data is attempted to be
written to the audit trail. The audit queue parameters
are returned in the au_qctrl structure pointed to by
data.
A_SETQCTRL
Set the kernel audit queue control parameters as
described above in the A_GETQCTRL command. The data
argument points to the au_qctrl structure containing the
audit queue control parameters. The default and maximum
values 'A/B' for the audit queue control parameters are:
high water 100/10000 (audit records)
low water 10/1024 (audit records)
output buffer size 1024/1048576 (bytes)
delay 20/20000 (hundredths second)
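As an added example (not part of the man page), a small C program that checks a set of audit queue control parameters against the A_SETQCTRL maxima in the table above before they are handed to the kernel, so a bad value is rejected in user space rather than as EINVAL. The struct qctrl_vals, the lower bounds and the aq_lowater < aq_hiwater rule are my assumptions; the qctrl_apply() part, which performs the real A_GETQCTRL/A_SETQCTRL calls, is compiled only on Solaris (__sun defined).

```c
#include <stddef.h>

/* Documented maxima from the A_SETQCTRL table (the "B" values). */
#define AQ_HIWATER_MAX 10000L    /* audit records */
#define AQ_LOWATER_MAX 1024L     /* audit records */
#define AQ_BUFSZ_MAX   1048576L  /* bytes */
#define AQ_DELAY_MAX   20000L    /* hundredths of a second */

/* Local stand-in for the four au_qctrl fields so the checker builds on
 * any system; the field names follow the Solaris header (assumption). */
struct qctrl_vals {
    long aq_hiwater;  /* max undelivered audit records               */
    long aq_lowater;  /* wake threads blocked on the queue below this */
    long aq_bufsz;    /* audit trail output buffer size, bytes       */
    long aq_delay;    /* max write delay, hundredths of a second     */
};

/* Return NULL when every value is in range, otherwise a message naming
 * the first offending field. Lower bounds and the lowater < hiwater
 * rule are sanity checks assumed here, not stated by the man page. */
const char *qctrl_check(const struct qctrl_vals *q)
{
    if (q->aq_hiwater < 1 || q->aq_hiwater > AQ_HIWATER_MAX)
        return "aq_hiwater out of range (max 10000 records)";
    if (q->aq_lowater < 1 || q->aq_lowater > AQ_LOWATER_MAX)
        return "aq_lowater out of range (max 1024 records)";
    if (q->aq_lowater >= q->aq_hiwater)
        return "aq_lowater must be below aq_hiwater";
    if (q->aq_bufsz < 1 || q->aq_bufsz > AQ_BUFSZ_MAX)
        return "aq_bufsz out of range (max 1048576 bytes)";
    if (q->aq_delay < 1 || q->aq_delay > AQ_DELAY_MAX)
        return "aq_delay out of range (max 20000 hundredths)";
    return NULL;
}

#ifdef __sun
#include <sys/param.h>
#include <bsm/audit.h>
/* Solaris only: fetch the live parameters with A_GETQCTRL and apply the
 * checked values with A_SETQCTRL (global zone, PRIV_SYS_AUDIT required). */
int qctrl_apply(const struct qctrl_vals *want)
{
    struct au_qctrl cur;
    if (qctrl_check(want) != NULL) return -1;
    if (auditon(A_GETQCTRL, (caddr_t)&cur, sizeof cur) < 0) return -1;
    cur.aq_hiwater = want->aq_hiwater; cur.aq_lowater = want->aq_lowater;
    cur.aq_bufsz = want->aq_bufsz;     cur.aq_delay = want->aq_delay;
    return auditon(A_SETQCTRL, (caddr_t)&cur, sizeof cur);
}
#endif
```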
A_GETCWD
Return the current working directory as kept by the
audit subsystem. This is a path anchored on the real
root, rather than on the active root. The data argument
points to a buffer into which the path is copied. The
length argument is the length of the buffer.
A_GETCAR
Return the current active root as kept by the audit
subsystem. This path can be used to anchor an absolute path
for a path token generated by an application. The data
argument points to a buffer into which the path is
copied. The length argument is the length of the buffer.
A_GETSTAT
Return the system audit statistics in the audit_stat
structure pointed to by data.
A_SETSTAT
Reset system audit statistics values. The kernel
statistics value is reset if the corresponding field in the
statistics structure pointed to by the data argument is
CLEAR_VAL. Otherwise, the value is not changed.
A_GETPOLICY
Return the audit policy flags in the integer pointed to
by data.
A_SETPOLICY
Set the audit policy flags to the values in the integer
pointed to by data. The following policy flags are
recognized:
AUDIT_CNT
Do not suspend processes when audit storage is full
or inaccessible. The default action is to suspend
processes until storage becomes available.
AUDIT_AHLT
Halt the machine when a non-attributable audit
record can not be delivered. The default action is
to count the number of events that could not be
recorded.
AUDIT_ARGV
Include in the audit record the argument list for a
member of the exec(2) family of functions. The
default action is not to include this information.
AUDIT_ARGE
Include the environment variables for the execv(2)
function in the audit record. The default action is
not to include this information.
AUDIT_SEQ
Add a sequence token to each audit record. The
default action is not to include it.
AUDIT_TRAIL
Append a trailer token to each audit record. The
default action is not to include it.
AUDIT_GROUP
Include the supplementary groups list in audit
records. The default action is not to include it.
AUDIT_PATH
Include secondary paths in audit records. Examples
of secondary paths are dynamically loaded shared
library modules and the command shell path for
executable scripts. The default action is to include
only the primary path from the system call.
AUDIT_WINDATA_DOWN
Include in an audit record any downgraded data moved
between windows. This policy is available only if
the system is configured with Trusted Extensions. By
default, this information is not included.
AUDIT_WINDATA_UP
Include in an audit record any upgraded data moved
between windows. This policy is available only if
the system is configured with Trusted Extensions. By
default, this information is not included.
AUDIT_PERZONE
Enable auditing for each local zone. If not set,
audit records from all zones are collected in a
single log accessible in the global zone and certain
auditconfig(1M) operations are disallowed. This
policy can be set only from the global zone.
AUDIT_ZONENAME
Generate a zone ID token with each audit record.
RETURN VALUES
Upon successful completion, auditon() returns 0. Otherwise,
-1 is returned and errno is set to indicate the error.
ERRORS
The auditon() function will fail if:
E2BIG The length field for the command was too small to
hold the returned value.
EFAULT The copy of data to/from the kernel failed.
EINVAL One of the arguments was illegal, BSM has not been
installed, or the operation is not valid from a
local zone.
EPERM The {PRIV_SYS_AUDIT} privilege is not asserted in
the effective set of the calling process.
Neither the {PRIV_PROC_AUDIT} nor the
{PRIV_SYS_AUDIT} privilege is asserted in the
effective set of the calling process and the
command is one of A_GETCAR, A_GETCLASS, A_GETCOND,
A_GETCWD, A_GETPINFO, A_GETPOLICY.
USAGE
The auditon() function can be invoked only by processes with
appropriate privileges.
The use of auditon() to change system audit state is
permitted only in the global zone. From any other zone auditon()
returns -1 with errno set to EPERM. The following auditon()
commands are permitted only in the global zone: A_SETCOND,
A_SETCLASS, A_SETKMASK, A_SETQCTRL, A_SETSTAT, A_SETFSIZE,
and A_SETPOLICY. All other auditon() commands are valid from
any zone.
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
ATTRIBUTE TYPE          ATTRIBUTE VALUE
Interface Stability     Committed
MT-Level                MT-Safe
SEE ALSO
auditconfig(1M), auditd(1M), bsmconv(1M), audit(2), exec(2),
audit.log(4), attributes(5), privileges(5)
NOTES
The functionality described in this man page is available
only if the Solaris Auditing has been enabled. See
bsmconv(1M) for more information.
The auditon options that modify or display process-based
information are not affected by the "perzone" audit policy.
Those that modify system audit data such as the terminal ID
and audit queue parameters are valid only in the global zone
unless the "perzone" policy is set. The "get" options for
system audit data reflect the local zone if "perzone" is
set; otherwise they reflect the settings of the global
zone.