SYNOPSIS
#include <bsm/audit.h>

int
auditon(int cmd, void *data, u_int length);
DESCRIPTION
The auditon() system call is used to manipulate various audit control operations. The data argument should point to a structure whose type depends on the command. The length argument specifies the size of *data in bytes. The cmd argument may be any of the following:
A_SETPOLICY
Set audit policy flags. The data argument must point to a long value set to one of the audit policy control values defined in <bsm/audit.h>. Currently, only AUDIT_CNT and AUDIT_AHLT are implemented. In the AUDIT_CNT case, the action will continue even if an event will not be audited. In the AUDIT_AHLT case, a panic(9) will result if an event will not be written to the audit log file.
A_SETKAUDIT
Return ENOSYS.

A_SETKMASK
Set the kernel preselection masks (success and failure). The data argument must point to an au_mask_t structure containing the mask values. These masks are used for non-attributable audit event preselection.

A_SETQCTRL
Set kernel audit queue parameters. The data argument must point to an au_qctrl_t structure containing the kernel audit queue control settings: ``high water'', ``low water'', ``output buffer size'', ``percent min free disk space'', and ``delay'' (not currently used).

A_SETSTAT
Return ENOSYS.

A_SETUMASK
Return ENOSYS.

A_SETSMASK
Return ENOSYS.
A_SETCOND
Set the current auditing condition. The data argument must point to a long value containing the new audit condition, one of AUC_AUDITING, AUC_NOAUDIT, or AUC_DISABLED.

A_SETCLASS
Set the event class preselection mask for an audit event. The data argument must point to an au_evclass_map_t structure containing the audit event and mask.

A_SETPMASK
Set the preselection masks for a process. The data argument must point to an auditpinfo_t structure that contains the given process's audit preselection masks for both success and failure.

A_SETFSIZE
Set the maximum size of the audit log file. The data argument must point to an au_fstat_t structure with the af_filesz field set to the maximum audit log file size. A value of 0 indicates no limit to the size.

A_SETKAUDIT
Return ENOSYS.
A_GETCLASS
Return the event to class mapping for the designated audit event. The data argument must point to an au_evclass_map_t structure.

A_GETKAUDIT
Return ENOSYS.

A_GETPINFO
Return the audit settings for a process. The data argument must point to an auditpinfo_t structure which will be set to contain the audit ID, preselection mask, terminal ID, and audit session ID of the given process.

A_GETPINFO_ADDR
Return ENOSYS.

A_GETKMASK
Return the current kernel preselection masks. The data argument must point to an au_mask_t structure which will be set to the current kernel preselection masks for non-attributable events.

A_GETPOLICY
Return the current audit policy setting. The data argument must point to a long value which will be set to one of the current audit policy flags. Currently, only AUDIT_CNT and AUDIT_AHLT are implemented.
A_GETQCTRL
Return the current kernel audit queue control parameters. The data argument must point to an au_qctrl_t structure which will be set to the current kernel audit queue control parameters.

A_GETFSIZE
Return the maximum size of the audit log file. The data argument must point to an au_fstat_t structure. The af_filesz field will be set to the maximum audit log file size. A value of 0 indicates no limit to the size. The af_currsz field will be set to the current audit log file size.

A_GETCWD
Return ENOSYS.

A_GETCAR
Return ENOSYS.

A_GETSTAT
Return ENOSYS.

A_GETCOND
Return the current auditing condition. The data argument must point to a long value which will be set to the current audit condition, either AUC_AUDITING or AUC_NOAUDIT.

A_SENDTRIGGER
Send a trigger to the audit daemon. The data argument must point to a long value set to one of the acceptable trigger values: AUDIT_TRIGGER_LOW_SPACE (low disk space where the audit log resides), AUDIT_TRIGGER_OPEN_NEW (open a new audit log file), AUDIT_TRIGGER_READ_FILE (read the audit_control file), AUDIT_TRIGGER_CLOSE_AND_DIE (close the current log file and exit), or AUDIT_TRIGGER_NO_SPACE (no disk space left for audit log file).
RETURN VALUES
The auditon() function returns the value 0 if successful; otherwise the value -1 is returned and the global variable errno is set to indicate the error.
ERRORS
The auditon() function will fail if:

[ENOSYS]
Returned by options not yet implemented.

[EFAULT]
A failure occurred while transferring data to or from the kernel.

[EINVAL]
An illegal argument was passed to the system call.

[EPERM]
The process does not have sufficient permission to complete the operation.
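An added example, not from this manual page or from OpenBSM: a C program that queries the auditing condition, policy flags and log-size limit with A_GETCOND, A_GETPOLICY and A_GETFSIZE, maps a failing errno to the ERRORS section above, and pre-checks values before an A_SETQCTRL call. It assumes a host with <bsm/audit.h> (FreeBSD or Mac OS X) and a privileged caller; the queue-parameter bounds in qctrl_params_ok() are an assumption taken from the FreeBSD kernel's EINVAL checks, not from this page.

```c
/* Added example, not OpenBSM's own code: read the live audit configuration via
 * auditon(2).  Needs <bsm/audit.h>; elsewhere audit_summary() fails with ENOSYS. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __has_include
# if __has_include(<bsm/audit.h>)
#  include <bsm/audit.h>
#  define HAVE_BSM_AUDIT 1
# endif
#endif

/* Meaning of a failed auditon() errno, following the ERRORS section. */
const char *auditon_errno_hint(int e)
{
    switch (e) {
    case ENOSYS: return "command not implemented by this kernel";
    case EFAULT: return "data/length do not describe accessible memory";
    case EINVAL: return "illegal cmd, length or value";
    case EPERM:  return "insufficient privilege for audit control";
    default:     return "unexpected error";
    }
}

/* Pre-check for A_SETQCTRL; bounds assumed from FreeBSD's EINVAL checks, not from this page. */
int qctrl_params_ok(int hiwater, int lowater, int bufsz, int minfree)
{
    return hiwater > 0 && lowater >= 0 && lowater < hiwater &&
           bufsz > 0 && minfree >= 0 && minfree <= 100;
}

/* Query A_GETCOND, A_GETPOLICY and A_GETFSIZE: 0 with a summary line in buf,
 * or -1 with errno set (every auditon(2) command needs privilege). */
int audit_summary(char *buf, size_t n)
{
#ifdef HAVE_BSM_AUDIT
    long cond = 0, policy = 0; au_fstat_t fs = {0};
    if (auditon(A_GETCOND, &cond, sizeof cond) == -1 ||
        auditon(A_GETPOLICY, &policy, sizeof policy) == -1 ||
        auditon(A_GETFSIZE, &fs, sizeof fs) == -1)
        return -1;
    /* AUDIT_AHLT: an unwritable record panics; AUDIT_CNT: the action continues. */
    snprintf(buf, n, "auditing=%s ahlt=%s cnt=%s limit=%lld current=%lld",
             cond == AUC_AUDITING ? "yes" : "NO", (policy & AUDIT_AHLT) ? "yes" : "no",
             (policy & AUDIT_CNT) ? "yes" : "no", (long long)fs.af_filesz, (long long)fs.af_currsz);
    return 0;
#else
    (void)buf; (void)n; errno = ENOSYS; return -1;
#endif
}
```

Call audit_summary() from a privileged process and print the line, or pass errno to auditon_errno_hint() when it returns -1.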
The A_SENDTRIGGER command is specific to the FreeBSD and Mac OS X implementations, and is not present in Solaris.

HISTORY
The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution.
AUTHORS
This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems.