]> git.saurik.com Git - apple/xnu.git/blame - bsd/man/man2/auditon.2
xnu-1699.32.7.tar.gz
[apple/xnu.git] / bsd / man / man2 / auditon.2
CommitLineData
2d21ac55 1.\"
b0d623f7 2.\" Copyright (c) 2008-2009 Apple Inc. All rights reserved.
2d21ac55
A
3.\"
4.\" @APPLE_LICENSE_HEADER_START@
5.\"
6.\" This file contains Original Code and/or Modifications of Original Code
7.\" as defined in and that are subject to the Apple Public Source License
8.\" Version 2.0 (the 'License'). You may not use this file except in
9.\" compliance with the License. Please obtain a copy of the License at
10.\" http://www.opensource.apple.com/apsl/ and read it before using this
11.\" file.
12.\"
13.\" The Original Code and all software distributed under the License are
14.\" distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15.\" EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16.\" INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17.\" FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18.\" Please see the License for the specific language governing rights and
19.\" limitations under the License.
20.\"
21.\" @APPLE_LICENSE_HEADER_END@
22.\"
b0d623f7 23.Dd January 29, 2009
2d21ac55 24.Dt AUDITON 2
b0d623f7 25.Os
2d21ac55
A
26.Sh NAME
27.Nm auditon
b0d623f7 28.Nd "configure system audit parameters"
2d21ac55 29.Sh SYNOPSIS
b0d623f7 30.In bsm/audit.h
2d21ac55 31.Ft int
b0d623f7 32.Fn auditon "int cmd" "void *data" "u_int length"
2d21ac55
A
33.Sh DESCRIPTION
34The
35.Fn auditon
b0d623f7
A
36system call is used to manipulate various audit control operations.
37The
38.Fa data
39argument
40should point to a structure whose type depends on the command.
41The
42.Fa length
43argument
44specifies the size of
45.Fa *data
46in bytes.
47The
48.Fa cmd
49argument
50may be any of the following:
51.Bl -tag -width ".It Dv A_GETPINFO_ADDR"
52.It Dv A_SETPOLICY
53Set audit policy flags.
54The
55.Fa data
56argument
57must point to a
58.Vt int
59value set to one or more the following audit
60policy control values bitwise OR'ed together:
61.Dv AUDIT_CNT ,
62.Dv AUDIT_AHLT ,
63.Dv AUDIT_ARGV ,
64and
65.Dv AUDIT_ARGE .
66If
67.Dv AUDIT_CNT is set, the system will continue even if it becomes low
68on space and discontinue logging events until the low space condition is
69remedied.
70If it is not set, audited events will block until the low space
71condition is remedied.
72Unaudited events, however, are unaffected.
73If
74.Dv AUDIT_AHLT is set, a
75.Xr panic 9
76if it cannot write an event to the global audit log file.
77If
78.Dv AUDIT_ARGV
79is set, then the argument list passed to the
80.Xr execve 2
81system call will be audited. If
82.Dv AUDIT_ARGE
83is set, then the environment variables passed to the
84.Xr execve 2
85system call will be audited. The default policy is none of the audit policy
86control flags set.
87.It Dv A_SETKAUDIT
88Set the host information.
89The
90.Fa data
91argument
92must point to a
93.Vt auditinfo_addr_t
94structure containing the host IP address information.
95After setting, audit records
96that are created as a result of kernel events will contain
97this information.
98.It Dv A_SETKMASK
99Set the kernel preselection masks (success and failure).
100The
101.Fa data
102argument
103must point to a
104.Vt au_mask_t
105structure containing the mask values as defined in
106.In bsm/audit.h .
107These masks are used for non-attributable audit event preselection.
2d21ac55
A
108The field
109.Fa am_success
110specifies which classes of successful audit events are to be logged to the
111audit trail. The field
112.Fa am_failure
113specifies which classes of failed audit events are to be logged. The value of
b0d623f7 114both fields is the bitwise OR'ing of the audit event classes specified in
2d21ac55
A
115.Fa bsm/audit.h .
116The various audit classes are described more fully in
117.Xr audit_class 5 .
b0d623f7
A
118.It Dv A_SETQCTRL
119Set kernel audit queue parameters.
120The
121.Fa data
122argument
123must point to a
124.Vt au_qctrl_t
125structure (defined in
126.In bsm/audit.h )
127containing the kernel audit queue control settings:
128.Fa aq_hiwater ,
129.Fa aq_lowater ,
130.Fa aq_bufsz ,
131.Fa aq_delay ,
132and
133.Fa aq_minfree .
134The field
135.Fa aq_hiwater
136defines the maximum number of audit record entries in the queue used to store
137the audit records ready for delivery to disk.
138New records are inserted at the tail of the queue and removed from the head.
139For new records which would exceed the
140high water mark, the calling thread is inserted into the wait queue, waiting
141for the audit queue to have enough space available as defined with the field
142.Fa aq_lowater .
143The field
144.Fa aq_bufsz
145defines the maximum length of the audit record that can be supplied with
146.Xr audit 2 .
147The field
148.Fa aq_delay
149is unused.
150The field
151.Fa aq_minfree
152specifies the minimum amount of free blocks on the disk device used to store
153audit records.
154If the value of free blocks falls below the configured
155minimum amount, the kernel informs the audit daemon about low disk space.
156The value is to be specified in percent of free file system blocks.
157A value of 0 results in a disabling of the check.
158The default and maximum values (default/maximum) for the
159audit queue control parameters are:
160.Pp
161.Bl -column aq_hiwater -offset indent -compact
162.It aq_hiwater Ta 100/10000 (audit records)
163.It aq_lowater Ta 10/aq_hiwater (audit records)
164.It aq_bufsz Ta 32767/1048576 (bytes)
165.It aq_delay Ta (Not currently used.)
166.El
167.It Dv A_SETSTAT
168Return
169.Er ENOSYS .
170(Not implemented.)
171.It Dv A_SETUMASK
172Return
173.Er ENOSYS .
174(Not implemented.)
175.It Dv A_SETSMASK
176Return
177.Er ENOSYS .
178(Not implemented.)
179.It Dv A_SETCOND
180Set the current auditing condition.
181The
182.Fa data
183argument
184must point to a
185.Vt int
186value containing the new
187audit condition, one of
188.Dv AUC_AUDITING ,
189.Dv AUC_NOAUDIT ,
190or
191.Dv AUC_DISABLED .
192If
193.Dv AUC_NOAUDIT
194is set, then auditing is temporarily suspended. If
195.Dv AUC_AUDITING
196is set, auditing is resumed. If
197.Dv AUC_DISABLED
198is set, the auditing system will
199shutdown, draining all audit records and closing out the audit trail file.
200.It Dv A_SETCLASS
201Set the event class preselection mask for an audit event.
202The
203.Fa data
204argument
205must point to a
206.Vt au_evclass_map_t
207structure containing the audit event and mask.
208The field
209.Fa ec_number
210is the audit event and
211.Fa ec_class
212is the audit class mask. See
213.Xr audit_event 5
214for more information on audit event to class mapping.
215.It Dv A_SETPMASK
216Set the preselection masks for a process.
217The
218.Fa data
219argument
220must point to a
221.Vt auditpinfo_t
222structure that contains the given process's audit
223preselection masks for both success and failure.
224The field
225.Fa ap_pid
226is the process id of the target process.
227The field
228.Fa ap_mask
229must point to a
230.Fa au_mask_t
231structure which holds the preselection masks as described in the
232.Da A_SETKMASK
233section above.
234.It Dv A_SETFSIZE
235Set the maximum size of the audit log file.
236The
237.Fa data
238argument
239must point to a
240.Vt au_fstat_t
241structure with the
242.Va af_filesz
243field set to the maximum audit log file size.
244A value of 0
245indicates no limit to the size.
6d2010ae
A
246.It Dv A_SETSFLAGS
247Set the audit sessions flags for the current session.
248The
249.Fa data
250argument must point to an
251.Vt au_asflgs_t
252value containing the new audit session flags.
253Audit session flags may be updated only according to local
254access control policy.
b0d623f7
A
255.It Dv A_GETCLASS
256Return the event to class mapping for the designated audit event.
257The
258.Fa data
259argument
260must point to a
261.Vt au_evclass_map_t
262structure. See the
263.Dv A_SETCLASS
264section above for more information.
265.It Dv A_GETKAUDIT
266Get the current host information.
267The
268.Fa data
269argument
270must point to a
271.Vt auditinfo_addr_t
272structure.
273.It Dv A_GETPINFO
274Return the audit settings for a process.
275The
276.Fa data
277argument
278must point to a
279.Vt auditpinfo_t
280structure which will be set to contain
281.Fa ap_auid
282(the audit ID),
283.Fa ap_mask
284(the preselection mask),
285.Fa ap_termid
286(the terminal ID), and
287.Fa ap_asid
288(the audit session ID)
289of the given target process.
290The process ID of the target process is passed
291into the kernel using the
292.Fa ap_pid
293field.
294See the section
295.Dv A_SETPMASK
296above and
297.Xr getaudit 2
298for more information.
299.It Dv A_GETPINFO_ADDR
300Return the extended audit settings for a process.
301The
302.Fa data
303argument
304must point to a
305.Vt auditpinfo_addr_t
306structure which is similar to the
307.Vt auditpinfo_addr_t
308structure described above.
309The exception is the
310.Fa ap_termid
311(the terminal ID) field which points to a
312.Vt au_tid_addr_t
313structure can hold much a larger terminal address and an address type.
314The process ID of the target process is passed into the kernel using the
315.Fa ap_pid
316field.
317See the section
318.Dv A_SETPMASK
319above and
320.Xr getaudit 2
321for more information.
322.It Dv A_GETSINFO_ADDR
323Return the extended audit settings for a session.
324The
325.Fa data
326argument
327must point to a
328.Vt auditinfo_addr_t
329structure.
330The audit session ID of the target session is passed
331into the kernel using the
332.Fa ai_asid
333field. See
334.Xr getaudit_addr 2
335for more information about the
336.Vt auditinfo_addr_t
337structure.
338.It Dv A_GETKMASK
339Return the current kernel preselection masks.
340The
341.Fa data
342argument
343must point to a
344.Vt au_mask_t
345structure which will be set to
346the current kernel preselection masks for non-attributable events.
347.It Dv A_GETPOLICY
348Return the current audit policy setting.
349The
350.Fa data
351argument
352must point to a
353.Vt int
354value which will be set to
355one of the current audit policy flags.
356The audit policy flags are
357described in the
358.Dv A_SETPOLICY
359section above.
360.It Dv A_GETQCTRL
361Return the current kernel audit queue control parameters.
362The
363.Fa data
364argument
365must point to a
366.Vt au_qctrl_t
367structure which will be set to the current
368kernel audit queue control parameters.
369See the
370.Dv A_SETQCTL
371section above for more information.
372.It Dv A_GETFSIZE
373Returns the maximum size of the audit log file.
374The
375.Fa data
376argument
377must point to a
378.Vt au_fstat_t
379structure.
380The
381.Va af_filesz
382field will be set to the maximum audit log file size.
383A value of 0 indicates no limit to the size.
384The
385.Va af_currsz
386field
387will be set to the current audit log file size.
6d2010ae
A
388.It Dv A_GETSFLAGS
389Returns the audit session flags for the current session.
390The
391.Fa data
392argument must point to an
393.Vt au_asflgs_t
394value which will be set with the current session flags.
b0d623f7
A
395.It Dv A_GETCWD
396.\" [COMMENTED OUT]: Valid description, not yet implemented.
397.\" Return the current working directory as stored in the audit subsystem.
398Return
399.Er ENOSYS .
400(Not implemented.)
401.It Dv A_GETCAR
402.\" [COMMENTED OUT]: Valid description, not yet implemented.
403.\"Stores and returns the current active root as stored in the audit
404.\"subsystem.
405Return
406.Er ENOSYS .
407(Not implemented.)
408.It Dv A_GETSTAT
409.\" [COMMENTED OUT]: Valid description, not yet implemented.
410.\"Return the statistics stored in the audit system.
411Return
412.Er ENOSYS .
413(Not implemented.)
414.It Dv A_GETCOND
415Return the current auditing condition.
416The
417.Fa data
418argument
419must point to a
420.Vt int
421value which will be set to
422the current audit condition, one of
423.Dv AUC_AUDITING ,
424.Dv AUC_NOAUDIT
425or
426.Dv AUC_DISABLED .
427See the
428.Dv A_SETCOND
429section above for more information.
430.It Dv A_SENDTRIGGER
431Send a trigger to the audit daemon.
432The
433.Fa data
434argument
435must point to a
436.Vt int
437value set to one of the acceptable
438trigger values:
439.Dv AUDIT_TRIGGER_LOW_SPACE
440(low disk space where the audit log resides),
441.Dv AUDIT_TRIGGER_OPEN_NEW
442(open a new audit log file),
443.Dv AUDIT_TRIGGER_READ_FILE
444(read the
445.Pa audit_control
446file),
447.Dv AUDIT_TRIGGER_CLOSE_AND_DIE
448(close the current log file and exit),
449.Dv AUDIT_TRIGGER_NO_SPACE
450(no disk space left for audit log file).
451.Dv AUDIT_TRIGGER_ROTATE_USER
452(request audit log file rotation).
453.Dv AUDIT_TRIGGER_INITIALIZE
454(initialize audit subsystem for Mac OS X only).
455or
456.Dv AUDIT_TRIGGER_EXPIRE_TRAILS
457(request audit log file expiration).
2d21ac55
A
458.El
459.Sh RETURN VALUES
b0d623f7 460.Rv -std
2d21ac55 461.Sh ERRORS
b0d623f7 462The
2d21ac55 463.Fn auditon
b0d623f7
A
464function will fail if:
465.Bl -tag -width Er
466.It Bq Er ENOSYS
467Returned by options not yet implemented.
468.It Bq Er EFAULT
469A failure occurred while data transferred to or from
470the kernel failed.
2d21ac55 471.It Bq Er EINVAL
b0d623f7
A
472Illegal argument was passed by a system call.
473.It Bq Er EPERM
474The process does not have sufficient permission to complete
475the operation.
2d21ac55 476.El
b0d623f7
A
477.Pp
478The
479.Dv A_SENDTRIGGER
480command is specific to the
481.Fx
482and Mac OS X implementations, and is not present in Solaris.
2d21ac55
A
483.Sh SEE ALSO
484.Xr audit 2 ,
485.Xr auditctl 2 ,
2d21ac55 486.Xr getaudit 2 ,
2d21ac55 487.Xr getaudit_addr 2 ,
b0d623f7
A
488.Xr getauid 2 ,
489.Xr setaudit 2 ,
2d21ac55 490.Xr setaudit_addr 2 ,
b0d623f7
A
491.Xr setauid 2 ,
492.Xr libbsm 3
2d21ac55 493.Sh HISTORY
b0d623f7
A
494The OpenBSM implementation was created by McAfee Research, the security
495division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
496It was subsequently adopted by the TrustedBSD Project as the foundation for
497the OpenBSM distribution.
498.Sh AUTHORS
499.An -nosplit
500This software was created by McAfee Research, the security research division
501of McAfee, Inc., under contract to Apple Computer Inc.
502Additional authors include
503.An Wayne Salamon ,
504.An Robert Watson ,
505and SPARTA Inc.
506.Pp
507The Basic Security Module (BSM) interface to audit records and audit event
508stream format were defined by Sun Microsystems.
509.Pp
510This manual page was written by
511.An Tom Rhodes Aq trhodes@FreeBSD.org ,
512.An Robert Watson Aq rwatson@FreeBSD.org ,
513and
514.An Wayne Salamon Aq wsalamon@FreeBSD.org .