2 .\" Copyright (c) 2008-2009 Apple Inc. All rights reserved.
4 .\" @APPLE_LICENSE_HEADER_START@
6 .\" This file contains Original Code and/or Modifications of Original Code
7 .\" as defined in and that are subject to the Apple Public Source License
8 .\" Version 2.0 (the 'License'). You may not use this file except in
9 .\" compliance with the License. Please obtain a copy of the License at
10 .\" http://www.opensource.apple.com/apsl/ and read it before using this
13 .\" The Original Code and all software distributed under the License are
14 .\" distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 .\" EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 .\" INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 .\" FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 .\" Please see the License for the specific language governing rights and
19 .\" limitations under the License.
21 .\" @APPLE_LICENSE_HEADER_END@
28 .Nd "configure system audit parameters"
32 .Fn auditon "int cmd" "void *data" "u_int length"
36 system call is used to manipulate various audit control operations.
40 should point to a structure whose type depends on the command.
50 may be any of the following:
51 .Bl -tag -width ".It Dv A_GETPINFO_ADDR"
53 Set audit policy flags.
59 value set to one or more the following audit
60 policy control values bitwise OR'ed together:
67 .Dv AUDIT_CNT is set, the system will continue even if it becomes low
68 on space and discontinue logging events until the low space condition is
70 If it is not set, audited events will block until the low space
71 condition is remedied.
72 Unaudited events, however, are unaffected.
74 .Dv AUDIT_AHLT is set, a
76 if it cannot write an event to the global audit log file.
79 is set, then the argument list passed to the
81 system call will be audited. If
83 is set, then the environment variables passed to the
85 system call will be audited. The default policy is none of the audit policy
88 Set the host information.
94 structure containing the host IP address information.
95 After setting, audit records
96 that are created as a result of kernel events will contain
99 Set the kernel preselection masks (success and failure).
105 structure containing the mask values as defined in
107 These masks are used for non-attributable audit event preselection.
110 specifies which classes of successful audit events are to be logged to the
111 audit trail. The field
113 specifies which classes of failed audit events are to be logged. The value of
114 both fields is the bitwise OR'ing of the audit event classes specified in
116 The various audit classes are described more fully in
119 Set kernel audit queue parameters.
125 structure (defined in
127 containing the kernel audit queue control settings:
136 defines the maximum number of audit record entries in the queue used to store
137 the audit records ready for delivery to disk.
138 New records are inserted at the tail of the queue and removed from the head.
139 For new records which would exceed the
140 high water mark, the calling thread is inserted into the wait queue, waiting
141 for the audit queue to have enough space available as defined with the field
145 defines the maximum length of the audit record that can be supplied with
152 specifies the minimum amount of free blocks on the disk device used to store
154 If the value of free blocks falls below the configured
155 minimum amount, the kernel informs the audit daemon about low disk space.
156 The value is to be specified in percent of free file system blocks.
157 A value of 0 results in a disabling of the check.
158 The default and maximum values (default/maximum) for the
159 audit queue control parameters are:
161 .Bl -column aq_hiwater -offset indent -compact
162 .It aq_hiwater Ta 100/10000 (audit records)
163 .It aq_lowater Ta 10/aq_hiwater (audit records)
164 .It aq_bufsz Ta 32767/1048576 (bytes)
165 .It aq_delay Ta (Not currently used.)
180 Set the current auditing condition.
186 value containing the new
187 audit condition, one of
194 is set, then auditing is temporarily suspended. If
196 is set, auditing is resumed. If
198 is set, the auditing system will
199 shutdown, draining all audit records and closing out the audit trail file.
201 Set the event class preselection mask for an audit event.
207 structure containing the audit event and mask.
210 is the audit event and
212 is the audit class mask. See
214 for more information on audit event to class mapping.
216 Set the preselection masks for a process.
222 structure that contains the given process's audit
223 preselection masks for both success and failure.
226 is the process id of the target process.
231 structure which holds the preselection masks as described in the
235 Set the maximum size of the audit log file.
243 field set to the maximum audit log file size.
245 indicates no limit to the size.
247 Set the audit sessions flags for the current session.
250 argument must point to an
252 value containing the new audit session flags.
253 Audit session flags may be updated only according to local
254 access control policy.
256 Return the event to class mapping for the designated audit event.
264 section above for more information.
266 Get the current host information.
274 Return the audit settings for a process.
280 structure which will be set to contain
284 (the preselection mask),
286 (the terminal ID), and
288 (the audit session ID)
289 of the given target process.
290 The process ID of the target process is passed
291 into the kernel using the
298 for more information.
299 .It Dv A_GETPINFO_ADDR
300 Return the extended audit settings for a process.
305 .Vt auditpinfo_addr_t
306 structure which is similar to the
307 .Vt auditpinfo_addr_t
308 structure described above.
311 (the terminal ID) field which points to a
313 structure can hold much a larger terminal address and an address type.
314 The process ID of the target process is passed into the kernel using the
321 for more information.
322 .It Dv A_GETSINFO_ADDR
323 Return the extended audit settings for a session.
330 The audit session ID of the target session is passed
331 into the kernel using the
335 for more information about the
339 Return the current kernel preselection masks.
345 structure which will be set to
346 the current kernel preselection masks for non-attributable events.
348 Return the current audit policy setting.
354 value which will be set to
355 one of the current audit policy flags.
356 The audit policy flags are
361 Return the current kernel audit queue control parameters.
367 structure which will be set to the current
368 kernel audit queue control parameters.
371 section above for more information.
373 Returns the maximum size of the audit log file.
382 field will be set to the maximum audit log file size.
383 A value of 0 indicates no limit to the size.
387 will be set to the current audit log file size.
389 Returns the audit session flags for the current session.
392 argument must point to an
394 value which will be set with the current session flags.
396 .\" [COMMENTED OUT]: Valid description, not yet implemented.
397 .\" Return the current working directory as stored in the audit subsystem.
402 .\" [COMMENTED OUT]: Valid description, not yet implemented.
403 .\"Stores and returns the current active root as stored in the audit
409 .\" [COMMENTED OUT]: Valid description, not yet implemented.
410 .\"Return the statistics stored in the audit system.
415 Return the current auditing condition.
421 value which will be set to
422 the current audit condition, one of
429 section above for more information.
431 Send a trigger to the audit daemon.
437 value set to one of the acceptable
439 .Dv AUDIT_TRIGGER_LOW_SPACE
440 (low disk space where the audit log resides),
441 .Dv AUDIT_TRIGGER_OPEN_NEW
442 (open a new audit log file),
443 .Dv AUDIT_TRIGGER_READ_FILE
447 .Dv AUDIT_TRIGGER_CLOSE_AND_DIE
448 (close the current log file and exit),
449 .Dv AUDIT_TRIGGER_NO_SPACE
450 (no disk space left for audit log file).
451 .Dv AUDIT_TRIGGER_ROTATE_USER
452 (request audit log file rotation).
453 .Dv AUDIT_TRIGGER_INITIALIZE
454 (initialize audit subsystem for Mac OS X only).
456 .Dv AUDIT_TRIGGER_EXPIRE_TRAILS
457 (request audit log file expiration).
464 function will fail if:
467 Returned by options not yet implemented.
469 A failure occurred while data transferred to or from
472 Illegal argument was passed by a system call.
474 The process does not have sufficient permission to complete
480 command is specific to the
482 and Mac OS X implementations, and is not present in Solaris.
487 .Xr getaudit_addr 2 ,
490 .Xr setaudit_addr 2 ,
494 The OpenBSM implementation was created by McAfee Research, the security
495 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
496 It was subsequently adopted by the TrustedBSD Project as the foundation for
497 the OpenBSM distribution.
500 This software was created by McAfee Research, the security research division
501 of McAfee, Inc., under contract to Apple Computer Inc.
502 Additional authors include
507 The Basic Security Module (BSM) interface to audit records and audit event
508 stream format were defined by Sun Microsystems.
510 This manual page was written by
511 .An Tom Rhodes Aq trhodes@FreeBSD.org ,
512 .An Robert Watson Aq rwatson@FreeBSD.org ,
514 .An Wayne Salamon Aq wsalamon@FreeBSD.org .
projects / apple / xnu.git / blob