|
|
Эта страница руководства является частью версии 5.0 Инструментов XCodeПолучить эти инструменты:
Если Вы выполняете версию Инструментов XCode кроме 5,0, просматриваете документацию локально:
Читать страницы руководстваСтраницы руководства предназначаются как справочник для людей, уже понимающих технологию.
|
AUDITON(2) BSD System Calls Manual AUDITON(2)
NAME
auditon -- configure system audit parameters
SYNOPSIS
#include <bsm/audit.h>
int
auditon(int cmd, void *data, u_int length);
DESCRIPTION
The auditon() system call is used to manipulate various audit control operations. The data argument
should point to a structure whose type depends on the command. The length argument specifies the size
of *data in bytes. The cmd argument may be any of the following:
A_SETPOLICY Set audit policy flags. The data argument must point to a int value set to one or
more the following audit policy control values bitwise OR'ed together: AUDIT_CNT,
AUDIT_AHLT, AUDIT_ARGV, and AUDIT_ARGE. If AUDIT_CNT is set, the system will continue
even if it becomes low on space and discontinue logging events until the low space
condition is remedied. If it is not set, audited events will block until the low
space condition is remedied. Unaudited events, however, are unaffected. If
AUDIT_AHLT is set, a panic(9) if it cannot write an event to the global audit log
file. If AUDIT_ARGV is set, then the argument list passed to the execve(2) system
call will be audited. If AUDIT_ARGE is set, then the environment variables passed to
the execve(2) system call will be audited. The default policy is none of the audit
policy control flags set.
A_SETKAUDIT Set the host information. The data argument must point to a auditinfo_addr_t struc-ture structure
ture containing the host IP address information. After setting, audit records that
are created as a result of kernel events will contain this information.
A_SETKMASK Set the kernel preselection masks (success and failure). The data argument must point
to a au_mask_t structure containing the mask values as defined in <bsm/audit.h>.
These masks are used for non-attributable audit event preselection. The field
am_success specifies which classes of successful audit events are to be logged to the
audit trail. The field am_failure specifies which classes of failed audit events are
to be logged. The value of both fields is the bitwise OR'ing of the audit event
classes specified in bsm/audit.h. The various audit classes are described more fully
in audit_class(5).
A_SETQCTRL Set kernel audit queue parameters. The data argument must point to a au_qctrl_t
structure (defined in <bsm/audit.h>) containing the kernel audit queue control set-tings: settings:
tings: aq_hiwater, aq_lowater, aq_bufsz, aq_delay, and aq_minfree. The field
aq_hiwater defines the maximum number of audit record entries in the queue used to
store the audit records ready for delivery to disk. New records are inserted at the
tail of the queue and removed from the head. For new records which would exceed the
high water mark, the calling thread is inserted into the wait queue, waiting for the
audit queue to have enough space available as defined with the field aq_lowater. The
field aq_bufsz defines the maximum length of the audit record that can be supplied
with audit(2). The field aq_delay is unused. The field aq_minfree specifies the min-imum minimum
imum amount of free blocks on the disk device used to store audit records. If the
value of free blocks falls below the configured minimum amount, the kernel informs the
audit daemon about low disk space. The value is to be specified in percent of free
file system blocks. A value of 0 results in a disabling of the check. The default
and maximum values (default/maximum) for the audit queue control parameters are:
aq_hiwater 100/10000 (audit records)
aq_lowater 10/aq_hiwater (audit records)
aq_bufsz 32767/1048576 (bytes)
aq_delay (Not currently used.)
A_SETSTAT Return ENOSYS. (Not implemented.)
A_SETUMASK Return ENOSYS. (Not implemented.)
A_SETSMASK Return ENOSYS. (Not implemented.)
A_SETCOND Set the current auditing condition. The data argument must point to a int value con-taining containing
taining the new audit condition, one of AUC_AUDITING, AUC_NOAUDIT, or AUC_DISABLED.
If AUC_NOAUDIT is set, then auditing is temporarily suspended. If AUC_AUDITING is set,
auditing is resumed. If AUC_DISABLED is set, the auditing system will shutdown, drain-ing draining
ing all audit records and closing out the audit trail file.
A_SETCLASS Set the event class preselection mask for an audit event. The data argument must
point to a au_evclass_map_t structure containing the audit event and mask. The field
ec_number is the audit event and ec_class is the audit class mask. See audit_event(5)
for more information on audit event to class mapping.
A_SETPMASK Set the preselection masks for a process. The data argument must point to a
auditpinfo_t structure that contains the given process's audit preselection masks for
both success and failure. The field ap_pid is the process id of the target process.
The field ap_mask must point to a au_mask_t structure which holds the preselection
masks as described in the section above.
A_SETFSIZE Set the maximum size of the audit log file. The data argument must point to a
au_fstat_t structure with the af_filesz field set to the maximum audit log file size.
A value of 0 indicates no limit to the size.
A_SETSFLAGS Set the audit sessions flags for the current session. The data argument must point to
an au_asflgs_t value containing the new audit session flags. Audit session flags may
be updated only according to local access control policy.
A_GETCLASS Return the event to class mapping for the designated audit event. The data argument
must point to a au_evclass_map_t structure. See the A_SETCLASS section above for more
information.
A_GETKAUDIT Get the current host information. The data argument must point to a auditinfo_addr_t
structure.
A_GETPINFO Return the audit settings for a process. The data argument must point to a
auditpinfo_t structure which will be set to contain ap_auid (the audit ID), ap_mask
(the preselection mask), ap_termid (the terminal ID), and ap_asid (the audit session
ID) of the given target process. The process ID of the target process is passed into
the kernel using the ap_pid field. See the section A_SETPMASK above and getaudit(2)
for more information.
A_GETPINFO_ADDR Return the extended audit settings for a process. The data argument must point to a
auditpinfo_addr_t structure which is similar to the auditpinfo_addr_t structure
described above. The exception is the ap_termid (the terminal ID) field which points
to a au_tid_addr_t structure can hold much a larger terminal address and an address
type. The process ID of the target process is passed into the kernel using the ap_pid
field. See the section A_SETPMASK above and getaudit(2) for more information.
A_GETSINFO_ADDR Return the extended audit settings for a session. The data argument must point to a
auditinfo_addr_t structure. The audit session ID of the target session is passed into
the kernel using the ai_asid field. See getaudit_addr(2) for more information about
the auditinfo_addr_t structure.
A_GETKMASK Return the current kernel preselection masks. The data argument must point to a
au_mask_t structure which will be set to the current kernel preselection masks for
non-attributable events.
A_GETPOLICY Return the current audit policy setting. The data argument must point to a int value
which will be set to one of the current audit policy flags. The audit policy flags
are described in the A_SETPOLICY section above.
A_GETQCTRL Return the current kernel audit queue control parameters. The data argument must
point to a au_qctrl_t structure which will be set to the current kernel audit queue
control parameters. See the A_SETQCTL section above for more information.
A_GETFSIZE Returns the maximum size of the audit log file. The data argument must point to a
au_fstat_t structure. The af_filesz field will be set to the maximum audit log file
size. A value of 0 indicates no limit to the size. The af_currsz field will be set
to the current audit log file size.
A_GETSFLAGS Returns the audit session flags for the current session. The data argument must point
to an au_asflgs_t value which will be set with the current session flags.
A_GETCWD Return ENOSYS. (Not implemented.)
A_GETCAR Return ENOSYS. (Not implemented.)
A_GETSTAT Return ENOSYS. (Not implemented.)
A_GETCOND Return the current auditing condition. The data argument must point to a int value
which will be set to the current audit condition, one of AUC_AUDITING, AUC_NOAUDIT or
AUC_DISABLED. See the A_SETCOND section above for more information.
A_SENDTRIGGER Send a trigger to the audit daemon. The data argument must point to a int value set
to one of the acceptable trigger values: AUDIT_TRIGGER_LOW_SPACE (low disk space where
the audit log resides), AUDIT_TRIGGER_OPEN_NEW (open a new audit log file),
AUDIT_TRIGGER_READ_FILE (read the audit_control file), AUDIT_TRIGGER_CLOSE_AND_DIE
(close the current log file and exit), AUDIT_TRIGGER_NO_SPACE (no disk space left for
audit log file). AUDIT_TRIGGER_ROTATE_USER (request audit log file rotation).
AUDIT_TRIGGER_INITIALIZE (initialize audit subsystem for Mac OS X only). or
AUDIT_TRIGGER_EXPIRE_TRAILS (request audit log file expiration).
RETURN VALUES
Upon successful completion, the value 0 is returned; otherwise the value -1 is returned and the global
variable errno is set to indicate the error.
ERRORS
The auditon() function will fail if:
[ENOSYS] Returned by options not yet implemented.
[EFAULT] A failure occurred while data transferred to or from the kernel failed.
[EINVAL] Illegal argument was passed by a system call.
[EPERM] The process does not have sufficient permission to complete the operation.
The A_SENDTRIGGER command is specific to the FreeBSD and Mac OS X implementations, and is not present
in Solaris.
SEE ALSO
audit(2), auditctl(2), getaudit(2), getaudit_addr(2), getauid(2), setaudit(2), setaudit_addr(2),
setauid(2), libbsm(3)
HISTORY
The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under
contract to Apple Computer Inc. in 2004. It was subsequently adopted by the TrustedBSD Project as the
foundation for the OpenBSM distribution.
AUTHORS
This software was created by McAfee Research, the security research division of McAfee, Inc., under
contract to Apple Computer Inc. Additional authors include Wayne Salamon, Robert Watson, and SPARTA
Inc.
The Basic Security Module (BSM) interface to audit records and audit event stream format were defined
by Sun Microsystems.
This manual page was written by Tom Rhodes <trhodes@FreeBSD.org>, Robert Watson <rwatson@FreeBSD.org>,
and Wayne Salamon <wsalamon@FreeBSD.org>.
BSD January 29, 2009 BSD
|
Сообщение о проблемах
Способ сообщить о проблеме с этой страницей руководства зависит от типа проблемы:
- Ошибки содержания
- Ошибки отчета в содержании этой документации со ссылками на отзыв ниже.
- Отчеты об ошибках
- Сообщите об ошибках в функциональности описанного инструмента или API через Генератор отчетов Ошибки.
- Форматирование проблем
- Отчет, форматирующий ошибки в интерактивной версии этих страниц со ссылками на отзыв ниже.