diff options
Diffstat (limited to 'contrib/openbsm/man/auditon.2')
-rw-r--r-- | contrib/openbsm/man/auditon.2 | 288 |
1 files changed, 288 insertions, 0 deletions
diff --git a/contrib/openbsm/man/auditon.2 b/contrib/openbsm/man/auditon.2 new file mode 100644 index 000000000000..4e38dc4f68fc --- /dev/null +++ b/contrib/openbsm/man/auditon.2 @@ -0,0 +1,288 @@ +.\"- +.\" Copyright (c) 2005 Robert N. M. Watson +.\" Copyright (c) 2005 Tom Rhodes +.\" Copyright (c) 2005 Wayne J. Salamon +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#6 $ +.\" +.Dd April 19, 2005 +.Dt AUDITON 2 +.Os +.Sh NAME +.Nm auditon +.Nd "Configure system audit parameters" +.Sh SYNOPSIS +.In bsm/audit.h +.Ft int +.Fn auditon "int cmd" "void *data" "u_int length" +.Sh DESCRIPTION +The +.Nm +system call is used to manipulate various audit control operations. +.Ft *data +should point to a structure whose type depends on the command. +.Ft length +specifies the size of the +.Em data +in bytes. +.Ft cmd +may be any of the following: +.Bl -tag -width ".It Dv A_GETPINFO_ADDR" +.It Dv A_SETPOLICY +Set audit policy flags. +.Ft *data +must point to an long value set to one of the audit +policy control values defined in audit.h. +Currently, only +.Dv AUDIT_CNT +and +.Dv AUDIT_AHLT +are implemented. +In the +.Dv AUDIT_CNT +case, the action will continue regardless if +an event will not be audited. +In the +.Dv AUDIT_AHLT +case, a +.Xr panic 9 +will result if an event will not be written to the +audit log file. +.It Dv A_SETKAUDIT +Return +.Er ENOSYS . +.It Dv A_SETKMASK +Set the kernel preselection masks (success and failure). +.Ft *data +must point to a +.Ft au_mask_t +structure containing the mask values. +These masks are used for non-attributable audit event preselection. +.It Dv A_SETQCTRL +Set kernel audit queue parameters. +.Ft *data +must point to a +.Ft au_qctrl_t +structure containing the +kernel audit queue control settings: +.Va high water , +.Va low water , +.Va output buffer size , +.Va percent min free disk space , +and +.Em delay +(not currently used). +.It Dv A_SETSTAT +Return +.Er ENOSYS . +.It Dv A_SETUMASK +Return +.Er ENOSYS . +.It Dv A_SETSMASK +Return +.Er ENOSYS . +.It Dv A_SETCOND +Set the current auditing condition. +.Ft *data +must point to an long value containing the new +audit condition, one of +.Dv AUC_AUDITING , +.Dv AUC_NOAUDIT , +or +.Dv AUC_DISABLED . +.It Dv A_SETCLASS +Set the event class preselection mask for an audit event. +.Ft *data +must point to a +.Ft au_evclass_map_t +structure containing the audit event and mask. +.It Dv A_SETPMASK +Set the preselection masks for a process. +.Ft *data +must point to a +.Ft auditpinfo_t +structure that contains the given process's audit +preselection masks for both success and failure. +.It Dv A_SETFSIZE +Set the maximum size of the audit log file. +.Ft *data +must point to a +.Ft au_fstat_t +structure with the +.Ft af_filesz +field set to the maximum audit log file size. A value of 0 +indicates no limit to the size. +.It Dv A_SETKAUDIT +Return +.Er ENOSYS . +.It Dv A_GETCLASS +Return the event to class mapping for the designated audit event. +.Ft *data +must point to a +.Ft au_evclass_map_t +structure. +.It Dv A_GETKAUDIT +Return +.Er ENOSYS . +.It Dv A_GETPINFO +Return the audit settings for a process. +.Ft *data +must point to a +.Ft auditpinfo_t +structure which will be set to contain +the audit ID, preselection mask, terminal ID, and audit session +ID of the given process. +.It Dv A_GETPINFO_ADDR +Return +.Er ENOSYS . +.It Dv A_GETKMASK +Return the current kernel preselection masks. +.Ft *data +must point to a +.Ft au_mask_t +structure which will be set to +the current kernel preselection masks for non-attributable events. +.It Dv A_GETPOLICY +Return the current audit policy setting. +.Ft *data +must point to an long value which will be set to +one of the current audit policy flags. +Currently, only +.Dv AUDIT_CNT +and +.Dv AUDIT_AHLT +are implemented. +.It Dv A_GETQCTRL +Return the current kernel audit queue control parameters. +.Ft *data +must point to a +.Ft au_qctrl_t +structure which will be set to the current +kernel audit queue control parameters. +.It Dv A_GETFSIZE +Returns the maximum size of the audit log file. +.Ft *data +must point to a +.Ft au_fstat_t +structure. The +.Ft af_filesz +field will set to the maximum audit log file size. A value of 0 +indicates no limit to the size. +The +.Ft af_filesz +will be set to the current audit log file size. +.It Dv A_GETCWD +.\" [COMMENTED OUT]: Valid description, not yet implemented. +.\" Return the current working directory as stored in the audit subsystem. +Return +.Er ENOSYS . +.It Dv A_GETCAR +.\" [COMMENTED OUT]: Valid description, not yet implemented. +.\"Stores and returns the current active root as stored in the audit +.\"subsystem. +Return +.Er ENOSYS . +.It Dv A_GETSTAT +.\" [COMMENTED OUT]: Valid description, not yet implemented. +.\"Return the statistics stored in the audit system. +Return +.Er ENOSYS . +.It Dv A_GETCOND +Return the current auditing condition. +.Ft *data +must point to a long value which will be set to +the current audit condition, either +.Dv AUC_AUDITING +or +.Dv AUC_NOAUDIT . +.It Dv A_SENDTRIGGER +Send a trigger to the audit daemon. +.Fr *data +must point to a long value set to one of the acceptable +trigger values: +.Dv AUDIT_TRIGGER_LOW_SPACE +(low disk space where the audit log resides), +.Dv AUDIT_TRIGGER_OPEN_NEW +(open a new audit log file), +.Dv AUDIT_TRIGGER_READ_FILE +(read the audit_control file), +.Dv AUDIT_TRIGGER_CLOSE_AND_DIE +(close the current log file and exit), +or +.Dv AUDIT_TRIGGER_NO_SPACE +(no disk space left for audit log file). +.El +.Sh RETURN VALUES +.Rv -std +.Sh ERRORS +The +.Fn auditon +function will fail if: +.Bl -tag -width Er +.It Bq Er ENOSYS +Returned by options not yet implemented. +.It Bq Er EFAULT +A failure occurred while data transferred to or from +the kernel failed. +.It Bq Er EINVAL +Illegal argument was passed by a system call. +.It Bq Er EPERM +The process does not have sufficient permission to complete +the operation. +.El +.Pp +The +.Dv A_SENDTRIGGER +command is specific to the +.Fx +and Mac OS X implementations, and is not present in Solaris. +.Sh SEE ALSO +.Xr audit 2 , +.Xr auditctl 2 , +.Xr getauid 2 , +.Xr setauid 2 , +.Xr getaudit 2 , +.Xr setaudit 2 , +.Xr getaudit_addr 2 , +.Xr setaudit_addr 2 , +.Xr libbsm 3 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Pp +This manual page was written by +.An Tom Rhodes Aq trhodes@FreeBSD.org , +.An Robert Watson Aq rwatson@FreeBSD.org , +and +.An Wayne Salamon Aq wsalamon@FreeBSD.org . +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2003. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. |