audcntl - audit control
#include <sys/audit.h>

int audcntl(
        int request,
        char *argp,
        int len,
        int flag,
        uid_t audit_id,
        pid_t pid );
The audcntl system call provides control over flags offered by the audit
subsystem. All requests, except where otherwise noted, are privileged. The
following list describes the requests:

GET_SYS_AMASK, SET_SYS_AMASK
    The system auditmask (along with the process auditmask) determines which
    system events are logged. GET_SYS_AMASK copies the system auditmask into
    a buffer pointed to by argp. SET_SYS_AMASK copies from a buffer pointed
    to by argp into the system auditmask. Each of these operations returns
    the number of bytes transferred between the user's buffer and the
    auditmask. The len argument is the size of the user's buffer. The amount
    of data moved between the auditmask and the user's buffer is the smaller
    of the auditmask size and the buffer size.

GET_TRUSTED_AMASK, SET_TRUSTED_AMASK
    The trusted auditmask (along with the process auditmask) determines
    which trusted events are logged. GET_TRUSTED_AMASK copies the trusted
    auditmask into a buffer pointed to by argp. SET_TRUSTED_AMASK copies
    from a buffer pointed to by argp into the trusted auditmask. Each of
    these operations returns the number of bytes transferred between the
    user's buffer and the auditmask. The len argument is the size of the
    user's buffer. The amount of data moved between the auditmask and the
    user's buffer is the smaller of the auditmask size and the buffer size.

GET_PROC_AMASK, SET_PROC_AMASK
    The process auditmask determines (along with the system masks) which
    system events and trusted events are logged for the current process.
    GET_PROC_AMASK copies the process auditmask into a buffer pointed to by
    argp. The size of the process auditmask is AUDIT_MASK_LEN; it contains a
    syscall mask followed by a trusted event mask. SET_PROC_AMASK copies the
    values from a buffer pointed to by argp into the process auditmask. Each
    of these operations returns the number of bytes transferred between the
    user's buffer and the auditmask. The len argument is the size of the
    user's buffer. The amount of data moved between the auditmask and the
    user's buffer is the smaller of the auditmask size and the buffer size.

GET_PROC_ACNTL, SET_PROC_ACNTL
    GET_PROC_ACNTL returns the audit control flags (the audcntl flag) of the
    current process (see audit.h). Audit control flags determine whether
    auditing for the process is on or off and, if on, how the system and
    process auditmasks are combined. A value of AUDIT_OFF indicates audit is
    off for that process. A value of AUDIT_AND or AUDIT_OR indicates that a
    logical AND or a logical OR of the process and the system auditmasks has
    been performed. A value of AUDIT_USR indicates the process auditmask is
    used for that process; the system auditmask is ignored. SET_PROC_ACNTL
    assigns the values of the audit control flags from flag and returns the
    previous values of the audit control flags.

GET_AUDSWITCH, SET_AUDSWITCH
    GET_AUDSWITCH returns the value of the system audit switch. A return
    value of 1 indicates auditing is turned on. A value of zero indicates
    auditing is turned off. SET_AUDSWITCH assigns the value of flag to the
    system audit switch and returns the previous audit switch value. A value
    of 1 turns auditing on. A value of zero turns auditing off.

    Flushes the kernel audit buffer to /dev/audit. In a cluster, /dev/audit
    is a CDSL (context dependent symbolic link).

    Not supported.
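The following is an added example, not code from this manual or from the operating system, illustrating what the audcntl flag and the two masks above mean for a single process: given a system auditmask, a process auditmask and a flag of AUDIT_OFF, AUDIT_AND, AUDIT_OR or AUDIT_USR, it computes the effective mask (honouring the "smaller of the auditmask size and the buffer size" copy rule) and answers whether a given event would be logged. The enum values, MASK_LEN and the two-bits-per-event (success/failure) layout are assumptions standing in for the definitions in <sys/audit.h>; on a real system the kernel performs this combination and the header is authoritative.

```c
/* Added example, not Tru64 code: how a process's audcntl flag combines the
 * system and process auditmasks, and the "smaller of the two sizes" copy rule.
 * Enum values, MASK_LEN and the 2-bits-per-event layout are ASSUMED stand-ins. */
#include <stdint.h>
#include <string.h>
enum { AUDIT_OFF = 0, AUDIT_AND = 1, AUDIT_OR = 2, AUDIT_USR = 3 }; /* assumed */
#define MASK_LEN    4    /* stand-in for AUDIT_MASK_LEN: 16 events, 2 bits each */
#define BIT_SUCCESS 0x1  /* low bit of an event's pair: log successful calls */
#define BIT_FAILURE 0x2  /* high bit of the pair: log failed calls */
/* Documented copy rule: bytes moved = min(mask size, buffer size). */
size_t mask_copy(const uint8_t *mask, size_t masklen, uint8_t *buf, size_t buflen)
{
    size_t n = masklen < buflen ? masklen : buflen;
    memcpy(buf, mask, n);
    return n;
}
/* Mask the kernel consults for audcntl flag ctl; bytes written, or -1 if unknown. */
int effective_mask(int ctl, const uint8_t *sysmask, const uint8_t *procmask,
                   uint8_t *out, size_t outlen)
{
    uint8_t tmp[MASK_LEN];
    for (size_t i = 0; i < MASK_LEN; i++) {
        switch (ctl) {
        case AUDIT_OFF: tmp[i] = 0;                        break;
        case AUDIT_AND: tmp[i] = sysmask[i] & procmask[i]; break;
        case AUDIT_OR:  tmp[i] = sysmask[i] | procmask[i]; break;
        case AUDIT_USR: tmp[i] = procmask[i];              break;
        default:        return -1;
        }
    }
    return (int)mask_copy(tmp, MASK_LEN, out, outlen);
}
/* Would event number ev (0..15) be logged, given whether it succeeded? */
int event_audited(const uint8_t *mask, int ev, int succeeded)
{
    if (ev < 0 || ev >= MASK_LEN * 4) return 0;
    uint8_t pair = (mask[ev / 4] >> ((ev % 4) * 2)) & 0x3;
    return (pair & (succeeded ? BIT_SUCCESS : BIT_FAILURE)) != 0;
}
/* Constructed sample: the system mask audits events 0-1 on success and failure;
 * the process mask audits only failures of 0-1, and everything for events 4-7. */
int sample_event_audited(int ctl, int ev, int succeeded)
{
    static const uint8_t sysmask[MASK_LEN]  = {0x0F, 0x00, 0x00, 0x00};
    static const uint8_t procmask[MASK_LEN] = {0x0A, 0xFF, 0x00, 0x00};
    uint8_t out[MASK_LEN];
    if (effective_mask(ctl, sysmask, procmask, out, sizeof out) < 0) return -1;
    return event_audited(out, ev, succeeded);
}
```

With the sample masks, a process under AUDIT_AND logs only failed event 0 and 1 calls, under AUDIT_OR it also logs their successes and everything the process mask adds, and under AUDIT_USR the system mask no longer restricts it at all.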
GET_AUDSTYLE, SET_AUDSTYLE
    The system auditing style supports various flags to control how much
    additional information is recorded in some audited operations.
    GET_AUDSTYLE returns the current value of the system audstyle flag.
    SET_AUDSTYLE sets the system audstyle flag to the value of flag, and
    returns the previous value of the audstyle flag. A flag value of
    AUD_EXEC_ARGP enables the auditing of the argument list to the exec
    system calls. A flag value of AUD_EXEC_ENVP enables the auditing of the
    environment strings to the exec system calls. AUD_LOGIN_UNAME enables
    the auditing of the username in records for failed login attempts. A
    logical OR can be performed on flag values.

GET_SITEMASK, SET_SITEMASK
    The site mask determines which site-defined events are logged.
    GET_SITEMASK copies the site mask into a buffer pointed at by argp.
    SET_SITEMASK copies from a buffer pointed at by argp into the site mask.
    Each of these operations returns the number of bytes transferred between
    the user's buffer and the site mask. The len argument is the size of the
    user's buffer. The amount of data moved between the site mask and the
    user's buffer is the smaller of the site mask size and the buffer size.

    Update the auditmask flag, the audcntl flag, or both for the specified
    process or set of processes. The argp parameter contains the new
    auditmask; len is the size of the user's buffer. A len value of 0 will
    not modify the target process' auditmask. The flag parameter, if not
    -1, contains the new audcntl flag. The process ID (pid), if not 0,
    specifies the target process. The audit_id parameter, if not AUID_INVAL,
    specifies the set of all processes with that audit_id.

GET_HABITAT_EVENT, SET_HABITAT_EVENT
    GET_HABITAT_EVENT gets the "habitat/system call" name and auditmask bits
    for a specified system call number. The flag parameter is the system
    call number. The argp parameter points to a user buffer of size len into
    which the "habitat/system call" name is placed. The return value is the
    auditmask bits, which indicate whether successful occurrences, failed
    occurrences, or both of this system call are logged. SET_HABITAT_EVENT
    sets the auditmask bits for the specified "habitat/system call" name.
    The argp parameter points to a user buffer of size len which specifies
    the habitat name and system call name (for example, SystemV/unlink).
    The flag parameter is the new setting for the auditmask bits for this
    system call. Note that these flags apply only to system calls in the
    alternate habitats.

    Returns the number of site events currently allowed on the system. This
    number is determined by the sysconfig sec parameter audit_site_events.

    Returns the base size of an audit data buffer. This number is determined
    by the sysconfig sec parameter audit_buffer_size.

GET_OBJAUDBIT, SET_OBJAUDBIT
    Gets or sets an object's selection and deselection flags. The object is
    named by argp. For SET_OBJAUDBIT, the flag argument specifies AUD_SELECT
    and/or AUD_DESELECT (see the <sys/audit.h> file).

    Copies the process auditmask for the process specified by the pid
    argument into a buffer pointed to by argp. The len argument is the size
    of the user's buffer. The amount of data moved between the auditmask and
    the user's buffer is the smaller of the auditmask size and the buffer
    size. This operation returns the number of bytes copied out to the user
    buffer.

    Returns the audit control flags (the audcntl flag) of the process
    specified by the pid parameter.
The values returned for successful calls can be found under the description
of the specific call request. If a call fails, -1 is returned.

The audcntl call fails under the following conditions:

    The argp argument contains an invalid address.

    The user does not have the privileges needed to perform this operation.

    The value of the len, request, or audit_id argument is invalid.

    Insufficient memory to accommodate the site mask or property list
    operation.

    Indicates an attempt to use a system call that is not configured.

    The filesystem is read-only; property lists cannot be set.

    The specified pid does not exist.

    With GET_OBJAUDBIT specified, indicates an invalid property list entry.
Commands: auditconfig(8), dxaudit(8X)
Security
audcntl(2)