Sun Microsystems, Inc.
spacerspacer
spacer   www.sun.com docs.sun.com | | |  
spacer
black dot
   
A   B   C   D   E   F   G   H   I   J   K   L   M   N   O   P   Q   R   S   T   U   V   W   X   Y   Z
    
 
System Administration Commandsauditconfig(1M)


NAME

 auditconfig - configure auditing

SYNOPSIS

 auditconfig option ...

DESCRIPTION

 

auditconfig provides a command line interface to get and set kernel audit parameters.

The functionality described in this man page is available only if the Basic Security Module (BSM) has been enabled. See bsmconv(1M) for more information.

OPTIONS

 
-aconf
Set the non-attributable audit mask from the audit_control(4) file. For example:

 
# auditconfig -aconf
Configured non-attributable events.

-audit event sorf retval string
This command constructs an audit record for audit event event using the process's audit characteristics containing a text token string. The return token is constructed from the sorf (success/failure flag) and the retval (return value). The event is type char*, the sorf is 0/1 for success/failure, retval is an errno value, string is type *char. This command is useful for constructing an audit record with a shell script. An example of this option:

 
# auditconfig -audit AUE_ftpd 0 0 "test string"
#

audit record from audit trail:
    header,76,2,ftp access,,Fri Dec 08 08:44:02 2000, + 669 msec
    subject,abc,root,other,root,other,104449,102336,235 197121 elbow
    text,test string
    return,success,0

-chkaconf
Checks the configuration of the non-attributable events set in the kernel against the entries in audit_control(4). If the runtime class mask of a kernel audit event does not match the configured class mask, a mismatch is reported.
-chkconf
Check the configuration of kernel audit event to class mappings. If the runtime class mask of a kernel audit event does not match the configured class mask, a mismatch is reported.
-conf
Configure kernel audit event to class mappings. Runtime class mappings are changed to match those in the audit event to class database file.
-getasid
Prints the audit session ID of the current process. For example:

 
# auditconfig -getasid
audit session id = 102336

-getaudit
Returns the audit characteristics of the current process.

 
# auditconfig -getaudit
audit id = abc(666)
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 235,197121,elbow(129.146.89.77)
audit session id = 102336

-getauid
Prints the audit ID of the current process. For example:

 
# auditconfig -getauid
audit id = abc(666)

-getcar
Prints current active root location (anchored from root at system boot). For example:

 
# auditconfig -getcar
current active root = /

-getclass event
Display the preselection mask associated with the specified kernel audit event. event is the kernel event number or event name.
-getcond
Display the kernel audit condition. The condition displayed is the literal string auditing meaning auditing is enabled and turned on (the kernel audit module is constructing and queuing audit records); noaudit, meaning auditing is enabled but turned off (the kernel audit module is not constructing and queuing audit records); disabled, meaning that the audit module has not been enabled; or nospace, meaning there is no space for saving audit records. See auditon(2) and auditd(1M) for further information.
-getestate event
For the specified event (string or event number), print out classes event has been assigned. For example:

 
# auditconfig -getestate 20
audit class mask for event AUE_REBOOT(20) = 0x800
# auditconfig -getestate AUE_RENAME
audit class mask for event AUE_RENAME(42) = 0x30

-getfsize
Return the maximum audit file size in bytes and the current size of the audit file in bytes.
-getkaudit
Get audit characteristics of machine. For example:

 
# auditconfig -getkaudit
audit id = unknown(-2)
process preselection mask = lo,na(0x1400,0x1400)
terminal id (maj,min,host) = 0,0,(0.0.0.0)
audit session id = 0

-getkmask
Get non-attributable pre-selection mask for machine. For example:

 
# auditconfig -getkmask
audit flags for non-attributable events = lo,na(0x1400,0x1400)

-getpinfo pid
Display the audit ID, preselection mask, terminal ID, and audit session ID for the specified process.
-getpolicy
Display the kernel audit policy.
-getcwd
Prints current working directory (anchored from root at system boot). For example:

 
# cd /usr/tmp
# auditconfig -getcwd
current working directory = /var/tmp

-getqbufsz
Get audit queue write buffer size. For example:

 
# auditconfig -getqbufsz
        audit queue buffer size (bytes) = 1024

-getqctrl
Get audit queue write buffer size, audit queue hiwater mark, audit queue lowater mark, audit queue prod interval (ticks).

 
# auditconfig -getqctrl
audit queue hiwater mark (records) = 100
audit queue lowater mark (records) = 10
audit queue buffer size (bytes) = 1024
audit queue delay (ticks) = 20

-getqdelay
Get interval at which audit queue is prodded to start output. For example:

 
# auditconfig -getqdelay
audit queue delay (ticks) = 20

-getqhiwater
Get high water point in undelivered audit records when audit generation will block. For example:

 
# ./auditconfig -getqhiwater
audit queue hiwater mark (records) = 100

-getqlowater
Get low water point in undelivered audit records where blocked processes will resume. For example:

 
# auditconfig -getqlowater
audit queue lowater mark (records) = 10

-getstat
Print current audit statistics information. For example:

 
# auditconfig -getstat
gen nona kern  aud  ctl  enq wrtn wblk rblk drop  tot  mem
910    1  725  184    0  910  910    0  231    0   88   48

-gettid
Print audit terminal ID for current process. For example:

 
# auditconfig -gettid
terminal id (maj,min,host) = 235,197121,elbow(129.146.89.77)

-lsevent
Display the currently configured (runtime) kernel and user level audit event information.
-lspolicy
Display the kernel audit policies with a description of each policy.
-setasid session-ID [cmd]
Execute shell or cmd with specified session-ID. For example:

 
# ./auditconfig -setasid 2000 /bin/ksh
#
# ./auditconfig -getpinfo 104485
audit id = abc(666)
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 235,197121,elbow(129.146.89.77)
audit session id = 2000

-setaudit audit-ID preselect_flags term-ID session-ID [cmd]
Execute shell or cmd with the specified audit characteristics.
-setauid audit-ID [cmd]
Execute shell or cmd with the specified audit-ID.
-setclass event audit_flag[,audit_flag ...]
Map the kernel event event to the classes specified by audit_flags. event is an event number or name. An audit_flag is a two character string representing an audit class. See audit_control(4) for further information.
-setcond [auditing|noaudit|nospace]
Set the kernel audit condition to the condition specified where condition is the literal string auditing, indicating auditing should be enabled; noaudit, indicating auditing should be disabled; or nospace, which forces a no-space condition. (See -getcond, above.)
-setfsize size
Set the maximum size of an audit file to size bytes. When the size limit is reached, the audit file is closed and another is started.
-setkaudit IP-address_type IP_address
Set IP address of machine to specified values. IP-address_type is ipv6 or ipv4.
-setkmask audit_flags
Set non-attributes selection flags of machine.
-setpmask pid flags
Set the preselection mask of the specified process. flags is the ASCII representation of the flags similar to that in audit_control(4).
-setpolicy [+|-]policy_flag[,policy_flag ...]
Set the kernel audit policy. A policy policy_flag is literal strings that denotes an audit policy. A prefix of + adds the policies specified to the current audit policies. A prefix of - removes the policies specified from the current audit policies. The following are the valid policy flag strings (auditconfig -lspolicy also lists the current valid audit policy flag strings):
all
Include all policies.
arge
Include the execv(2) system call environment arguments to the audit record. This information is not included by default.
argv
Include the execv(2) system call parameter arguments to the audit record. This information is not included by default.
cnt
Do not suspend processes when audit resources are exhausted. Instead, drop audit records and keep a count of the number of records dropped. By default, process are suspended until audit resources become available.
group
Include the supplementary group token in audit records. By default, the group token is not included.
none
Include no policies.
path
Add secondary path tokens to audit record. These are typically the pathnames of dynamically linked shared libraries or command interpreters for shell scripts. By default, they are not included.
trail
Include the trailer token in every audit record. By default, the trailer token is not included.
seq
Include the sequence token as part of every audit record. By default, the sequence token is not included. The sequence token attaches a sequence number to every audit record.
-setqbufsz buffer_size
Set the audit queue write buffer size (bytes).
-setqctrl hiwater lowater bufsz interval
Set the audit queue write buffer size (bytes), hiwater audit record count, lowater audit record count, and wakeup interval (ticks).
-setqdelay interval
Set the audit queue wakeup interval (ticks). This determines the interval at which the kernel pokes the audit queue, to write audit records to the audit trail.
-setqhiwater hiwater
Set the number of undelivered audit records in the audit queue at which audit record generation blocks.
-setqlowater lowater
Set the number of undelivered audit records in the audit queue at which blocked auditing processes unblock.
-setsmask asid flags
Set the preselection mask of all processes with the specified audit session ID.
-setstat
Reset audit statistics counters.
-setumask auid flags
Set the preselection mask of all processes with the specified audit ID.

EXAMPLES

 Example 1. A sample auditconfig program
 

 
#
# map kernel audit event number 10 to the "fr" audit class
#
% auditconfig -setclass 10 fr

#
# turn on inclusion of exec arguments in exec audit records
#
% auditconfig -setpolicy +argv

EXIT STATUS

 
0
Successful completion.
1
An error occurred.

FILES

 
/etc/security/audit_event
/etc/security/audit_class

ATTRIBUTES

 

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPEATTRIBUTE VALUE
AvailabilitySUNWcsu

SEE ALSO

 

auditd(1M), bsmconv(1M), praudit(1M), auditon(2), execv(2), audit_class(4), audit_control(4), audit_event(4), attributes(5)


SunOS 5.9Go To TopLast Changed 7 May 2001

 
      
      
Copyright 2002 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms.