Manual: (OSF1-V5.1-alpha)



audcntl(2)							   audcntl(2)



NAME

  audcntl - audit control

SYNOPSIS

  #include <sys/audit.h>

  audcntl (
  int request,
  char *argp,
  int len,
  int flag,
  uid_t	audit_id,
  pid_t	pid);

DESCRIPTION

  The audcntl system call provides control over	options	offered	by the audit
  subsystem. All requests, except where	otherwise noted, are privileged.  The
  following list describes the requests:

  GET_SYS_AMASK	and SET_SYS_AMASK
       The system auditmask (along with	the process auditmask) determines
       which system events are logged.	GET_SYS_AMASK copies the system
       auditmask into a	buffer pointed to by argp.  SET_SYS_AMASK copies from
       a buffer	pointed	to by argp into	the system auditmask.  Each of these
       operations returns the number of	bytes transferred between the user's
       buffer and the auditmask.  The len argument is the size of the user's
       buffer. The amount of data moved	between	the auditmask and the user's
       buffer is the smaller of	the auditmask size and the buffer size.

  GET_TRUSTED_AMASK and	SET_TRUSTED_AMASK
       The trusted auditmask (along with the process auditmask)	determines
       which trusted events are	logged.	 GET_TRUSTED_AMASK copies the trusted
       auditmask into a	buffer pointed to by argp. SET_TRUSTED_AMASK copies
       from a buffer pointed to	by argp	into the trusted auditmask. Each of
       these operations	returns	the number of bytes transferred	between	the
       user's buffer and the auditmask.	 The len argument is the size of the
       user's buffer.  The amount of data moved	between	the auditmask and the
       user's buffer is	the smaller of the auditmask size and the buffer
       size.

  GET_PROC_AMASK and SET_PROC_AMASK
       The process auditmask determines	(along with the	system masks) which
       system events and trusted events	are logged for the current process.
       GET_PROC_AMASK copies the process auditmask into	a buffer pointed to
       by argp.	 The size of the process auditmask is AUDIT_MASK_LEN, and
       contains	a syscall mask followed	by a trusted event mask.
       SET_PROC_AMASK copies the values	from a buffer pointed to by argp into
       the process auditmask. Each of these operations returns the number of
       bytes transferred between the user's buffer and the auditmask.  Len is
       the size	of the user's buffer.  The amount of data moved	between	the
       auditmask and the user's	buffer is the smaller of the auditmask size
       and the buffer size.

  GET_PROC_ACNTL and SET_PROC_ACNTL
       GET_PROC_ACNTL returns the audit	control	flags (the audcntl flag) of
       the current process (see	audit.h).  Audit control flags determine
       whether auditing for the process is on or off, and if on, how the
       system and process auditmask are combined.  A value of AUDIT_OFF
       indicates audit is off for that process.  A value of AUDIT_AND or AUDIT_OR
       indicates that a	logical	AND or a logical OR of the process and the
       system auditmasks has been performed.  A	value of AUDIT_USR indicates
       the process auditmask is	used for that process; the system auditmask
       is ignored.  SET_PROC_ACNTL assigns the values of the audit control
       flags from flag and returns the previous	values of the audit control
       flags.

  GET_AUDSWITCH	and SET_AUDSWITCH
       GET_AUDSWITCH returns the value of the system audit switch.  A return
       value of	1 indicates auditing is	turned on.  A value of zero indicates
       auditing	is turned off.	SET_AUDSWITCH assigns the value	of flag	to
       the system audit	switch and returns the previous	audit switch value.
       A value of 1 turns auditing on.	A value	of zero	turns auditing off.

  FLUSH_AUD_BUF
       Flushes the kernel audit	buffer to /dev/audit. In a cluster,
       /dev/audit is a CDSL (context dependent symbolic	link).

  GETPAID and SETPAID
       Not supported.

  GET_AUDSTYLE and SET_AUDSTYLE
       The system auditing style supports various options to control how much
       additional information is recorded in some audited operations.
       GET_AUDSTYLE returns the	current	value of the system audstyle flag.
       SET_AUDSTYLE sets the system audstyle flag to the value of flag,	and
       returns the previous value of the audstyle flag.	 A flag	value of
       AUD_EXEC_ARGP enables the auditing of the argument list to the exec
       system calls.  A	flag value of AUD_EXEC_ENVP enables the	auditing of
       the environment strings to the exec system calls.  AUD_LOGIN_UNAME
       enables the auditing of the username in records for failed login
       attempts.  A logical OR can be performed	on flag	values.

  GET_SITEMASK and SET_SITEMASK
       The site	mask determines	which site-defined events are logged.
       GET_SITEMASK copies the site mask into a	buffer pointed at by argp.
       SET_SITEMASK copies from	a buffer pointed at by argp into the site
       mask.  Each of these operations returns the number of bytes
       transferred between the user's buffer and the site mask.	 The len
       argument	is the size of the user's buffer.  The amount of data moved
       between the site	mask and the user's buffer is the smaller of the site
       mask size and the buffer	size.

  UPDEVENTS
       Update the auditmask flag, the audcntl flag, or both for	the specified
       process or set of processes.  The argp parameter	contains the new
       auditmask; len is the size of the user's	buffer.	 A len value of	0
       will not	modify the target process' auditmask.  The flag	parameter, if
       not -1, contains	the new	audcntl	flag.  The process ID (pid), if	not
       0, specifies the	target process.	 The audit_id parameter, if not
       AUID_INVAL, specifies the set of	all processes with that	audit_id.

  GET_HABITAT_EVENT and	SET_HABITAT_EVENT
       GET_HABITAT_EVENT gets the "habitat/system call"	name and auditmask
       bits for	a specified system call	number.	 The flag parameter is the
       system call number.  The	argp parameter points to a user	buffer of
       size len	into which the "habitat/system call" name is placed.  The
       return value is the auditmask bits, which indicate whether successful
       occurrences, failed occurrences,	or both	of this	system call are
       logged.	SET_HABITAT_EVENT sets the auditmask bits for the specified
       "habitat/system call" name.  The	argp parameter points to a user
       buffer of size len which	specifies the habitat name and system call
       name (for example, SystemV/unlink).  The	flag parameter is the new
       setting for the auditmask bits for this system call.  Note that these
       options apply only to system calls in the alternate habitats.

  GET_NSITEVENTS
       Returns the number of site events currently allowed on the system.
       This number is determined by the	sysconfig sec parameter
       audit_site_events.

  GET_AUDSIZE
       Returns the base size of an audit data buffer.  This number is
       determined by the sysconfig sec parameter audit_buffer_size.

  GET_OBJAUDBIT	and SET_OBJAUDBIT
       Gets or sets an object's	selection and deselection flags.  The object
       is named	by argp.  For SET_OBJAUDBIT, the flag argument specifies
       AUD_SELECT and/or AUD_DESELECT (see the <sys/audit.h> file).

  GET_SUBJ_AMASK
       Copies the process auditmask for	the process specified by the pid
       argument	into a buffer pointed to by argp.  The len argument is the
       size of the user's buffer.  The amount of data moved between the
       auditmask and the user's	buffer is the smaller of the auditmask size
       and the buffer size.  This operation returns the	number of bytes
       copied out to the user buffer.

  GET_SUBJ_ACNTL
       Returns the audit control flags (the audcntl flag) of the process
       specified by the	pid parameter.

RETURN VALUES

  The values returned for successful calls can be found	under the description
  of the specific call request.

  If a call fails, a -1	is returned.

ERRORS

  The audcntl call fails under the following conditions:

  [EFAULT]	 The argp argument contains an invalid address.

  [EACCES]	 The user does not have	the privileges needed to perform this
		 operation.

  [EINVAL]	 The value of the len, request,	or audit_id argument is
		 invalid.

  [ENOMEM]	 Insufficient memory to	accommodate site mask or property
		 list operation.

  [ENOSYS]	 Indicates an attempt to use a system call that is not
		 configured.

  [EROFS]	 The filesystem	is read-only; property lists cannot be set.

  [EIO]		 The argp argument contains an invalid address.

  [ESRCH]	 The specified pid does	not exist.

  [E2BIG]	 With GET_OBJAUDBIT specified, indicates an invalid property
		 list entry.
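
EXAMPLES

  The following model is an added illustration, not code from the original
  manual page or from the operating system. It does not call audcntl; it
  reproduces the mask-combination rule described under GET_PROC_ACNTL and the
  "smaller of the two sizes" copy rule of the GET_*_AMASK requests, so that the
  effect of each audit control flag on a given event can be checked.
  Assumptions: the EX_ names and their values are placeholders (the real
  constants are in <sys/audit.h>), and the two-bits-per-event mask layout is
  invented for the model.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Placeholder stand-ins for the flags named above; the real values are in
 * <sys/audit.h>. Assumed layout for this model: two bits per event. */
enum ex_acntl { EX_AUDIT_OFF, EX_AUDIT_AND, EX_AUDIT_OR, EX_AUDIT_USR };
#define EX_SUCC 0x1u /* log successful occurrences */
#define EX_FAIL 0x2u /* log failed occurrences */

/* Constructed sample: the system mask selects events 0 and 1 (both
 * outcomes); the process mask selects only failures of event 0. */
const unsigned char ex_sys[2]  = { 0x0F, 0x00 };
const unsigned char ex_proc[2] = { 0x02, 0x00 };

/* Models GET_*_AMASK: moves min(mask size, buffer size) bytes and returns
 * the count, so a short buffer silently receives a truncated mask. */
size_t ex_get_mask(const unsigned char *mask, size_t mask_len,
                   unsigned char *buf, size_t buf_len)
{
    size_t n = mask_len < buf_len ? mask_len : buf_len;
    memcpy(buf, mask, n);
    return n;
}

/* Returns the EX_SUCC/EX_FAIL bits in effect for one event under cntl. */
unsigned ex_event_bits(enum ex_acntl cntl, const unsigned char *sys,
                       const unsigned char *proc, size_t len, unsigned event)
{
    size_t i = event / 4;
    unsigned char eff;
    if (i >= len) return 0;            /* event outside the mask */
    switch (cntl) {
    case EX_AUDIT_AND: eff = sys[i] & proc[i]; break;
    case EX_AUDIT_OR:  eff = sys[i] | proc[i]; break;
    case EX_AUDIT_USR: eff = proc[i];          break; /* system mask ignored */
    default:           eff = 0;                break; /* EX_AUDIT_OFF */
    }
    return (eff >> ((event % 4) * 2)) & 0x3u;
}

int main(void)
{
    static const char *name[] = { "OFF", "AND", "OR", "USR" };
    for (int c = EX_AUDIT_OFF; c <= EX_AUDIT_USR; c++)
        printf("%-3s event0=%u event1=%u\n", name[c],
               ex_event_bits((enum ex_acntl)c, ex_sys, ex_proc, 2, 0),
               ex_event_bits((enum ex_acntl)c, ex_sys, ex_proc, 2, 1));
    return 0;
}
```

  In the sample, event 1 is selected by the system mask but is not logged
  for a process running under the USR or AND setting, which is the case to
  look for when reviewing per-process audit coverage.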




RELATED	INFORMATION

  Commands: auditconfig(8), dxaudit(8X)

  Security