Manual: (OSF1-V5.1-alpha)



auditmask(8)                                                     auditmask(8)



NAME

  auditmask - Gets or sets audit masks

SYNOPSIS

  /usr/sbin/auditmask [ flags ] [ event[:succeed:fail]] \
  [-e,E file [args... ]] [< event_list]

FLAGS

  -a audit_id
      Sets the audit mask for all processes that have the specified audit ID
      (audit_id).  By specifying the audit ID of a user, all processes with
      that audit ID are audited.  The event list specified on the command
      line becomes the audit mask for the target processes.  Note that the
      new events are combined with the current events for the target
      processes.

  -cluster
      Executes auditmask on each active member of the cluster.  Any files
      specified must be visible to all members in the cluster.
      Process-specific commands are not supported across the cluster.
      Entering auditmask -cluster prints out each cluster member's audit
      mask.

      The following auditmask options are supported with the -cluster option
      and work as follows:

      -a  Has valid meaning only for the cluster member that the user is
          currently logged into.

      -c  Not valid if -p is used.

      -f  With a specified process, -f is not supported with -cluster.
          Without a specified process, -f is supported.

      -h  Supported.

      -n  With a specified process, -n is not supported with -cluster.
          Without a specified process, -n works as usual across each cluster
          member.

      -s  Works as usual across each cluster member.

  The following auditmask options are not supported with the -cluster option:

      -e, -E, -p, -q, -Q, -x, -X, -y, -Y

  -c control_flag
      Sets the value of the audit control flag for the target audit
      processes.  The -c flag can be used only in conjunction with the -a,
      -e, -E, or -p flags.  The audit control flag strings are as follows:

      or  An audit record is generated if either the system audit mask or the
          process audit mask indicates such an event should be audited.

      and An audit record is generated if both the system audit mask and the
          process audit mask indicate such an event should be audited.

      off No audit records are generated for the current process.

      usr An audit record is generated if the process audit mask indicates
          such an event should be audited.

      syscall_off
          Turns off or on all system call auditing for the selected process
          (or group of processes if based on login user).

      habitat_usr
          Includes the habitat audit events as described in the
          /etc/sec/audit_events file.

  -E file [args...]
      Executes the file and audits all system calls and trusted events.  The
      args parameters are the arguments associated with the program file.
      This option is useful for debugging.

  -e file [args...]
      Executes the file and audits it under a specified audit mask.  The args
      parameters are the arguments associated with the program file.  For
      example: auditmask open -e test_prog foo

  -f  If a process is specified, sets that process' audit mask to all events;
      otherwise, sets the system audit mask to all events.

  -h  Displays a brief help message.

  -n  If a process is specified, clears that process' audit mask; otherwise,
      clears the system audit mask.

  -p pid [event[:succeed:fail]]
      When one or more events are provided, sets the audit mask for the
      single process specified by pid.  The event list specified on the
      command line modifies the settings for those events in the current
      audit mask of the specified process.  If only -p pid is specified, the
      events being audited for the specified pid and the audcntl flag are
      returned.  The -p option is used to check a suspicious process in real
      time.

  -q filename
      Queries the status of file filename for object selection/deselection.

  -Q filelist
      Queries the status of the files in filelist for object
      selection/deselection.

  -s audstyle
      Sets the audit style characteristics of the audit subsystem as follows:

      exec_argp
          Enables the auditing of the argument list to an execv or execve
          system call.

      exec_envp
          Enables the auditing of the environment strings to an execv or
          execve system call.

      cmd_name
          Enables recording the command name in each audit record.  The
          command name is the same name as that used in the accounting
          records.  This is the last component of the invoked pathname, and
          is restricted to a maximum of 16 characters.

      login_uname
          Enables the auditing of the user name in failed login attempts when
          the user name is not recognized.  (If the account name for a failed
          access attempt is recognized, an entry is always generated in the
          audit log.)

      obj_sel
          Enables object selection mode.

          Specifying -c obj_sel or -c obj_sel:1 enables the object selection
          mode.  Specifying -c obj_sel:0 disables the object selection mode.

          The object selection mode provides the ability to specify a set of
          files for which selected events get audited, while those same
          events on other files do not get audited.  In this mode, audit
          records get generated only when an event is selected and either
          that event is acting on a selected file or not acting on any file.
          The result is that it is possible, for example, to audit opens of
          /etc/passwd and /.rhosts while not auditing opens of /tmp/xxxx.

          See the -x and -X options, and the Security manual.

      obj_desel
          Enables object deselection mode.

          Specifying -c obj_desel or -c obj_desel:1 enables the deselection
          mode.  Specifying -c obj_desel:0 disables the deselection mode.

          The file deselection mode provides the ability to specify a set of
          files for which specific selected events do not get audited, while
          those same events on other files do get audited.

          The events which may be deselected are data access operations (no
          data modifications).  The set of events which get deselected is:

               open     close    link
               access   stat     lstat
               dup      revoke   readlink
               fstat    dup2     getdirentries
               read     lseek

          File opens for write or truncate access, however, do not get
          deselected.

          In this mode, audit records get generated for selected events,
          unless all files operated on by that system call are deselected and
          the operation is a data access.  So, if you are auditing stat and
          unlink, and the file foo is deselected, then a stat of foo would
          not be audited, but an unlink of foo would be audited (the unlink
          is not a "data access" operation).

          The result is that it is possible, for example, to not audit
          accesses to /usr/shlib/libc.so, but still audit opens of
          /etc/passwd.

          See the -y and -Y options, and the Security manual.

  -x filename[:1|:0]
      Enables or disables selection on filename.  No : or the presence of a
      :1 on the end of the argument enables the action; a :0 disables the
      action.

  -X filelist[:1|:0]
      Enables or disables selection on the files in the filelist.  No : or
      the presence of a :1 on the end of the argument enables the action; a
      :0 disables the action.

  -y filename[:1|:0]
      Enables or disables deselection on filename.  No : or the presence of a
      :1 on the end of the argument enables the action; a :0 disables the
      action.

  -Y filelist[:1|:0]
      Enables or disables deselection on the files in the filelist.  No : or
      the presence of a :1 on the end of the argument enables the action; a
      :0 disables the action.

DESCRIPTION

  The auditmask command is used to:

    +  Get or set the system audit mask and the audit style flag

    +  Get or set a process' audit mask and its audit control flag

    +  Execute a process under a specified audit mask

    +  Select or deselect filesystem objects

  The system audit mask contains system calls (default list is in
  /etc/sec/audit_events), trusted events (defined in audit.h), and
  site-defined events (/etc/sec/site_events).  The system audit mask is set
  during the setup of the audit subsystem using the auditconfig script.  The
  system audit mask can be changed at any time using the auditmask command.

  Under enhanced security, when a user logs in to the system, the
  authentication databases (/var/tcb/files/auth.db and /var/tcb/files/auth.db)
  are read and the login process' audit characteristics are set according to
  the u_auditmask and u_auditcntl entries.  This audit mask and audit control
  flag are inherited by all spawned processes.

  Setting the audit control flag of a process automatically resets a previous
  setting of AUDIT_SYSCALL_OFF for that process.

  Getting the System Audit Mask

  The auditmask command with no arguments displays the system calls, trusted
  events, and site events currently being audited for the system, and
  indicates whether they are being audited under successful or failed
  occurrences or both.  The format used for the display is acceptable as
  input to subsequent auditmask commands.

  Setting the System Audit Mask

  The auditmask command with event arguments sets the system call, trusted
  event, or site event audit masks for the system audit mask.  This is a
  cumulative operation, so it is possible to turn on or off audit for one set
  of events, then turn on or off audit for a second set of events without
  changing the first set of events (except for the intersection between the
  two sets).  Command line arguments to auditmask can include one or more
  events, each with an optional field :succeed:fail, where succeed is either
  0 to specify no auditing of successful occurrences of event or 1 to specify
  auditing of successful occurrences of event; and fail is either 0 to
  specify no auditing of failed occurrences of event or 1 to specify auditing
  of failed occurrences of event.  The event is one of the following:

    +  A system call name

    +  A trusted event name (see audit.h)

    +  A site-defined name in /etc/sec/site_events

    +  An alias defined in /etc/sec/event_aliases

  The auditmask command will also accept redirected input, which can be the
  output of a previously issued auditmask command.  This is a file containing
  lines in the following format:

       event [succeed] [fail]

  If the keyword succeed is present, successful occurrences of that event
  will be audited; if the keyword fail is present, failed occurrences of that
  event will be audited; if both are present, successful and failed
  occurrences will be audited; if neither keyword is present, that event will
  not be audited.
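  The following is an added example, not part of the manual page or of the
  auditmask program itself: a small Python model of how the two event syntaxes
  above (the command-line event[:succeed:fail] form and the redirected-input
  event [succeed] [fail] form) update a mask cumulatively.  It assumes that a
  bare event name on the command line audits both outcomes, as in the
  "auditmask open" example.

```python
# Added example (not from the auditmask man page): a model of how auditmask
# event arguments update a mask cumulatively.  Both the command-line form
# "event[:succeed:fail]" and the redirected-input form "event [succeed] [fail]"
# are handled; a mask maps event -> (audit_success, audit_failure).
from typing import Dict, Iterable, Tuple

Mask = Dict[str, Tuple[bool, bool]]

def parse_cli_event(arg: str) -> Tuple[str, bool, bool]:
    """Parse 'open' or 'open:1:0'.  Assumption: a bare event name audits
    both successful and failed occurrences (as in 'auditmask open')."""
    parts = arg.split(":")
    if len(parts) == 1:
        return parts[0], True, True
    ok = len(parts) == 3 and all(p in ("0", "1") for p in parts[1:])
    if not ok:
        raise ValueError(f"bad event spec: {arg!r}")
    return parts[0], parts[1] == "1", parts[2] == "1"

def parse_mask_line(line: str) -> Tuple[str, bool, bool]:
    """Parse one line of redirected input: 'event [succeed] [fail]'."""
    fields = line.split()
    if not fields:
        raise ValueError("empty line")
    event, keywords = fields[0], set(fields[1:])
    if not keywords <= {"succeed", "fail"}:
        raise ValueError(f"bad keywords on line: {line!r}")
    return event, "succeed" in keywords, "fail" in keywords

def apply_events(mask: Mask, specs: Iterable[Tuple[str, bool, bool]]) -> Mask:
    """Cumulative update: only the named events change; the rest keep their
    current setting, as the man page describes for system-mask updates."""
    new = dict(mask)
    for event, succ, fail in specs:
        new[event] = (succ, fail)
    return new

def format_mask(mask: Mask) -> str:
    """Render the mask in the 'event [succeed] [fail]' form that auditmask
    prints, so the output can be fed back as redirected input."""
    lines = []
    for event in sorted(mask):
        succ, fail = mask[event]
        words = [event] + (["succeed"] if succ else []) + (["fail"] if fail else [])
        lines.append(" ".join(words))
    return "\n".join(lines)
```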

  The auditmask command with the -s option is used to set the audit style
  characteristics of the audit subsystem.  See the description of the -s
  option.

  Getting and Setting a Process' Auditmask

  The audit characteristics for a process are made up of the process
  auditmask and the audit control flag.  The auditmask command can be used to
  set or get the audit characteristics for a specified process.  If no audit
  characteristics are specified, auditmask gets the process' auditmask and
  control flag; if any audit characteristics are specified, auditmask sets
  the process' auditmask and/or the audit control flag.

  Processes are specified as follows:

    +  A single process using the -p option

    +  A family of processes using the -a option

    +  A new process using the -e or -E option

  Site-defined events and habitat system calls can be set only for the
  system, as opposed to the processes.  See the habitat_usr selection under
  the -c control_flag flag.

  A program can be executed with a specified auditmask using the -e or -E
  options.  This can be used to learn more about the program's behavior.  The
  -e and -E options set the process audit control flag to AUDIT_USR (unless
  explicitly set otherwise).

  Using Object Selection and Deselection

  Object selection and deselection modes provide another preselection
  mechanism designed to help administrators audit specifically those
  operations of interest to them.

  Some events, such as mount and reboot, are operations affecting system
  state; other events, such as open and unlink, are operations which affect
  specific files.  While all reboot attempts might be security relevant, all
  file opens might not be (based on the site security model).  The file
  object selection/deselection mechanism provides a further level of
  granularity for events which operate on files.

  This mechanism can be run in either file selection (audstyle obj_sel) or
  file deselection (audstyle obj_desel) mode.

  Note that processes with a flag of AUDIT_USR do not have their auditing
  reduced through the selection/deselection mechanism.
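  The following is an added example, not part of the manual page or of the
  audit subsystem's own code: a Python model of the record decision described
  under the -c control_flag strings (or, and, off, usr) and under the obj_sel
  and obj_desel audit styles above.  Masks are modelled as sets of audited
  events; the event names, file names and the deselectable data-access set are
  taken from this page, and the file sets in the comments are constructed.

```python
# Added example (not from the auditmask man page): a model of the decision
# the page describes, combining the -c control flag (or/and/off/usr) with
# object selection (obj_sel) and deselection (obj_desel).  Masks are modelled
# as sets of audited events; event names and file sets are constructed here.
from typing import FrozenSet, Optional, Set

# The data-access events the page lists as deselectable under obj_desel.
DATA_ACCESS = frozenset({"open", "close", "link", "access", "stat", "lstat",
                         "dup", "revoke", "readlink", "fstat", "dup2",
                         "getdirentries", "read", "lseek"})

def event_selected(event: str, system_mask: Set[str], process_mask: Set[str],
                   control_flag: str) -> bool:
    """Apply the -c control flag: or, and, off, or usr (AUDIT_USR)."""
    in_sys, in_proc = event in system_mask, event in process_mask
    return {"or": in_sys or in_proc, "and": in_sys and in_proc,
            "off": False, "usr": in_proc}[control_flag]

def record_generated(event: str, files: FrozenSet[str], *,
                     system_mask: Set[str], process_mask: Set[str],
                     control_flag: str, audstyle: Optional[str] = None,
                     selected: FrozenSet[str] = frozenset(),
                     deselected: FrozenSet[str] = frozenset(),
                     open_for_write: bool = False) -> bool:
    """Decide whether one occurrence of `event` on `files` yields a record.
    audstyle is None, 'obj_sel' or 'obj_desel'; `files` is empty for calls
    such as reboot that act on no file."""
    if not event_selected(event, system_mask, process_mask, control_flag):
        return False
    if control_flag == "usr" or audstyle is None:
        return True  # AUDIT_USR processes are never reduced by obj_sel/desel
    if audstyle == "obj_sel":
        # Record only when the call touches a selected file or no file at all.
        return not files or bool(files & selected)
    if audstyle == "obj_desel":
        # Suppress only a data access whose files are all deselected; an open
        # for write or truncate is never deselected.
        if event not in DATA_ACCESS or (event == "open" and open_for_write):
            return True
        return not (files and files <= deselected)
    raise ValueError(f"unknown audstyle {audstyle!r}")
```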



  Cluster Audit Masks

  Each member of a cluster runs with its own auditmask.  To simplify keeping
  the masks identical, use the -cluster option.

EXAMPLES

  The command line in the following example returns the auditmask and audit
  control flag for process 999:

       # auditmask -p 999

  The command line in the following example executes the my_prog program with
  the open system call added to its auditmask and no change to its audit
  control flag:

       # auditmask open -e my_prog

  The command line in the following example executes the vi command on the
  /etc/motd file with its auditmask set to audit all system calls and all
  trusted events, and its audit control flag set to OR:

       # auditmask -c or -E vi /etc/motd

RELATED INFORMATION

  Commands: auditconfig(8)

  Functions: audcntl(2)

  Security