Provided by: freebsd-manpages_7.1~beta1-1_all bug

NAME

     auditon - configure system audit parameters

SYNOPSIS

     #include <bsm/audit.h>

     int
     auditon(int cmd, void *data, u_int length);

DESCRIPTION

     The auditon() system call is used to manipulate various audit control
     operations.  The data argument should point to a structure whose type
     depends on the command.  The length argument specifies the size of *data
     in bytes.  The cmd argument may be any of the following:

     A_SETPOLICY      Set audit policy flags.  The data argument must point to
                      a long value set to one of the audit policy control
                      values defined in Currently, only AUDIT_CNT and
                      AUDIT_AHLT are implemented.  In the AUDIT_CNT case, the
                      action will continue regardless if an event will not be
                      audited.  In the AUDIT_AHLT case, a panic(9) will result
                      if an event will not be written to the audit log file.

     A_SETKAUDIT      Return ENOSYS.

     A_SETKMASK       Set the kernel preselection masks (success and failure).
                      The data argument must point to a au_mask_t structure
                      containing the mask values.  These masks are used for
                      non-attributable audit event preselection.

     A_SETQCTRL       Set kernel audit queue parameters.  The data argument
                      must point to a au_qctrl_t structure containing the
                      kernel audit queue control settings: “high water”, “low
                      water”, “output buffer size”, “percent min free disk
                      space”, and “delay” (not currently used).

     A_SETSTAT        Return ENOSYS.

     A_SETUMASK       Return ENOSYS.

     A_SETSMASK       Return ENOSYS.

     A_SETCOND        Set the current auditing condition.  The data argument
                      must point to a long value containing the new audit
                      condition, one of AUC_AUDITING, AUC_NOAUDIT, or
                      AUC_DISABLED.

     A_SETCLASS       Set the event class preselection mask for an audit
                      event.  The data argument must point to a
                      au_evclass_map_t structure containing the audit event
                      and mask.

     A_SETPMASK       Set the preselection masks for a process.  The data
                      argument must point to a auditpinfo_t structure that
                      contains the given process’s audit preselection masks
                      for both success and failure.

     A_SETFSIZE       Set the maximum size of the audit log file.  The data
                      argument must point to a au_fstat_t structure with the
                      af_filesz field set to the maximum audit log file size.
                      A value of 0 indicates no limit to the size.

     A_SETKAUDIT      Return ENOSYS.

     A_GETCLASS       Return the event to class mapping for the designated
                      audit event.  The data argument must point to a
                      au_evclass_map_t structure.

     A_GETKAUDIT      Return ENOSYS.

     A_GETPINFO       Return the audit settings for a process.  The data
                      argument must point to a auditpinfo_t structure which
                      will be set to contain the audit ID, preselection mask,
                      terminal ID, and audit session ID of the given process.

     A_GETPINFO_ADDR  Return ENOSYS.

     A_GETKMASK       Return the current kernel preselection masks.  The data
                      argument must point to a au_mask_t structure which will
                      be set to the current kernel preselection masks for non-
                      attributable events.

     A_GETPOLICY      Return the current audit policy setting.  The data
                      argument must point to a long value which will be set to
                      one of the current audit policy flags.  Currently, only
                      AUDIT_CNT and AUDIT_AHLT are implemented.

     A_GETQCTRL       Return the current kernel audit queue control
                      parameters.  The data argument must point to a
                      au_qctrl_t structure which will be set to the current
                      kernel audit queue control parameters.

     A_GETFSIZE       Returns the maximum size of the audit log file.  The
                      data argument must point to a au_fstat_t structure.  The
                      af_filesz field will be set to the maximum audit log
                      file size.  A value of 0 indicates no limit to the size.
                      The af_currsz field will be set to the current audit log
                      file size.

     A_GETCWD         Return ENOSYS.

     A_GETCAR         Return ENOSYS.

     A_GETSTAT        Return ENOSYS.

     A_GETCOND        Return the current auditing condition.  The data
                      argument must point to a long value which will be set to
                      the current audit condition, either AUC_AUDITING or
                      AUC_NOAUDIT.

     A_SENDTRIGGER    Send a trigger to the audit daemon.  The data argument
                      must point to a long value set to one of the acceptable
                      trigger values: AUDIT_TRIGGER_LOW_SPACE (low disk space
                      where the audit log resides), AUDIT_TRIGGER_OPEN_NEW
                      (open a new audit log file), AUDIT_TRIGGER_READ_FILE
                      (read the audit_control file),
                      AUDIT_TRIGGER_CLOSE_AND_DIE (close the current log file
                      and exit), or AUDIT_TRIGGER_NO_SPACE (no disk space left
                      for audit log file).

RETURN VALUES

     Upon successful completion, the value 0 is returned; otherwise the
     value -1 is returned and the global variable errno is set to indicate the
     error.

ERRORS

     The auditon() function will fail if:

     [ENOSYS]           Returned by options not yet implemented.

     [EFAULT]           A failure occurred while data transferred to or from
                        the kernel failed.

     [EINVAL]           Illegal argument was passed by a system call.

     [EPERM]            The process does not have sufficient permission to
                        complete the operation.

     The A_SENDTRIGGER command is specific to the FreeBSD and Mac OS X
     implementations, and is not present in Solaris.

SEE ALSO

     audit(2), auditctl(2), getaudit(2), getaudit_addr(2), getauid(2),
     setaudit(2), setaudit_addr(2), setauid(2), libbsm(3)

HISTORY

     The OpenBSM implementation was created by McAfee Research, the security
     division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
     It was subsequently adopted by the TrustedBSD Project as the foundation
     for the OpenBSM distribution.

AUTHORS

     This software was created by McAfee Research, the security research
     division of McAfee, Inc., under contract to Apple Computer Inc.
     Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.

     The Basic Security Module (BSM) interface to audit records and audit
     event stream format were defined by Sun Microsystems.

     This manual page was written by Tom Rhodes 〈trhodes@FreeBSD.org〉, Robert
     Watson 〈rwatson@FreeBSD.org〉, and Wayne Salamon 〈wsalamon@FreeBSD.org〉.