Unix‎ > ‎Solaris‎ > ‎Solaris man pages‎ > ‎1m‎ > ‎

auditconfig


NAME
     auditconfig - configure auditing

SYNOPSIS
     auditconfig option...


DESCRIPTION
     auditconfig provides a command line interface to get and set
     kernel audit parameters.


     This functionality is available only if the  Basic  Security
     Module  (BSM)  has  been  enabled.  See bsmconv(1M) for more
     information.


     The setting of the perzone policy determines  the  scope  of
     the  audit  setting controlled by auditconfig. If perzone is
     set, then the values reflect the local zone except as noted.
     Otherwise,  the settings are for the entire system. Any res-
     triction based on the perzone  setting  is  noted  for  each
     option to which it applies.


     A non-global zone administrator can  set  all  audit  policy
     options  except   perzone  and  ahlt. perzone and ahlt apply
     only to the global zone; setting these policies requires the
     privileges  of a global zone administrator. perzone and ahlt
     are described under the -setpolicy option, below.

OPTIONS
     -aconf

         Set   the   non-attributable   audit   mask   from   the
         audit_control(4) file. For example:

           # auditconfig -aconf
           Configured non-attributable events.




     -audit event sorf retval string

         This command constructs an audit record for audit  event
         event using the process's audit characteristics contain-
         ing a text token string. The return token is constructed
         from  the  sorf  (success/failure  flag)  and the retval
         (return value). The event is type char*, the sorf is 0/1
         for success/failure, retval is an errno value, string is
         type *char. This command is useful for  constructing  an
         audit  record  with  a  shell script. An example of this
         option:

           # auditconfig -audit AUE_ftpd 0 0 "test string"
           #

           audit record from audit trail:
               header,76,2,ftp access,,Fri Dec 08 08:44:02 2000, + 669 msec
               subject,abc,root,other,root,other,104449,102336,235 197121 elbow
               text,test string
               return,success,0




     -chkaconf

         Checks the configuration of the non-attributable  events
         set    in    the   kernel   against   the   entries   in
         audit_control(4). If the runtime class mask of a  kernel
         audit  event does not match the configured class mask, a
         mismatch is reported.


     -chkconf

         Check the configuration of kernel audit event  to  class
         mappings.  If  the  runtime class mask of a kernel audit
         event does  not  match  the  configured  class  mask,  a
         mismatch is reported.


     -conf

         Configure kernel audit event to class mappings.  Runtime
         class  mappings  are changed to match those in the audit
         event to class database file.


     -getasid

         Prints the audit session ID of the current process.  For
         example:

           # auditconfig -getasid
           audit session id = 102336




     -getaudit

         Returns the audit characteristics of  the  current  pro-
         cess.

           # auditconfig -getaudit
           audit id = abc(666)
           process preselection mask = lo(0x1000,0x1000)
           terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
           audit session id = 102336




     -getauid

         Prints the audit ID of the current process. For example:

           # auditconfig -getauid
           audit id = abc(666)




     -getcar

         Prints current active root location (anchored from  root
         [or local zone root] at system boot). For example:

           # auditconfig -getcar
           current active root = /




     -getclass event

         Display the preselection mask associated with the speci-
         fied  kernel  audit  event.  event  is  the kernel event
         number or event name.


     -getcond

         Display  the  kernel  audit  condition.  The   condition
         displayed  is the literal string auditing meaning audit-
         ing is enabled and turned on (the kernel audit module is
         constructing  and queuing audit records); noaudit, mean-
         ing auditing is enabled but turned off (the kernel audit
         module  is  not constructing and queuing audit records);
         disabled, meaning that the audit  module  has  not  been
         enabled;  or nospace, meaning there is no space for sav-
         ing audit records. See  auditon(2)  and  auditd(1M)  for
         further information.

     -getestate event

         For the specified event (string or event number),  print
         out classes event has been assigned. For example:

           # auditconfig -getestate 20
           audit class mask for event AUE_REBOOT(20) = 0x800
           # auditconfig -getestate AUE_RENAME
           audit class mask for event AUE_RENAME(42) = 0x30




     -getkaudit

         Get audit characteristics of the current zone. For exam-
         ple:

           # auditconfig -getkaudit
           audit id = unknown(-2)
           process preselection mask = lo,na(0x1400,0x1400)
           terminal id (maj,min,host) = 0,0,(0.0.0.0)
           audit session id = 0


         If the audit policy perzone is not set, the terminal  id
         is  that of the global zone. Otherwise, it is the termi-
         nal id of the local zone.


     -getkmask

         Get non-attributable pre-selection mask for the  current
         zone. For example:

           # auditconfig -getkmask
           audit flags for non-attributable events = lo,na(0x1400,0x1400)


         If the audit policy perzone is not set, the kernel  mask
         is that of the global zone. Otherwise, it is that of the
         local zone.


     -getpinfo pid

         Display the audit ID, preselection  mask,  terminal  ID,
         and audit session ID for the specified process.


     -getpolicy

         Display the kernel audit policy. The  ahlt  and  perzone
         policies  reflect  the settings from the global zone. If
         perzone is set, all other  policies  reflect  the  local
         zone's settings. If perzone is not set, the policies are
         machine-wide.


     -getcwd

         Prints current working  directory  (anchored  from  zone
         root at system boot). For example:

           # cd /usr/tmp
           # auditconfig -getcwd
           current working directory = /var/tmp




     -getqbufsz

         Get audit queue write buffer size. For example:

           # auditconfig -getqbufsz
                   audit queue buffer size (bytes) = 1024




     -getqctrl

         Get audit queue write buffer size, audit  queue  hiwater
         mark,  audit queue lowater mark, audit queue prod inter-
         val (ticks).

           # auditconfig -getqctrl
           audit queue hiwater mark (records) = 100
           audit queue lowater mark (records) = 10
           audit queue buffer size (bytes) = 1024
           audit queue delay (ticks) = 20




     -getqdelay

         Get interval at which audit queue is  prodded  to  start
         output. For example:

           # auditconfig -getqdelay
           audit queue delay (ticks) = 20

     -getqhiwater

         Get high water point in undelivered audit  records  when
         audit generation will block. For example:

           # ./auditconfig -getqhiwater
           audit queue hiwater mark (records) = 100




     -getqlowater

         Get low water point in undelivered audit  records  where
         blocked processes will resume. For example:

           # auditconfig -getqlowater
           audit queue lowater mark (records) = 10




     -getstat

         Print current audit statistics information. For example:

           # auditconfig -getstat
           gen nona kern  aud  ctl  enq wrtn wblk rblk drop  tot  mem
           910    1  725  184    0  910  910    0  231    0   88   48


         See auditstat(1M) for a description of the  headings  in
         -getstat output.


     -gettid

         Print audit terminal ID for current process.  For  exam-
         ple:

           # auditconfig -gettid
           terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)




     -lsevent

         Display the currently configured  (runtime)  kernel  and
         user level audit event information.


     -lspolicy

         Display the kernel audit policies with a description  of
         each policy.


     -setasid session-ID [cmd]

         Execute shell or  cmd  with  specified  session-ID.  For
         example:

           # ./auditconfig -setasid 2000 /bin/ksh
           #
           # ./auditconfig -getpinfo 104485
           audit id = abc(666)
           process preselection mask = lo(0x1000,0x1000)
           terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
           audit session id = 2000




     -setaudit audit-ID preselect_flags term-ID session-ID [cmd]

         Execute shell or cmd with the  specified  audit  charac-
         teristics.


     -setauid audit-ID [cmd]

         Execute shell or cmd with the specified audit-ID.


     -setclass event audit_flag[,audit_flag ...]

         Map the kernel event event to the classes  specified  by
         audit_flags.  event  is  an  event  number  or  name. An
         audit_flag is a two  character  string  representing  an
         audit  class.  See audit_control(4) for further informa-
         tion. If perzone is not set, this option is  valid  only
         in the global zone.


     -setkaudit IP-address_type IP_address

         Set IP address  of  machine  to  specified  values.  IP-
         address_type is ipv6 or ipv4.

         If perzone is not set, this option is valid only in  the
         global zone.


     -setkmask audit_flags

         Set non-attributes selection flags of machine.

         If perzone is not set, this option is valid only in  the
         global zone.


     -setpmask pid flags

         Set the preselection  mask  of  the  specified  process.
         flags  is  the ASCII representation of the flags similar
         to that in audit_control(4).

         If perzone is not set, this option is valid only in  the
         global zone.


     -setpolicy [+|-]policy_flag[,policy_flag ...]

         Set the kernel audit policy.  A  policy  policy_flag  is
         literal  strings  that denotes an audit policy. A prefix
         of + adds the policies specified to  the  current  audit
         policies.  A  prefix of - removes the policies specified
         from the current audit policies. No policies can be  set
         from a local zone unless the perzone policy is first set
         from the global zone. The following are the valid policy
         flag  strings  (auditconfig  -lspolicy  also  lists  the
         current valid audit policy flag strings):

         all             Include all policies that apply  to  the
                         current zone.


         ahlt            Halt  the  machine  if  an  asynchronous
                         audit   event   occurs  that  cannot  be
                         delivered because the  audit  queue  has
                         reached  the  high-water mark or because
                         there are insufficient resources to con-
                         struct  an  audit  record.  By  default,
                         records are dropped and a count is  kept
                         of the number of dropped records.


         arge            Include   the   execv(2)   system   call
                         environment   arguments   to  the  audit
                         record. This information is not included
                         by default.


         argv            Include the execv(2) system call parame-
                         ter  arguments to the audit record. This
                         information is not included by default.


         cnt             Do  not  suspend  processes  when  audit
                         resources  are  exhausted. Instead, drop
                         audit records and keep a  count  of  the
                         number  of  records dropped. By default,
                         process  are   suspended   until   audit
                         resources become available.


         group           Include the supplementary group token in
                         audit  records.  By  default,  the group
                         token is not included.


         none            Include no policies. If  used  in  other
                         than  the global zone, the ahlt and per-
                         zone policies are not changed.


         path            Add  secondary  path  tokens  to   audit
                         record.  These  are  typically the path-
                         names  of  dynamically   linked   shared
                         libraries  or  command  interpreters for
                         shell scripts. By default, they are  not
                         included.


         perzone         Maintain separate configuration, queues,
                         and  logs  for  each  zone and execute a
                         separate version of auditd(1M) for  each
                         zone.


         public          Audit public files.  By  default,  read-
                         type operations are not audited for cer-
                         tain files  which  meet  public  charac-
                         teristics:  owned  by  root, readable by
                         all, and not writable by all.


         trail           Include the trailer token in every audit
                         record. By default, the trailer token is
                         not included.


         seq             Include the sequence token  as  part  of
                         every  audit  record.  By  default,  the
                         sequence  token  is  not  included.  The
                         sequence   token   attaches  a  sequence
                         number to every audit record.

         windata_down    Include in an  audit  record  any  down-
                         graded  data moved between windows. This
                         policy is available only if  the  system
                         is  configured  with Trusted Extensions.
                         By  default,  this  information  is  not
                         included.


         windata_up      Include in an audit record any  upgraded
                         data  moved between windows. This policy
                         is available only if the system is  con-
                         figured   with  Trusted  Extensions.  By
                         default,   this   information   is   not
                         included.


         zonename        Include the zonename token  as  part  of
                         every  audit  record.  By  default,  the
                         zonename  token  is  not  included.  The
                         zonename  token  gives  the  name of the
                         zone from which  the  audit  record  was
                         generated.



     -setqbufsz buffer_size

         Set the audit queue write buffer size (bytes).


     -setqctrl hiwater lowater bufsz interval

         Set the audit queue write buffer size  (bytes),  hiwater
         audit  record  count,  lowater  audit  record count, and
         wakeup interval (ticks). Valid within a local zone  only
         if perzone is set.


     -setqdelay interval

         Set the audit queue wakeup interval (ticks). This deter-
         mines  the  interval at which the kernel pokes the audit
         queue, to write audit records to the audit trail.  Valid
         within a local zone only if perzone is set.


     -setqhiwater hiwater

         Set the number of undelivered audit records in the audit
         queue  at  which  audit  record generation blocks. Valid
         within a local zone only if perzone is set.

     -setqlowater lowater

         Set the number of undelivered audit records in the audit
         queue at which blocked auditing processes unblock. Valid
         within a local zone only if perzone is set.


     -setsmask asid flags

         Set the preselection mask  of  all  processes  with  the
         specified  audit  session  ID. Valid within a local zone
         only if perzone is set.


     -setstat

         Reset audit statistics counters. Valid  within  a  local
         zone only if perzone is set.


     -setumask auid flags

         Set the preselection mask  of  all  processes  with  the
         specified  audit  ID.  Valid within a local zone only if
         perzone is set.


EXAMPLES
     Example 1 Using auditconfig


     The following is an example of an auditconfig program:


       #
       # map kernel audit event number 10 to the "fr" audit class
       #
       % auditconfig -setclass 10 fr

       #
       # turn on inclusion of exec arguments in exec audit records
       #
       % auditconfig -setpolicy +argv



EXIT STATUS
     0    Successful completion.


     1    An error occurred.

FILES
     /etc/security/audit_event    Stores event  definitions  used
                                  in the audit system.


     /etc/security/audit_class    Stores class  definitions  used
                                  in the audit system.


ATTRIBUTES
     See attributes(5) for descriptions of the  following  attri-
     butes:



     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWcsu                     |
    |_____________________________|_____________________________|
    | Interface Stability         | Committed                   |
    |_____________________________|_____________________________|


SEE ALSO
     audit(1M),    auditd(1M),    auditstat(1M),     bsmconv(1M),
     praudit(1M),     auditon(2),    execv(2),    audit_class(4),
     audit_control(4),       audit_event(4),       attributes(5),
     audit_binfile(5)


     See the section on Solaris Auditing in System Administration
     Guide: Security Services.

NOTES
     If plugin output is  selected  using  audit_control(4),  the
     behavior  of  the system with respect to the -setpolicy +cnt
     and the -setqhiwater options is modified slightly. If  -set-
     policy  +cnt  is  set,  data will continue to be sent to the
     selected plugin, even though output to the binary audit  log
     is stopped, pending the freeing of disk space. If -setpolicy
     -cnt is used, the blocking behavior is  as  described  under
     OPTIONS,  above. The value set for the queue high water mark
     is used within auditd as the default  value  for  its  queue
     limits  unless overridden by means of the qsize attribute as
     described in audit_control(4).


     The auditconfig options that modify or display process-based
     information  are  not  affected by the perzone policy. Those
     that modify system audit data such as the  terminal  id  and
     audit  queue  parameters  are valid only in the global zone,
     unless the perzone policy is set. The display  of  a  system
     audit  reflects the local zone if perzone is set. Otherwise,
     it reflects the settings of the global zone.


     The -setcond option  has  been  removed.  Use  audit(1M)  to
     enable or disable auditing.


     The -getfsize and -setfsize options have been  removed.  Use
     audit_binfile(5) p_fsize to set the audit file size.










Man pages from Solaris 10 Update 8. See docs.sun.com and www.oracle.com for further documentation and Solaris information.
Comments