auditon — configure system audit parameters
auditon(int cmd, void *data, u_int length);
The auditon() system call is used to manipulate various audit control
operations. The data argument should point to a structure whose type
depends on the command. The length argument specifies the size of *data
in bytes. The cmd argument may be any of the following:
A_SETPOLICY Set audit policy flags. The data argument must point to
a int value set to one or more the following audit
policy control values bitwise OR'ed together: AUDIT_CNT,
AUDIT_AHLT, AUDIT_ARGV, and AUDIT_ARGE. If AUDIT_CNT is
set, the system will continue even if it becomes low on
space and discontinue logging events until the low space
condition is remedied. If it is not set, audited events
will block until the low space condition is remedied.
Unaudited events, however, are unaffected. If
AUDIT_AHLT is set, a panic(9) if it cannot write an
event to the global audit log file. If AUDIT_ARGV is
set, then the argument list passed to the execve(2)
system call will be audited. If AUDIT_ARGE is set, then
the environment variables passed to the execve(2) system
call will be audited. The default policy is none of the
audit policy control flags set.
A_SETKAUDIT Set the host information. The data argument must point
to a auditinfo_addr_t structure containing the host IP
address information. After setting, audit records that
are created as a result of kernel events will contain
A_SETKMASK Set the kernel preselection masks (success and failure).
The data argument must point to a au_mask_t structure
containing the mask values as defined in <bsm/audit.h>.
These masks are used for non-attributable audit event
preselection. The field am_success specifies which
classes of successful audit events are to be logged to
the audit trail. The field am_failure specifies which
classes of failed audit events are to be logged. The
value of both fields is the bitwise OR'ing of the audit
event classes specified in bsm/audit.h. The various
audit classes are described more fully in
A_SETQCTRL Set kernel audit queue parameters. The data argument
must point to a au_qctrl_t structure (defined in
<bsm/audit.h>) containing the kernel audit queue control
settings: aq_hiwater, aq_lowater, aq_bufsz, aq_delay,
and aq_minfree. The field aq_hiwater defines the
maximum number of audit record entries in the queue used
to store the audit records ready for delivery to disk.
New records are inserted at the tail of the queue and
removed from the head. For new records which would
exceed the high water mark, the calling thread is
inserted into the wait queue, waiting for the audit
queue to have enough space available as defined with the
field aq_lowater. The field aq_bufsz defines the
maximum length of the audit record that can be supplied
with audit(2). The field aq_delay is unused. The field
aq_minfree specifies the minimum amount of free blocks
on the disk device used to store audit records. If the
value of free blocks falls below the configured minimum
amount, the kernel informs the audit daemon about low
disk space. The value is to be specified in percent of
free file system blocks. A value of 0 results in a
disabling of the check. The default and maximum values
(default/maximum) for the audit queue control parameters
aq_hiwater 100/10000 (audit records)
aq_lowater 10/aq_hiwater (audit records)
aq_bufsz 32767/1048576 (bytes)
aq_delay (Not currently used.)
A_SETSTAT Return ENOSYS. (Not implemented.)
A_SETUMASK Return ENOSYS. (Not implemented.)
A_SETSMASK Return ENOSYS. (Not implemented.)
A_SETCOND Set the current auditing condition. The data argument
must point to a int value containing the new audit
condition, one of AUC_AUDITING, AUC_NOAUDIT, or
AUC_DISABLED. If AUC_NOAUDIT is set, then auditing is
temporarily suspended. If AUC_AUDITING is set, auditing
is resumed. If AUC_DISABLED is set, the auditing system
will shutdown, draining all audit records and closing
out the audit trail file.
A_SETCLASS Set the event class preselection mask for an audit
event. The data argument must point to a
au_evclass_map_t structure containing the audit event
and mask. The field ec_number is the audit event and
ec_class is the audit class mask. See audit_event(5) for
more information on audit event to class mapping.
A_SETPMASK Set the preselection masks for a process. The data
argument must point to a auditpinfo_t structure that
contains the given process's audit preselection masks
for both success and failure. The field ap_pid is the
process id of the target process. The field ap_mask
must point to a au_mask_t structure which holds the
preselection masks as described in the A_SETKMASK
A_SETFSIZE Set the maximum size of the audit log file. The data
argument must point to a au_fstat_t structure with the
af_filesz field set to the maximum audit log file size.
A value of 0 indicates no limit to the size.
A_GETCLASS Return the event to class mapping for the designated
audit event. The data argument must point to a
au_evclass_map_t structure. See the A_SETCLASS section
above for more information.
A_GETKAUDIT Get the current host information. The data argument
must point to a auditinfo_addr_t structure.
A_GETPINFO Return the audit settings for a process. The data
argument must point to a auditpinfo_t structure which
will be set to contain ap_auid (the audit ID), ap_mask
(the preselection mask), ap_termid (the terminal ID),
and ap_asid (the audit session ID) of the given target
process. The process ID of the target process is passed
into the kernel using the ap_pid field. See the section
A_SETPMASK above and getaudit(2) for more information.
A_GETPINFO_ADDR Return the extended audit settings for a process. The
data argument must point to a auditpinfo_addr_t
structure which is similar to the auditpinfo_addr_t
structure described above. The exception is the
ap_termid (the terminal ID) field which points to a
au_tid_addr_t structure can hold much a larger terminal
address and an address type. The process ID of the
target process is passed into the kernel using the
ap_pid field. See the section A_SETPMASK above and
getaudit(2) for more information.
A_GETSINFO_ADDR Return the extended audit settings for a session. The
data argument must point to a auditinfo_addr_t
structure. The audit session ID of the target session
is passed into the kernel using the ai_asid field. See
getaudit_addr(2) for more information about the
A_GETKMASK Return the current kernel preselection masks. The data
argument must point to a au_mask_t structure which will
be set to the current kernel preselection masks for non-
A_GETPOLICY Return the current audit policy setting. The data
argument must point to a int value which will be set to
one of the current audit policy flags. The audit policy
flags are described in the A_SETPOLICY section above.
A_GETQCTRL Return the current kernel audit queue control
parameters. The data argument must point to a
au_qctrl_t structure which will be set to the current
kernel audit queue control parameters. See the
A_SETQCTL section above for more information.
A_GETFSIZE Returns the maximum size of the audit log file. The
data argument must point to a au_fstat_t structure. The
af_filesz field will be set to the maximum audit log
file size. A value of 0 indicates no limit to the size.
The af_currsz field will be set to the current audit log
A_GETCWD Return ENOSYS. (Not implemented.)
A_GETCAR Return ENOSYS. (Not implemented.)
A_GETSTAT Return ENOSYS. (Not implemented.)
A_GETCOND Return the current auditing condition. The data
argument must point to a int value which will be set to
the current audit condition, one of AUC_AUDITING,
AUC_NOAUDIT or AUC_DISABLED. See the A_SETCOND section
above for more information.
A_SENDTRIGGER Send a trigger to the audit daemon. The data argument
must point to a int value set to one of the acceptable
trigger values: AUDIT_TRIGGER_LOW_SPACE (low disk space
where the audit log resides), AUDIT_TRIGGER_OPEN_NEW
(open a new audit log file), AUDIT_TRIGGER_READ_FILE
(read the audit_control file),
AUDIT_TRIGGER_CLOSE_AND_DIE (close the current log file
and exit), AUDIT_TRIGGER_NO_SPACE (no disk space left
for audit log file). AUDIT_TRIGGER_ROTATE_USER (request
audit log file rotation). AUDIT_TRIGGER_INITIALIZE
(initialize audit subsystem for Mac OS X only). or
AUDIT_TRIGGER_EXPIRE_TRAILS (request audit log file
Upon successful completion, the value 0 is returned; otherwise the
value -1 is returned and the global variable errno is set to indicate the
The auditon() function will fail if:
[ENOSYS] Returned by options not yet implemented.
[EFAULT] A failure occurred while data transferred to or from
the kernel failed.
[EINVAL] Illegal argument was passed by a system call.
[EPERM] The process does not have sufficient permission to
complete the operation.
The A_SENDTRIGGER command is specific to the FreeBSD and Mac OS X
implementations, and is not present in Solaris.
audit(2), auditctl(2), getaudit(2), getaudit_addr(2), getauid(2),
setaudit(2), setaudit_addr(2), setauid(2), libbsm(3)
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation
for the OpenBSM distribution.
This software was created by McAfee Research, the security research
division of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
The Basic Security Module (BSM) interface to audit records and audit
event stream format were defined by Sun Microsystems.
This manual page was written by Tom Rhodes ⟨trhodes@FreeBSD.org⟩, Robert
Watson ⟨rwatson@FreeBSD.org⟩, and Wayne Salamon ⟨wsalamon@FreeBSD.org⟩.