auditmask - Gets or sets audit masks
/usr/sbin/auditmask [flags] [event[:succeed:fail]] [-e,E
file [args...]] [<event_list]
Sets the audit mask for all processes that have the specified
audit ID (audit_id). By specifying the audit ID of a
user, all processes with the specified audit ID are
audited. The event list specified on the command line
becomes the audit mask for the target processes. Note
that the new events are combined with the current events
for the target process. Executes auditmask on each active
member of the cluster. Any files specified must be visable
to all members in the cluster. Process-specific commands
are not supported across the cluster. Entering auditmask
-cluster prints out each cluster member's audit mask. The
following auditmask options are supported with the -cluster
option and work as follows: Has valid meaning only for
a cluster member that the user is currently logged into.
Not valid if -p is used. With a specified process -f is
not supported with -cluster. Without a specified process,
-f is supported. Supported. With a specified procces -n
is not supported with -cluster. Without a specified procces
-n works as usual across each cluster member. Works
as usual across each cluster member.
The following auditmask options are not supported
with the -cluster option: -e, -E, -p, -q, -Q, -x,
-X, -y-Y. Sets the value of the audit control
flags for the target audit processes. The -coption
can be used only in conjunction with the -a, -e,
-E, or -p options. The audit control flag strings
are as follows: An audit record is generated if
either the system audit mask or the process audit
mask indicates such an event should be audited. An
audit record is generated if both the system audit
mask and the process audit mask indicate such an
event should be audited. No audit records are generated
for the current process. An audit record
gets generated if the process audit mask indicates
such an event should be audited. Turns off or on
all system call auditing for the selected process
(or group of processes if based on login user).
Include the habitat audit events as described in
the /etc/sec/audit_events file. Executes the file
and audits all system calls and trusted events. The
args parameters are the arguments associated with
the program file. This option is useful for debugging.
Executes the file and audits under a specified
audit mask. The args parameters are the arguments
associated with the program file. For example,
auditmask open -e test_prog foo If a process
is specified, sets that process' audit mask to all
events; otherwise, sets the system audit mask to
all events. Displays a brief help message. If a
process is specified, clears that process' audit
mask; otherwise, clears the system audit mask.
When one or more events are provided, sets the
audit mask for a single process specified by pid
and events. The event list specified on the command
line modifies the settings for those events in the
current audit mask of the specified process. If
only -p pid is specified, the events being audited
for the specified pid and the audcntl flag are
returned. The -p option is used to check a suspicious
process in real time. Query status of file
filename for object selection/deselection. Query
status of files in filelist relevant to object
selection/deselection. Sets the audit style characteristics
of the audit subsystem as follows:
Enables the auditing of the argument list to an
execv or execve system call. Enables the auditing
of the environment strings to an execv or execve
system call. Enables recording the command name in
each audit record. The command name is the same
name as that used in the accounting records. This
is the last component of the invoked pathname, and
is restricted to a maximum of 16 characters.
Enables the auditing of the user name in failed
login attempts when the user name is not recognized.
(If the account name for a failed access
attempt is recognized, an entry is always generated
in the audit log.) Enable object selection mode.
Specifying -c obj_sel or -c obj_sel:1 enables the
object selection mode. Specifying -c obj_sel:0 disables
the object selection mode.
The object selection mode provides the ability to
specify a set of files for which selected events
get audited, while those same events on other files
do not get audited. In this mode, audit records get
generated only when an event is selected and either
that event is acting on a selected file or not acting
on any file. The result is that it is now possible,
for example, to audit open's of /etc/passwd
and /.rhosts while not auditing open's of
See the -x and -X options, and the Security manual.
Enable object deselection mode.
Specifying -c obj_desel or -c obj_desel:1 enables
the deselection mode. Specifying -c obj_desel:0
disables the deselection mode.
The file deselection mode provides the ability to
specify a set of files for which specific selected
events do not get audited, while those same events
on other files do get audited.
The events which may be deselected are data access
operations (no data modifications). The set of
events which get deselected is:
open close link access stat lstat
dup revoke readlink fstat dup2 getdirentries
File open's for write or truncate access, however,
do not get deselected.
In this mode, audit records get generated for
selected events, unless all files operated on by
that system call are deselected and the operation
is a data access. So, if you are auditing stat and
unlink, and the file foo is deselected, then a stat
of foo would not be audited, but an unlink of foo
would be audited (the unlink is not a "data access"
The result is that it is now possible, for example,
to not audit accesses to /usr/shlib/libc.so, but
still audit open's of /etc/passwd.
See the -y and -Y options, and the Security manual.
Enable or disable selection on filename. No : or
the presence of a :1 on the end of the argument
enables the action; a :0 disables the action.
Enable or disable selection on the files in the
filelist. No : or the presence of a :1 on the end
of the argument enables the action; a :0 disables
the action. Enable or disable deselection on filename.
No : or the presence of a :1 on the end of
the argument enables the action; a :0 disables the
action. Enable or disable deselection on the files
in the filelist. No : or the presence of a :1 on
the end of the argument enables the action; a :0
disables the action.
The auditmask command is used to: Get or set the system
audit mask and the audit style flag Get or set a process'
audit mask and its audit control flag Execute a process
under a specified audit mask Select or deselect filesystem
The system audit mask contains system calls (default list
is in /etc/sec/audit_events), trusted events (defined in
audit.h), and site-defined events (/etc/sec/site_events).
The system audit mask is set during the setup of the audit
subsystem using the auditconfig script. The system audit
mask can be changed at any time using the auditmask command.
Under enhanced security, when a user logs in to the system,
the authentication databases (/var/tcb/files/auth.db
and /var/tcb/files/auth.db) are read and the login process'
audit characteristics are set according to the
u_auditmask and u_auditcntl entries. This audit mask and
audit control flag are inherited by all spawned processes.
Setting the audit control flag of a process automatically
resets a previous setting of AUDIT_SYSCALL_OFF for that
Getting the System Audit Mask [Toc] [Back]
The auditmask command with no arguments displays the system
calls, trusted events, and site events currently being
audited for the system, and indicates whether they are
being audited under successful or failed occurrences or
both. The format used for the display is acceptable as
input to subsequent auditmask commands.
Setting the System Audit Mask [Toc] [Back]
The auditmask command with event arguments sets the system
call, trusted event, or site event audit masks for the
system audit mask. This is a cumulative operation, so it
is possible to turn on or off audit for one set of events,
then turn on or off audit for a second set of events without
changing the first set of events (except for the
intersection between the two sets). Command line arguments
to auditmask can include one or more events, each
with an optional field :succeed:fail, where succeed is
either 0 to specify no auditing of successful occurrences
of event or 1 to specify auditing of successful occurrences
of event; and fail is either 0 to specify no auditing
of failed occurrences of event or 1 to specify auditing
of failed occurrences of event. The event is one of
the following: A system call name A trusted event name
(see audit.h) A site-defined name in /etc/sec/site_events
An alias defined in /etc/sec/event_aliases
The auditmask command will also accept redirected input,
which can be the output of a previously issued auditmask
command. This is a file containing lines in the following
format: event [succeed] [fail]
If the keyword succeed is present, successful occurrences
of that event will be audited; if the keyword fail is present,
failed occurrences of that event will be audited; if
both are present, successful and failed occurrences will
be audited; if neither keyword is present, that event will
not be audited.
The auditmask command with the -s option is used to set
the audit style characteristics of the audit subsystem.
See the description of the -s option.
Getting and Setting Process' Auditmask
The audit characteristics for a process are made up of the
process auditmask and the audit control flag. The auditmask
command can be used to set or get the audit characteristics
for a specified process. If no audit characteristics
are specified, auditmask gets the process' auditmask
and control flag; if any audit characteristics are
specified, auditmask sets the process' auditmask and/or
the audit control flag.
Processes are specified as follows: A single process using
the -p option A family of processes using the -a option A
new process using the -e or -E option
Site-defined events and habitat system calls can be set
only for the system, as opposed to the processes. See the
habitat_usr selection under the -c control_flag flag.
A program can be executed with a specified auditmask using
the -e or -E options. This can be used to learn more about
the program's behavior. The -e and -E options set the
process audit control flag to AUDIT_USR (unless explicitly
Using Object Selection and Deselection [Toc] [Back]
Object selection and deselection modes provide another
preselection mechanism designed to help administrators
audit specifically those operations of interest to them.
Some events, such as mount and reboot, are operations
affecting system state; other events, such as open and
unlink, are operations which affect specific files. While
all reboot attempts might be security relevant, all file
open's might not be (based on the site security model).
The file object selection/deselection mechanism provides a
further level of granularity for events which operate on
This mechanism can be run in either file selection (audstyle
obj_sel) or file deselection (audstyle obj_desel)
Note that processes with a flag of AUDIT_USR do not have
their auditing reduced through the selection/deselection
Cluster Audit Masks [Toc] [Back]
Each member of a cluster runs with its own auditmask. To
simplify keeping the masks identical, use the -cluster
The command line in the following example returns the
auditmask and audit control flag for process 999: # auditmask
The command line in the following example executes the
my_prog program with the open system call added to its
auditmask and no change to its audit control flag: #
auditmask open -e my_prog
The command line in the following example executes the vi
command on the /etc/motd file with its auditmask set to
audit all system calls and all trusted events, and its
audit control flag set to OR: # auditmask -c or -E vi
[ Back ]