        audcntl - audit control
        #include <sys/audit.h>
       audcntl(
               int request,
               char *argp,
               int len,
               int flag,
               uid_t audit_id,
               pid_t pid );
       The audcntl system call provides control over flags offered
       by the audit subsystem. All requests, except where otherwise
       noted, are privileged. The following list describes the
       requests:

       The system auditmask (along with the process auditmask)
       determines which system events are logged. GET_SYS_AMASK
       copies the system auditmask into a buffer pointed to by argp.
       SET_SYS_AMASK copies from a buffer pointed to by argp into the
       system auditmask. Each of these operations returns the number
       of bytes transferred between the user's buffer and the
       auditmask. The len argument is the size of the user's buffer.
       The amount of data moved between the auditmask and the user's
       buffer is the smaller of the auditmask size and the buffer
       size.

       The trusted auditmask (along with the process auditmask)
       determines which trusted events are logged. GET_TRUSTED_AMASK
       copies the trusted auditmask into a buffer pointed to by argp.
       SET_TRUSTED_AMASK copies from a buffer pointed to by argp into
       the trusted auditmask. Each of these operations returns the
       number of bytes transferred between the user's buffer and the
       auditmask. The len argument is the size of the user's buffer.
       The amount of data moved between the auditmask and the user's
       buffer is the smaller of the auditmask size and the buffer
       size.

       The process auditmask determines (along with the system masks)
       which system events and trusted events are logged for the
       current process. GET_PROC_AMASK copies the process auditmask
       into a buffer pointed to by argp. The size of the process
       auditmask is AUDIT_MASK_LEN, and contains a syscall mask
       followed by a trusted event mask. SET_PROC_AMASK copies the
       values from a buffer pointed to by argp into the process
       auditmask. Each of these operations returns the number of
       bytes transferred between the user's buffer and the auditmask.
       Len is the size of the user's buffer. The amount of data moved
       between the auditmask and the user's buffer is the smaller of
       the auditmask size and the buffer size.

       GET_PROC_ACNTL returns the audit control flags (the audcntl
       flag) of the current process (see audit.h). Audit control
       flags determine whether auditing for the process is on or off,
       and if on, how the system and process auditmask are combined.
       A value of AUDIT_OFF indicates audit is off for that process.
       A value of AUDIT_AND or AUDIT_OR indicates that a logical AND
       or a logical OR of the process and the system auditmasks has
       been performed. A value of AUDIT_USR indicates the process
       auditmask is used for that process; the system auditmask is
       ignored. SET_PROC_ACNTL assigns the values of the audit
       control flags from flag and returns the previous values of the
       audit control flags.

       GET_AUDSWITCH returns the value of the system audit switch. A
       return value of 1 indicates auditing is turned on. A value of
       zero indicates auditing is turned off. SET_AUDSWITCH assigns
       the value of flag to the system audit switch and returns the
       previous audit switch value. A value of 1 turns auditing on. A
       value of zero turns auditing off.

       Flushes the kernel audit buffer to /dev/audit. In a cluster,
       /dev/audit is a CDSL (context dependent symbolic link).

       Not supported.

       The system auditing style supports various flags to control
       how much additional information is recorded in some audited
       operations. GET_AUDSTYLE returns the current value of the
       system audstyle flag. SET_AUDSTYLE sets the system audstyle
       flag to the value of flag, and returns the previous value of
       the audstyle flag. A flag value of AUD_EXEC_ARGP enables the
       auditing of the argument list to the exec system calls. A flag
       value of AUD_EXEC_ENVP enables the auditing of the environment
       strings to the exec system calls. AUD_LOGIN_UNAME enables the
       auditing of the username in records for failed login attempts.
       A logical OR can be performed on flag values.

       The site mask determines which site-defined events are logged.
       GET_SITEMASK copies the site mask into a buffer pointed at by
       argp. SET_SITEMASK copies from a buffer pointed at by argp
       into the site mask. Each of these operations returns the
       number of bytes transferred between the user's buffer and the
       site mask. The len argument is the size of the user's buffer.
       The amount of data moved between the site mask and the user's
       buffer is the smaller of the site mask size and the buffer
       size.

       Update the auditmask flag, the audcntl flag, or both for the
       specified process or set of processes. The argp parameter
       contains the new auditmask; len is the size of the user's
       buffer. A len value of 0 will not modify the target process'
       auditmask. The flag parameter, if not -1, contains the new
       audcntl flag. The process ID (pid), if not 0, specifies the
       target process. The audit_id parameter, if not AUID_INVAL,
       specifies the set of all processes with that audit_id.

       GET_HABITAT_EVENT gets the "habitat/system call" name and
       auditmask bits for a specified system call number. The flag
       parameter is the system call number. The argp parameter points
       to a user buffer of size len into which the "habitat/system
       call" name is placed. The return value is the auditmask bits,
       which indicate whether successful occurrences, failed
       occurrences, or both of this system call are logged.
       SET_HABITAT_EVENT sets the auditmask bits for the specified
       "habitat/system call" name. The argp parameter points to a
       user buffer of size len which specifies the habitat name and
       system call name (for example, SystemV/unlink). The flag
       parameter is the new setting for the auditmask bits for this
       system call. Note that these flags apply only to system calls
       in the alternate habitats.

       Returns the number of site events currently allowed on the
       system. This number is determined by the sysconfig sec
       parameter audit_site_events.

       Returns the base size of an audit data buffer. This number is
       determined by the sysconfig sec parameter audit_buffer_size.

       Gets or sets an object's selection and deselection flags. The
       object is named by argp. For SET_OBJAUDBIT, the flag argument
       specifies AUD_SELECT and/or AUD_DESELECT (see the
       "<sys/audit.h>" file).

       Copies the process auditmask for the process specified by the
       pid argument into a buffer pointed to by argp. The len
       argument is the size of the user's buffer. The amount of data
       moved between the auditmask and the user's buffer is the
       smaller of the auditmask size and the buffer size. This
       operation returns the number of bytes copied out to the user
       buffer.

       Returns the audit control flags (the audcntl flag) of the
       process specified by the pid parameter.
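
       The following model is an added example, not part of the
       original manual page and not code from <sys/audit.h>. It shows
       how the audit control flag decides whether an event is logged
       and how the mask requests size their copy. The EX_ names, their
       values, the 4-byte mask and the one-bit-per-event layout are
       assumptions made for the model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins; the real names and values are in <sys/audit.h>. */
enum ex_cntl { EX_AUDIT_OFF, EX_AUDIT_AND, EX_AUDIT_OR, EX_AUDIT_USR };
#define EX_MASK_LEN 4                 /* assumed mask size, model only */
/* Constructed sample masks, one bit per event (a simplification). */
static const unsigned char EX_SYS[EX_MASK_LEN]  = {0x05, 0, 0, 0}; /* events 0, 2 */
static const unsigned char EX_PROC[EX_MASK_LEN] = {0x06, 0, 0, 0}; /* events 1, 2 */

/* Copy rule of the GET_ and SET_ mask requests: move the smaller of the mask
 * size and len, return the bytes moved; an invalid len fails with -1. */
int ex_copy_mask(unsigned char *dst, const unsigned char *src, int len)
{
    if (len < 0) return -1;
    int n = len < EX_MASK_LEN ? len : EX_MASK_LEN;
    memcpy(dst, src, (size_t)n);
    return n;
}

/* Whether `event` is logged once the two masks are combined under cntl. */
int ex_event_logged(const unsigned char *proc, const unsigned char *sys,
                    enum ex_cntl cntl, int event)
{
    if (event < 0 || event >= EX_MASK_LEN * 8) return 0;
    int p = (proc[event / 8] >> (event % 8)) & 1;
    int s = (sys[event / 8] >> (event % 8)) & 1;
    switch (cntl) {
    case EX_AUDIT_AND: return p & s;
    case EX_AUDIT_OR:  return p | s;
    case EX_AUDIT_USR: return p;      /* system auditmask is ignored */
    default:           return 0;      /* EX_AUDIT_OFF: nothing is logged */
    }
}

/* Bitmap of which of events 0..2 are logged for the sample masks. */
int ex_demo_row(enum ex_cntl cntl)
{
    int row = 0;
    for (int ev = 0; ev < 3; ev++)
        row |= ex_event_logged(EX_PROC, EX_SYS, cntl, ev) << ev;
    return row;
}

int main(void)
{
    static const char *name[] = {"OFF", "AND", "OR", "USR"};
    for (int c = EX_AUDIT_OFF; c <= EX_AUDIT_USR; c++)
        printf("%-3s -> 0x%x\n", name[c], ex_demo_row((enum ex_cntl)c));
}
```

       With the sample masks, event 0 is selected only in the system
       mask, so it is logged under the OR setting but not under the
       AND or USR settings; a review of audit coverage has to look at
       the per-process control flag as well as the system auditmask.
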
       The values returned for  successful  calls  can  be  found
       under the description of the specific call request.
       If a call fails, a -1 is returned.
       The audcntl call fails under the following conditions:

       The argp argument contains an invalid address.

       The user does not have the privileges needed to perform this
       operation.

       The value of the len, request, or audit_id argument is
       invalid.

       Insufficient memory to accommodate site mask or property list
       operation.

       Indicates an attempt to use a system call that is not
       configured.

       The filesystem is read-only; property lists cannot be set.

       The argp argument contains an invalid address.

       The specified pid does not exist.

       With GET_OBJAUDBIT specified, indicates an invalid property
       list entry.
       Commands: auditconfig(8), dxaudit(8X)
       Security
                                                       audcntl(2)