audcntl(2)
NAME
audcntl - audit control
SYNOPSIS
#include <sys/audit.h>
audcntl(
int request,
char *argp,
int len,
int flag,
uid_t audit_id,
pid_t pid );
DESCRIPTION
The audcntl system call provides control over flags offered by the
audit subsystem. All requests, except where otherwise noted, are
privileged. The following list describes the requests:

The system auditmask (along with the process auditmask) determines
which system events are logged. GET_SYS_AMASK copies the system
auditmask into a buffer pointed to by argp. SET_SYS_AMASK copies from a
buffer pointed to by argp into the system auditmask. Each of these
operations returns the number of bytes transferred between the user's
buffer and the auditmask. The len argument is the size of the user's
buffer. The amount of data moved between the auditmask and the user's
buffer is the smaller of the auditmask size and the buffer size.

The trusted auditmask (along with the process auditmask) determines
which trusted events are logged. GET_TRUSTED_AMASK copies the trusted
auditmask into a buffer pointed to by argp. SET_TRUSTED_AMASK copies
from a buffer pointed to by argp into the trusted auditmask. Each of
these operations returns the number of bytes transferred between the
user's buffer and the auditmask. The len argument is the size of the
user's buffer. The amount of data moved between the auditmask and the
user's buffer is the smaller of the auditmask size and the buffer size.

The process auditmask determines (along with the system masks) which
system events and trusted events are logged for the current process.
GET_PROC_AMASK copies the process auditmask into a buffer pointed to by
argp. The size of the process auditmask is AUDIT_MASK_LEN, and contains
a syscall mask followed by a trusted event mask. SET_PROC_AMASK copies
the values from a buffer pointed to by argp into the process auditmask.
Each of these operations returns the number of bytes transferred
between the user's buffer and the auditmask. Len is the size of the
user's buffer. The amount of data moved between the auditmask and the
user's buffer is the smaller of the auditmask size and the buffer size.

GET_PROC_ACNTL returns the audit control flags (the audcntl flag) of
the current process (see audit.h). Audit control flags determine
whether auditing for the process is on or off, and if on, how the
system and process auditmask are combined. A value of AUDIT_OFF
indicates audit is off for that process. A value of AUDIT_AND or
AUDIT_OR indicates that a logical AND or a logical OR of the process
and the system auditmasks has been performed. A value of AUDIT_USR
indicates the process auditmask is used for that process; the system
auditmask is ignored. SET_PROC_ACNTL assigns the values of the audit
control flags from flag and returns the previous values of the audit
control flags.

GET_AUDSWITCH returns the value of the system audit switch. A return
value of 1 indicates auditing is turned on. A value of zero indicates
auditing is turned off. SET_AUDSWITCH assigns the value of flag to the
system audit switch and returns the previous audit switch value. A
value of 1 turns auditing on. A value of zero turns auditing off.

Flushes the kernel audit buffer to /dev/audit. In a cluster, /dev/audit
is a CDSL (context dependent symbolic link).

Not supported.

The system auditing style supports various flags to control how much
additional information is recorded in some audited operations.
GET_AUDSTYLE returns the current value of the system audstyle flag.
SET_AUDSTYLE sets the system audstyle flag to the value of flag, and
returns the previous value of the audstyle flag. A flag value of
AUD_EXEC_ARGP enables the auditing of the argument list to the exec
system calls. A flag value of AUD_EXEC_ENVP enables the auditing of the
environment strings to the exec system calls. AUD_LOGIN_UNAME enables
the auditing of the username in records for failed login attempts. A
logical OR can be performed on flag values.

The site mask determines which site-defined events are logged.
GET_SITEMASK copies the site mask into a buffer pointed at by argp.
SET_SITEMASK copies from a buffer pointed at by argp into the site
mask. Each of these operations returns the number of bytes transferred
between the user's buffer and the site mask. The len argument is the
size of the user's buffer. The amount of data moved between the site
mask and the user's buffer is the smaller of the site mask size and the
buffer size.

Update the auditmask flag, the audcntl flag, or both for the specified
process or set of processes. The argp parameter contains the new
auditmask; len is the size of the user's buffer. A len value of 0 will
not modify the target process' auditmask. The flag parameter, if not
-1, contains the new audcntl flag. The process ID (pid), if not 0,
specifies the target process. The audit_id parameter, if not
AUID_INVAL, specifies the set of all processes with that audit_id.

GET_HABITAT_EVENT gets the "habitat/system call" name and auditmask
bits for a specified system call number. The flag parameter is the
system call number. The argp parameter points to a user buffer of size
len into which the "habitat/system call" name is placed. The return
value is the auditmask bits, which indicate whether successful
occurrences, failed occurrences, or both of this system call are
logged. SET_HABITAT_EVENT sets the auditmask bits for the specified
"habitat/system call" name. The argp parameter points to a user buffer
of size len which specifies the habitat name and system call name (for
example, SystemV/unlink). The flag parameter is the new setting for the
auditmask bits for this system call. Note that these flags apply only
to system calls in the alternate habitats.

Returns the number of site events currently allowed on the system. This
number is determined by the sysconfig sec parameter audit_site_events.

Returns the base size of an audit data buffer. This number is
determined by the sysconfig sec parameter audit_buffer_size.

Gets or sets an object's selection and deselection flags. The object is
named by argp. For SET_OBJAUDBIT, the flag argument specifies
AUD_SELECT and/or AUD_DESELECT (see the "<sys/audit.h>" file).

Copies the process auditmask for the process specified by the pid
argument into a buffer pointed to by argp. The len argument is the size
of the user's buffer. The amount of data moved between the auditmask
and the user's buffer is the smaller of the auditmask size and the
buffer size. This operation returns the number of bytes copied out to
the user buffer.

Returns the audit control flags (the audcntl flag) of the process
specified by the pid parameter.
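
The mask-combination and transfer-length rules described above, modelled in self-contained C. This is an added example, not code from the original page, and it does not call the real audcntl. The M_* constants, the 8-byte mask size and the 2-bits-per-event layout are assumptions; the real values come from <sys/audit.h>.

```c
#include <stdio.h>
#include <string.h>

/* Model-only stand-ins. The real AUDIT_* values and AUDIT_MASK_LEN come from
   <sys/audit.h>; these numbers and the 2-bits-per-event layout are assumed. */
enum acntl { M_AUDIT_OFF, M_AUDIT_AND, M_AUDIT_OR, M_AUDIT_USR };
enum { M_FAIL = 1, M_SUCCEED = 2, M_MASK_LEN = 8 };

/* Transfer rule of the GET_/SET_*_AMASK requests: move the smaller of len
   and the mask size, and return the number of bytes moved. */
int mask_copy(unsigned char *dst, const unsigned char *src, int len)
{
    int n = len < M_MASK_LEN ? len : M_MASK_LEN;
    if (n < 0) return -1;            /* invalid len: the call fails */
    memcpy(dst, src, (size_t)n);
    return n;
}

/* Success/fail bits stored in a mask for event ev (assumed 4 events per byte). */
int event_bits(const unsigned char *m, int ev) { return (m[ev / 4] >> ((ev % 4) * 2)) & 3; }

/* Bits in force for one event, given the process's audit control flag. */
int effective_bits(enum acntl flag, const unsigned char *sys,
                   const unsigned char *proc, int ev)
{
    int s = event_bits(sys, ev), p = event_bits(proc, ev);
    switch (flag) {
    case M_AUDIT_AND: return s & p;
    case M_AUDIT_OR:  return s | p;
    case M_AUDIT_USR: return p;      /* system auditmask is ignored */
    default:          return 0;      /* AUDIT_OFF: nothing is logged */
    }
}

/* Constructed masks: system logs successes of event 0, process logs failures. */
unsigned char sys_m[M_MASK_LEN] = { M_SUCCEED }, proc_m[M_MASK_LEN] = { M_FAIL };
unsigned char work_m[M_MASK_LEN] = { 255, 255, 255, 255, 255, 255, 255, 255 };
const unsigned char zero2[2] = { 0, 0 };

int main(void)
{
    int moved = mask_copy(work_m, zero2, 2);  /* 2-byte buffer, 8-byte mask */
    printf("moved=%d ev0=%d ev8=%d\n", moved, event_bits(work_m, 0), event_bits(work_m, 8));
    printf("AND=%d OR=%d USR=%d\n",
           effective_bits(M_AUDIT_AND, sys_m, proc_m, 0),
           effective_bits(M_AUDIT_OR, sys_m, proc_m, 0),
           effective_bits(M_AUDIT_USR, sys_m, proc_m, 0));
    return 0;
}
```

In this model the bytes beyond len keep their previous contents, so a caller that intends to replace a whole mask should compare the returned byte count with the mask size. With disjoint masks, the AND setting leaves no bits in force for the event.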
RETURN VALUES
The values returned for successful calls can be found under the
description of the specific call request.
If a call fails, a -1 is returned.
ERRORS
The audcntl call fails under the following conditions:

The argp argument contains an invalid address.

The user does not have the privileges needed to perform this operation.

The value of the len, request, or audit_id argument is invalid.

Insufficient memory to accommodate site mask or property list
operation.

Indicates an attempt to use a system call that is not configured.

The filesystem is read-only; property lists cannot be set.

The argp argument contains an invalid address.

The specified pid does not exist.

With GET_OBJAUDBIT specified, indicates an invalid property list entry.
SEE ALSO
Commands: auditconfig(8), dxaudit(8X)
Security