AUDITCONFIG(8) Maintenance Commands and Procedures AUDITCONFIG(8)
NAME
auditconfig - configure auditing
SYNOPSIS
auditconfig option...
DESCRIPTION
auditconfig provides a command line interface to get and set kernel
audit parameters.
The setting of the perzone policy determines the scope of the audit settings controlled by auditconfig. If perzone is set, then the values reflect the local zone except as noted. Otherwise, the settings are for the entire system. Any restriction based on the perzone setting is noted for each option to which it applies.

A non-global zone administrator can set all audit policy options except perzone and ahlt. perzone and ahlt apply only to the global zone; setting these policies requires the privileges of a global zone administrator. perzone and ahlt are described under the -setpolicy option, below.
OPTIONS
-aconf Set the non-attributable audit mask to the value set using the -setnaflags option. For example:
# auditconfig -aconf
Configured non-attributable event mask.
-audit event sorf retval string Constructs an audit record for audit event event using the process's audit characteristics, containing a text token string. The return token is constructed from the sorf (success/failure flag) and the retval (return value). The event is type char*, the sorf is 0/1 for success/failure, retval is an errno value, and string is type char*. This command is useful for constructing an audit record from a shell script. An example of this option:
# auditconfig -audit AUE_ftpd 0 0 "test string"
#
audit record from audit trail:
header,76,2,ftp access,,Fri Dec 08 08:44:02 2000, + 669 msec
subject,abc,root,other,root,other,104449,102336,235 197121 elbow
text,test string
return,success,0
-chkaconf Checks that the current non-attributable event flags set in the kernel match the configuration. If the runtime class mask of a kernel audit event does not match the configured class mask, a mismatch is reported.
-chkconf Check the configuration of kernel audit event to class mappings.
If the runtime class mask of a kernel audit event does not match
the configured class mask, a mismatch is reported.
-conf Configure kernel audit event to class mappings. Runtime class
mappings are changed to match those in the audit event to class
database file.
-getasid Prints the audit session ID of the current process. For example:
# auditconfig -getasid
audit session id = 102336
-getaudit Returns the audit characteristics of the current process.
# auditconfig -getaudit
audit id = abc(666)
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
audit session id = 102336
-getauid Prints the audit ID of the current process. For example:
# auditconfig -getauid
audit id = abc(666)
-getcar Prints current active root location (anchored from root [or local
zone root] at system boot). For example:
# auditconfig -getcar
current active root = /
-getclass event Display the preselection mask associated with the specified kernel audit event. event is the kernel event number or event name.
-getcond Display the kernel audit condition. The condition displayed is the literal string auditing, meaning auditing is enabled and turned on (the kernel audit module is constructing and queuing audit records); noaudit, meaning auditing is enabled but turned off (the kernel audit module is not constructing and queuing audit records); or nospace, meaning there is no space for saving audit records. See auditon(2) and auditd(8) for further information.
-getcwd Prints current working directory (anchored from zone root at
system boot). For example:
# cd /usr/tmp
# auditconfig -getcwd
current working directory = /var/tmp
-getestate event For the specified event (string or event number), print out the classes event has been assigned. For example:
# auditconfig -getestate 20
audit class mask for event AUE_REBOOT(20) = 0x800
# auditconfig -getestate AUE_RENAME
audit class mask for event AUE_RENAME(42) = 0x30
-getflags Display the current active and configured user default audit
flags. For example:
# auditconfig -getflags
active user default audit flags = no(0x0,0x0)
configured user default audit flags = ex,lo(0x40001000,0x40001000)
-getkaudit Get audit characteristics of the current zone. For example:
# auditconfig -getkaudit
audit id = unknown(-2)
process preselection mask = lo,na(0x1400,0x1400)
terminal id (maj,min,host) = 0,0,(0.0.0.0)
audit session id = 0
If the audit policy perzone is not set, the terminal id is that of the global zone. Otherwise, it is the terminal id of the local zone.
-getkmask Get non-attributable pre-selection mask for the current zone. For
example:
# auditconfig -getkmask
audit flags for non-attributable events = lo,na(0x1400,0x1400)
If the audit policy perzone is not set, the kernel mask is that of the global zone. Otherwise, it is that of the local zone.
-getnaflags Display the current active and configured non-attributable audit
flags. For example:
# auditconfig -getnaflags
active non-attributable audit flags = no(0x0,0x0)
configured non-attributable audit flags = lo(0x1000,0x1000)
-getpinfo pid Display the audit ID, preselection mask, terminal ID, and audit
session ID for the specified process.
-getplugin [plugin] Display the currently installed plugins and their attributes. If plugin is specified, -getplugin only shows information for that plugin. For example:
# auditconfig -getplugin
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=0;
Plugin: audit_syslog (inactive)
Attributes: p_flags=;
Plugin: audit_remote (inactive)
Attributes: p_hosts=;p_retries=3;p_timeout=5;
-getpolicy Display the kernel audit policy. The ahlt and perzone policies reflect the settings from the global zone. If perzone is set, all other policies reflect the local zone's settings. If perzone is not set, the policies are machine-wide.
-getqbufsz Get audit queue write buffer size. For example:
# auditconfig -getqbufsz
audit queue buffer size (bytes) = 1024
-getqctrl Get audit queue write buffer size, audit queue hiwater mark, audit queue lowater mark, and audit queue prod interval (ticks). For example:
# auditconfig -getqctrl
audit queue hiwater mark (records) = 100
audit queue lowater mark (records) = 10
audit queue buffer size (bytes) = 1024
audit queue delay (ticks) = 20
-getqdelay Get interval at which audit queue is prodded to start output. For
example:
# auditconfig -getqdelay
audit queue delay (ticks) = 20
-getqhiwater Get high water point in undelivered audit records when audit
generation will block. For example:
# auditconfig -getqhiwater
audit queue hiwater mark (records) = 100
-getqlowater Get low water point in undelivered audit records where blocked
processes will resume. For example:
# auditconfig -getqlowater
audit queue lowater mark (records) = 10
-getstat Print current audit statistics information. For example:
# auditconfig -getstat
gen nona kern aud ctl enq wrtn wblk rblk drop tot mem
910 1 725 184 0 910 910 0 231 0 88 48
See auditstat(8) for a description of the headings in -getstat output.
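As an added example (not part of this manual page): a POSIX shell health check that reads -getstat output by column name and flags dropped records or blocked writers, the two counters that tell an operator the audit trail has gaps or that the queue reached its hiwater mark. The sample outputs are constructed; the first copies the example above, the second invents degraded values.

```shell
#!/bin/sh
# Constructed sample of `auditconfig -getstat` output (same values as the
# example above); on a live system use: out=$(auditconfig -getstat)
SAMPLE_GETSTAT='gen nona kern aud ctl enq wrtn wblk rblk drop tot mem
910 1 725 184 0 910 910 0 231 0 88 48'

# Constructed sample from a system whose queue filled up: drop=7 and
# wblk=3 are invented values, not taken from any real system
SAMPLE_DEGRADED='gen nona kern aud ctl enq wrtn wblk rblk drop tot mem
1200 1 900 299 0 1193 1180 3 300 7 90 52'

# audit_stat_field OUTPUT NAME: print the counter under column NAME.
# Columns are located by header name rather than position, so the check
# keeps working if columns are added or reordered. Fails (exit 1) when
# NAME is not one of the headers.
audit_stat_field() {
    printf '%s\n' "$1" | awk -v name="$2" '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == name) col = i; next }
        NR == 2 { if (col) print $col; else exit 1 }'
}

# audit_queue_check OUTPUT: returns 0 when healthy, 1 when records were
# dropped (the trail has gaps; see the cnt policy), 2 when writers were
# blocked (queue reached hiwater; see -setqhiwater), 3 when the expected
# columns are missing from OUTPUT.
audit_queue_check() {
    _drop=$(audit_stat_field "$1" drop) || return 3
    _wblk=$(audit_stat_field "$1" wblk) || return 3
    [ "$_drop" -gt 0 ] && return 1
    [ "$_wblk" -gt 0 ] && return 2
    return 0
}

audit_queue_check "$SAMPLE_GETSTAT" && echo "audit queue healthy"
```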
-gettid Print audit terminal ID for current process. For example:
# auditconfig -gettid
terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
-lsevent Display the currently configured (runtime) kernel and user level
audit event information.
-lspolicy Display the kernel audit policies with a description of each
policy.
-setasid session-ID [cmd] Execute shell or cmd with the specified session-ID. For example:
# auditconfig -setasid 2000 /bin/ksh
#
# auditconfig -getpinfo 104485
audit id = abc(666)
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
audit session id = 2000
-setaudit audit-ID preselect_flags term-ID session-ID [cmd] Execute shell or cmd with the specified audit characteristics.
-setauid audit-ID [cmd] Execute shell or cmd with the specified audit-ID.
-setclass event audit_flag[,audit_flag ...] Map the kernel event event to the classes specified by audit_flags. event is an event number or name. An audit_flag is a two character string representing an audit class. If perzone is not set, this option is valid only in the global zone.
-setflags audit_flags Sets the user default audit flags. For example, to set execute
and login auditing for all users:
# auditconfig -setflags ex,lo
user default audit flags = ex,lo(0x40001000,0x40001000)
-setkaudit IP-address_type IP_address Set the IP address of the machine to the specified values. IP-address_type is ipv6 or ipv4. If perzone is not set, this option is valid only in the global zone.
-setkmask audit_flags Set the non-attributable preselection flags of the machine. If perzone is not set, this option is valid only in the global zone.
-setnaflags audit_flags Sets the non-attributable audit flags. For example:
# auditconfig -setnaflags lo
non-attributable audit flags = lo(0x1000,0x1000)
-setplugin name active|inactive [attributes [qsize]] Configures a plugin's attributes. For example:
# auditconfig -setplugin audit_syslog active
-setpmask pid flags Set the preselection mask of the specified process. If perzone is not set, this option is valid only in the global zone.
-setpolicy [+|-]policy_flag[,policy_flag ...] Set the kernel audit policy. A policy_flag is a literal string that denotes an audit policy. A prefix of + adds the specified policies to the current audit policies. A prefix of - removes the specified policies from the current audit policies. No policies can be set from a local zone unless the perzone policy is first set from the global zone. The following are the valid policy flag strings (auditconfig -lspolicy also lists the current valid audit policy flag strings):
all Include all policies that apply to the current
zone.
ahlt Panic is called and the system dumps core if an
asynchronous audit event occurs that cannot be
delivered because the audit queue has reached the
high-water mark or because there are insufficient
resources to construct an audit record. By
default, records are dropped and a count is kept
of the number of dropped records.
arge Include the execv(2) system call environment arguments in the audit record. This information is not included by default.
argv Include the execv(2) system call parameter arguments in the audit record. This information is not included by default.
cnt Do not suspend processes when audit resources are exhausted. Instead, drop audit records and keep a count of the number of records dropped. By default, processes are suspended until audit resources become available.
group Include the supplementary group token in audit
records. By default, the group token is not
included.
none Include no policies. If used in other than the global zone, the ahlt and perzone policies are not changed.
path Add secondary path tokens to audit record. These
are typically the pathnames of dynamically linked
shared libraries or command interpreters for
shell scripts. By default, they are not
included.
perzone Maintain separate configuration, queues, and logs for each zone and execute a separate version of auditd(8) for each zone.
public Audit public files. By default, read-type operations are not audited for certain files which meet public characteristics: owned by root, readable by all, and not writable by all.
trail Include the trailer token in every audit record.
By default, the trailer token is not included.
seq Include the sequence token as part of every audit
record. By default, the sequence token is not
included. The sequence token attaches a sequence
number to every audit record.
windata_down Include in an audit record any downgraded data
moved between windows. This policy is available
only if the system is configured with Trusted
Extensions. By default, this information is not
included.
windata_up Include in an audit record any upgraded data
moved between windows. This policy is available
only if the system is configured with Trusted
Extensions. By default, this information is not
included.
zonename Include the zonename token as part of every audit record. By default, the zonename token is not included. The zonename token gives the name of the zone from which the audit record was generated.
-setqbufsz buffer_size Set the audit queue write buffer size (bytes).
-setqctrl hiwater lowater bufsz interval Set the audit queue write buffer size (bytes), hiwater audit record count, lowater audit record count, and wakeup interval (ticks). Valid within a local zone only if perzone is set.
-setqdelay interval Set the audit queue wakeup interval (ticks). This determines the interval at which the kernel pokes the audit queue to write audit records to the audit trail. Valid within a local zone only if perzone is set.
-setqhiwater hiwater Set the number of undelivered audit records in the audit queue at which audit record generation blocks. Valid within a local zone only if perzone is set.
-setqlowater lowater Set the number of undelivered audit records in the audit queue at which blocked auditing processes unblock. Valid within a local zone only if perzone is set.
-setsmask asid flags Set the preselection mask of all processes with the specified audit session ID. Valid within a local zone only if perzone is set.
-setstat Reset audit statistics counters. Valid within a local zone only if perzone is set.
-setumask auid flags Set the preselection mask of all processes with the specified audit ID. Valid within a local zone only if perzone is set.
EXAMPLES
Example 1: Using auditconfig
The following is an example of an auditconfig program:
#
# map kernel audit event number 10 to the "fr" audit class
#
% auditconfig -setclass 10 fr
#
# turn on inclusion of exec arguments in exec audit records
#
% auditconfig -setpolicy +argv
EXIT STATUS
0 Successful completion.
1 An error occurred.
FILES
/etc/security/audit_event Stores event definitions used in the
audit system.
/etc/security/audit_class Stores class definitions used in the
audit system.
ATTRIBUTES
See
attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Committed |
+--------------------+-----------------+
SEE ALSO
auditon(2), execv(2), audit_class(5), audit_event(5), attributes(7), audit_binfile(7), audit_remote(7), audit_syslog(7), audit(8), auditd(8), auditstat(8), praudit(8)
NOTES
If the audit_remote or audit_syslog plugins are active, the behavior of the system with respect to the -setpolicy +cnt and the -setqhiwater options is modified slightly. If -setpolicy +cnt is set, data will continue to be sent to the selected plugin, even though output to the binary audit log is stopped, pending the freeing of disk space. If -setpolicy -cnt is used, the blocking behavior is as described under OPTIONS, above. The value set for the queue high water mark is used within auditd as the default value for its queue limits unless overridden by means of the qsize attribute.

The auditconfig options that modify or display process-based information are not affected by the perzone policy. Those that modify system audit data such as the terminal id and audit queue parameters are valid only in the global zone, unless the perzone policy is set. The display of a system audit reflects the local zone if perzone is set. Otherwise, it reflects the settings of the global zone.

The -setcond option has been removed. Use audit(8) to enable or disable auditing.

The -getfsize and -setfsize options have been removed. Use audit_binfile(7) p_fsize to set the audit file size.
March 6, 2017 AUDITCONFIG(8)