This document is a Mac OS X manual page. Manual pages are a command-line technology for providing documentation. You can view these manual pages locally using the man(1) command. These manual pages come from many different sources, and thus, have a variety of writing styles. For more information about the manual page format, see the manual page for manpages(5).
AUDITON(2) BSD System Calls Manual AUDITON(2)
NAME
auditon -- configure the current audit parameters on the system
SYNOPSIS
#include <bsm/audit.h>
int
auditon(int cmd, void * data, int length);
DESCRIPTION
The auditon() function manipulates various audit parameters. The data
argument points to the appropriate structure from the header file.
Length is the size of the data parameter in bytes. It will typically be
the sizeof the structure.
PARAMETERS
A_GETPOLICY Get the current audit policy. Data should point to a
long. The policy is the bitwise OR'ing of the appropriate
flags from bsm/audit.h. If AUDIT_AHLT is set,
the system will kernel panic if it cannot write to the
global audit trail. If AUDIT_CNT is not set and the
system becomes low on space, audited events will block
until the low space condition is remedied. Unaudited
events are unaffected. The other policy flags are not
implemented.
A_SETPOLICY Set the current audit policy. Data should point to a
long specifying the desired audit policy, as described
in A_GETPOLICY.
A_GETKMASK Get the current value of the audit preselection mask
for non-attributable events. Data should point to an
au_mask_t. The field am_success specifies which
classes of successful audit events are to be logged to
the audit trail. The field am_failure specifies which
classes of failed audit events are to be logged. The
value of both fields is the bitwise OR'ing of the
event classes specified in bsm/audit.h. The various
audit classes are described more fully in
audit_class(5).
A_SETKMASK Set the current value of the audit preselection mask
for non-attributable events. Data should point to an
au_mask_t. The masks are defined as described in
A_GETKMASK.
A_GETQCTRL Get the current settings for the audit queue (specifying
in kernel buffer size, percentage of free filesystem
blocks, and limits to the number of audit records
allowed). Data should point to an au_qctrl_t.
A_SETQCTRL Set the current settings for the audit queue. Data
should point to an au_qctrl_t.
A_GETCOND Gets the current condition of the auditing subsystem.
If the value is AUC_AUDITING, then the audit implementation
is currently running. If the value is AUC_NOAUDIT
then the audit implementation is currently turned
off. Data should point to a long.
A_SETCOND Sets the condition of the auditing subsystem. If
AUC_NOAUDIT is set, then auditing is temporarily suspended.
If AUC_AUDITING is set, auditing is resumed.
If AUC_DISABLED is set, the auditing system will shutdown,
draining all audit records and closing out the
audit trail file. To re-enable auditing, a call to
auditctl is required in addition to setting the condition
to AUC_AUDITING. Data should point to a long.
A_GETCLASS Returns the audit class for the specified audit event.
Data should point to an au_evclassmap_t.
A_SETCLASS Sets the audit class for the specified audit event.
Data should point to an au_evclassmap_t.
A_GETPINFO Returns the audit information stored in the credential
for the current process. Data should point to an
auditpinfo_t.
A_SETPMASK Sets the audit settings for a process. The audit user
ID, preselection masks for both success and failure,
and terminal IDs must be set. Data should point to an
auditpinfo_t struct.
A_SETFSIZE Set the limit on audit trail file size. File size is
in bytes. The file size specified is treated as an
advisory limit. The system will make a best effort
attempt to rotate log files before they exceed the
requested maximum size, but makes no guarantees on log
file size. Data should point to an au_fstat_t struct.
The af_filesz field is used to specify the new file
size, which must be greater than MIN_AUDIT_FILE_SIZE.
A value of 0 indicates no limit on the audit trail's
size. The af_currsz field is ignored. An errno value of
EINVAL indicates a maximum file size that is too
small.
A_GETFSIZE Return the maximum allowable size of the audit trail,
and the current size of the audit trail. Data should
point to an au_fstat_t struct.
A_GETPINFO_ADDR Not implemented, returns ENOSYS.
A_GETKAUDIT Not implemented, returns ENOSYS.
A_SETKAUDIT Not implemented, returns ENOSYS.
RETURN VALUES
Upon successful completion a value of 0 is returned. Otherwise, a value
of -1 is returned and errno is set to indicate the error.
ERRORS
Errors are specific to the operation requested. In addition, the
auditon() system call will fail if:
[EINVAL] Length is less than or equal to zero, or if it is
greater than any of the expected structures.
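EXAMPLES
The following is an added example, not part of the original manual page: a health check that reads the audit condition and policy as described under A_GETCOND and A_GETPOLICY and reports the failure behaviours those entries describe. The F_* names and audit_findings() are hypothetical; the fallback constant values used where bsm/audit.h is absent are assumed from OpenBSM's bsm/audit.h.

```c
/* Added example: audit health check built on A_GETCOND and A_GETPOLICY. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#ifdef __APPLE__
#include <bsm/audit.h>          /* auditon(), A_*, AUC_*, AUDIT_* */
#else
/* Assumption: stand-in values taken from OpenBSM's bsm/audit.h so the
 * decoding logic also builds where the header is absent. */
#define AUC_AUDITING 1
#define AUC_NOAUDIT  2
#define AUC_DISABLED (-1)
#define AUDIT_CNT    0x0001
#define AUDIT_AHLT   0x0002
#endif

/* Finding bits returned by audit_findings() (names are hypothetical). */
#define F_NOT_RUNNING   0x1  /* condition is not AUC_AUDITING            */
#define F_PANIC_ON_FAIL 0x2  /* AUDIT_AHLT: panic if trail is unwritable */
#define F_BLOCK_ON_FULL 0x4  /* AUDIT_CNT clear: audited events block    */

int audit_findings(long cond, long policy)
{
    int f = 0;
    if (cond != AUC_AUDITING)   f |= F_NOT_RUNNING;
    if (policy & AUDIT_AHLT)    f |= F_PANIC_ON_FAIL;
    if (!(policy & AUDIT_CNT))  f |= F_BLOCK_ON_FULL;
    return f;
}

int main(void)
{
    long cond = AUC_AUDITING, policy = AUDIT_CNT;   /* constructed sample */
#ifdef __APPLE__
    /* Both commands take a pointer to a long, per the PARAMETERS section. */
    if (auditon(A_GETCOND, &cond, (int)sizeof(cond)) == -1 ||
        auditon(A_GETPOLICY, &policy, (int)sizeof(policy)) == -1) {
        fprintf(stderr, "auditon: %s\n", strerror(errno));
        return 1;
    }
#endif
    int f = audit_findings(cond, policy);
    printf("cond=%ld policy=0x%lx\n", cond, (unsigned long)policy);
    if (f & F_NOT_RUNNING)   puts("auditing is not running");
    if (f & F_PANIC_ON_FAIL) puts("AUDIT_AHLT set: kernel panics if the trail cannot be written");
    if (f & F_BLOCK_ON_FULL) puts("AUDIT_CNT clear: audited events block when space is low");
    return (f & F_NOT_RUNNING) ? 2 : 0;
}
```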
SEE ALSO
audit(2), auditctl(2), getauid(2), setauid(2), getaudit(2), setaudit(2),
getaudit_addr(2), setaudit_addr(2), audit_class(5)
HISTORY
The auditon() function call first appeared in Mac OS X 10.3 (Panther).
Darwin July 30, 2007 Darwin