.\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved
.\" Copyright 2015, Joyent, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH AUDITCONFIG 1M "Jan 28, 2015"
auditconfig \- configure auditing
\fBauditconfig\fR \fIoption\fR...
\fBauditconfig\fR provides a command line interface to get and set kernel audit
This functionality is available only if the Solaris Auditing feature has been
enabled. See \fBbsmconv\fR(1M) for more information.
The setting of the \fBperzone\fR policy determines the scope of the audit
setting controlled by \fBauditconfig\fR. If \fBperzone\fR is set, then the
values reflect the local zone except as noted. Otherwise, the settings are for
the entire system. Any restriction based on the \fBperzone\fR setting is noted
for each option to which it applies.
A non-global zone administrator can set all audit policy options except
\fBperzone\fR and \fBahlt\fR. \fBperzone\fR and \fBahlt\fR apply only to the
global zone; setting these policies requires the privileges of a global zone
administrator. \fBperzone\fR and \fBahlt\fR are described under the
\fB-setpolicy\fR option, below.
Set the non-attributable audit mask from the \fBaudit_control\fR(4) file. For
Configured non-attributable events.
\fB\fB-audit\fR \fIevent\fR \fIsorf\fR \fIretval\fR \fIstring\fR\fR
This command constructs an audit record for audit event \fIevent\fR using the
process's audit characteristics containing a text token \fIstring\fR. The
return token is constructed from the \fIsorf\fR (success/failure flag) and the
\fIretval\fR (return value). The event is type \fBchar*\fR, the \fIsorf\fR is
0/1 for success/failure, \fIretval\fR is an errno value, \fIstring\fR is type
\fBchar*\fR. This command is useful for constructing an audit record with a
shell script. An example of this option:
# auditconfig -audit AUE_ftpd 0 0 "test string"
audit record from audit trail:
header,76,2,ftp access,,Fri Dec 08 08:44:02 2000, + 669 msec
subject,abc,root,other,root,other,104449,102336,235 197121 elbow
Checks the configuration of the non-attributable events set in the kernel
against the entries in \fBaudit_control\fR(4). If the runtime class mask of a
kernel audit event does not match the configured class mask, a mismatch is
Check the configuration of kernel audit event to class mappings. If the runtime
class mask of a kernel audit event does not match the configured class mask, a
mismatch is reported.
Configure kernel audit event to class mappings. Runtime class mappings are
changed to match those in the audit event to class database file.
Prints the audit session ID of the current process. For example:
# auditconfig -getasid
audit session id = 102336
\fB\fB-getaudit\fR\fR
Returns the audit characteristics of the current process.
# auditconfig -getaudit
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
audit session id = 102336
Prints the audit ID of the current process. For example:
# auditconfig -getauid
Prints current active root location (anchored from root [or local zone root] at
system boot). For example:
# auditconfig -getcar
current active root = /
\fB\fB-getclass\fR \fIevent\fR\fR
Display the preselection mask associated with the specified kernel audit event.
\fIevent\fR is the kernel event number or event name.
Display the kernel audit condition. The condition displayed is the literal
string \fBauditing\fR meaning auditing is enabled and turned on (the kernel
audit module is constructing and queuing audit records); \fBnoaudit\fR, meaning
auditing is enabled but turned off (the kernel audit module is not constructing
and queuing audit records); \fBdisabled\fR, meaning that the audit module has
not been enabled; or \fBnospace\fR, meaning there is no space for saving audit
records. See \fBauditon\fR(2) and \fBauditd\fR(1M) for further information.
Prints current working directory (anchored from zone root at system boot). For
# auditconfig -getcwd
current working directory = /var/tmp
\fB\fB-getestate\fR \fIevent\fR\fR
For the specified event (string or event number), print out classes \fIevent\fR
has been assigned. For example:
# auditconfig -getestate 20
audit class mask for event AUE_REBOOT(20) = 0x800
# auditconfig -getestate AUE_RENAME
audit class mask for event AUE_RENAME(42) = 0x30
\fB\fB-getflags\fR\fR
Display the current active and configured user default audit flags. For
# auditconfig -getflags
active user default audit flags = no(0x0,0x0)
configured user default audit flags = ex,lo(0x40001000,0x40001000)
\fB\fB-getkaudit\fR\fR
Get audit characteristics of the current zone. For example:
# auditconfig -getkaudit
audit id = unknown(-2)
process preselection mask = lo,na(0x1400,0x1400)
terminal id (maj,min,host) = 0,0,(0.0.0.0)
If the audit policy \fBperzone\fR is not set, the terminal id is that of the
global zone. Otherwise, it is the terminal id of the local zone.
\fB\fB-getkmask\fR\fR
Get non-attributable pre-selection mask for the current zone. For example:
# auditconfig -getkmask
audit flags for non-attributable events = lo,na(0x1400,0x1400)
If the audit policy \fBperzone\fR is not set, the kernel mask is that of the
global zone. Otherwise, it is that of the local zone.
\fB\fB-getnaflags\fR\fR
Display the current active and configured non-attributable audit flags. For
# auditconfig -getnaflags
active non-attributable audit flags = no(0x0,0x0)
configured non-attributable audit flags = lo(0x1000,0x1000)
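The masks printed by -getflags, -getkmask, -getnaflags and -getestate pair each class list with two hexadecimal words, the success mask and the failure mask, whose bits are defined in audit_class(4). The following Python script is an added example, not part of this man page or of auditconfig: it loads a constructed audit_class-style excerpt (lo, na and ex agree with the output shown above; the other entries are assumed), decodes such lines, and reports which required classes are not audited for both outcomes.

```python
import re
# Constructed excerpt in audit_class(4) format (mask:name:description): lo, na
# and ex match this man page's own output; the other entries are assumed.
SAMPLE_AUDIT_CLASS = """\
0x00000000:no:invalid class
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000400:na:non-attribute
0x00000800:ad:administrative
0x00001000:lo:login or logout
0x40000000:ex:exec
0xffffffff:all:all classes (meta-class)
"""
# Tail of 'flags(0xSUCCESS,0xFAILURE)' or of '... = 0xMASK' (-getestate form).
MASK_RE = re.compile(r"(0x[0-9a-fA-F]+)(?:,(0x[0-9a-fA-F]+))?\)?\s*$")

def load_classes(text):
    """Map class name -> bit, skipping zero-valued and multi-bit meta-classes."""
    classes = {}
    for line in text.strip().splitlines():
        mask, name, _desc = line.split(":", 2)
        bit = int(mask, 16)
        if bit and not bit & (bit - 1):     # exactly one bit set
            classes[name] = bit
    return classes

def parse_mask(line):
    """(success, failure) masks from one output line; a lone mask counts for both."""
    m = MASK_RE.search(line)
    if not m:
        raise ValueError("no audit mask in %r" % line)
    ok = int(m.group(1), 16)
    return ok, (int(m.group(2), 16) if m.group(2) else ok)

def describe(line, classes):
    """Per-class view: 'lo' both outcomes, '+lo' success only, '-lo' failure only."""
    ok, fail = parse_mask(line)
    names, known = [], 0
    for name, bit in sorted(classes.items(), key=lambda kv: kv[1]):
        known |= bit
        s, f = bool(ok & bit), bool(fail & bit)
        if s and f:
            names.append(name)
        elif s or f:
            names.append(("+" if s else "-") + name)
    leftover = (ok | fail) & ~known      # bits with no class definition
    if leftover:
        names.append("unknown(0x%x)" % leftover)
    return names

def missing_classes(line, classes, required):
    """Required classes not audited for both success and failure."""
    ok, fail = parse_mask(line)
    return [n for n in required if not (ok & classes[n] and fail & classes[n])]
```

On a live system, replace SAMPLE_AUDIT_CLASS with the contents of /etc/security/audit_class and feed it the lines printed by auditconfig.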
\fB\fB-getpinfo\fR \fIpid\fR\fR
Display the audit ID, preselection mask, terminal ID, and audit session ID for
the specified process.
\fB\fB-getplugin\fR [\fIplugin\fR]\fR
Display the currently installed plugins and their attributes. If \fIplugin\fR is
specified, \fB-getplugin\fR only shows information for that \fIplugin\fR. For
# auditconfig -getplugin
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=0;
Plugin: audit_syslog (inactive)
Attributes: p_flags=;
Plugin: audit_remote (inactive)
Attributes: p_hosts=;p_retries=3;p_timeout=5;
\fB\fB-getpolicy\fR\fR
Display the kernel audit policy. The \fBahlt\fR and \fBperzone\fR policies
reflect the settings from the global zone. If \fBperzone\fR is set, all other
policies reflect the local zone's settings. If \fBperzone\fR is not set, the
policies are machine-wide.
\fB\fB-getqbufsz\fR\fR
Get audit queue write buffer size. For example:
# auditconfig -getqbufsz
audit queue buffer size (bytes) = 1024
\fB\fB-getqctrl\fR\fR
Get audit queue write buffer size, audit queue \fBhiwater\fR mark, audit queue
\fBlowater\fR mark, audit queue \fBprod\fR interval (ticks).
# auditconfig -getqctrl
audit queue hiwater mark (records) = 100
audit queue lowater mark (records) = 10
audit queue buffer size (bytes) = 1024
audit queue delay (ticks) = 20
\fB\fB-getqdelay\fR\fR
Get interval at which audit queue is prodded to start output. For example:
# auditconfig -getqdelay
audit queue delay (ticks) = 20
\fB\fB-getqhiwater\fR\fR
Get high water point in undelivered audit records when audit generation will
# ./auditconfig -getqhiwater
audit queue hiwater mark (records) = 100
\fB\fB-getqlowater\fR\fR
Get low water point in undelivered audit records where blocked processes will
# auditconfig -getqlowater
audit queue lowater mark (records) = 10
Print current audit statistics information. For example:
# auditconfig -getstat
gen nona kern aud ctl enq wrtn wblk rblk drop tot mem
910 1 725 184 0 910 910 0 231 0 88 48
See \fBauditstat\fR(1M) for a description of the headings in \fB-getstat\fR
Print audit terminal ID for current process. For example:
# auditconfig -gettid
terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
Display the currently configured (runtime) kernel and user level audit event
\fB\fB-lspolicy\fR\fR
Display the kernel audit policies with a description of each policy.
\fB\fB-setasid\fR \fIsession-ID\fR [\fIcmd\fR]\fR
Execute shell or \fIcmd\fR with specified \fIsession-ID\fR. For example:
# ./auditconfig -setasid 2000 /bin/ksh
# ./auditconfig -getpinfo 104485
process preselection mask = lo(0x1000,0x1000)
terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
audit session id = 2000
\fB\fB-setaudit\fR \fIaudit-ID\fR \fIpreselect_flags\fR \fIterm-ID\fR
\fIsession-ID\fR [\fIcmd\fR]\fR
Execute shell or \fIcmd\fR with the specified audit characteristics.
\fB\fB-setauid\fR \fIaudit-ID\fR [\fIcmd\fR]\fR
Execute shell or \fIcmd\fR with the specified \fIaudit-ID\fR.
\fB\fB-setclass\fR \fIevent audit_flag\fR[\fI,audit_flag .\|.\|.\fR]\fR
Map the kernel event \fIevent\fR to the classes specified by \fIaudit_flags\fR.
\fIevent\fR is an event number or name. An \fIaudit_flag\fR is a two-character
string representing an audit class. See \fBaudit_control\fR(4) for further
information. If \fBperzone\fR is not set, this option is valid only in the
\fB\fB-setflags\fR \fIaudit_flags\fR\fR
Sets the user default audit flags. For example, to set execute and login
auditing for all users:
# auditconfig -setflags ex,lo
user default audit flags = ex,lo(0x40001000,0x40001000)
\fB\fB-setkaudit\fR \fIIP-address_type\fR \fIIP_address\fR\fR
Set IP address of machine to specified values. \fIIP-address_type\fR is
\fBipv6\fR or \fBipv4\fR.
If \fBperzone\fR is not set, this option is valid only in the global zone.
\fB\fB-setkmask\fR \fIaudit_flags\fR\fR
Set the non-attributable preselection flags of the machine.
If \fBperzone\fR is not set, this option is valid only in the global zone.
\fB\fB-setnaflags\fR \fIaudit_flags\fR\fR
Sets the non-attributable audit flags. For example:
# auditconfig -setnaflags lo
non-attributable audit flags = lo(0x1000,0x1000)
\fB\fB-setplugin\fR \fIname active\fR|\fIinactive\fR [\fIattributes\fR [\fIqsize\fR]]\fR
Configures a plugin's attributes. For example:
# auditconfig -setplugin audit_syslog active
\fB\fB-setpmask\fR \fIpid flags\fR\fR
Set the preselection mask of the specified process. \fIflags\fR is the ASCII
representation of the flags similar to that in \fBaudit_control\fR(4).
If \fBperzone\fR is not set, this option is valid only in the global zone.
[\fI+\fR|\fI-\fR]\fIpolicy_flag\fR[\fI,policy_flag ...\fR]\fR
Set the kernel audit policy. A \fIpolicy_flag\fR is a literal string that
denotes an audit policy. A prefix of \fB+\fR adds the policies specified to the
current audit policies. A prefix of \fB-\fR removes the policies specified from
the current audit policies. No policies can be set from a local zone unless the
\fBperzone\fR policy is first set from the global zone. The following are the
valid policy flag strings (\fBauditconfig\fR \fB-lspolicy\fR also lists the
current valid audit policy flag strings):
Include all policies that apply to the current zone.
Panic is called and the system dumps core if an asynchronous audit event occurs
that cannot be delivered because the audit queue has reached the high-water
mark or because there are insufficient resources to construct an audit record.
By default, records are dropped and a count is kept of the number of dropped
Include the \fBexecv\fR(2) system call environment arguments in the audit
record. This information is not included by default.
Include the \fBexecv\fR(2) system call parameter arguments in the audit record.
This information is not included by default.
Do not suspend processes when audit resources are exhausted. Instead, drop
audit records and keep a count of the number of records dropped. By default,
processes are suspended until audit resources become available.
Include the supplementary group token in audit records. By default, the group
token is not included.
Include no policies. If used in other than the global zone, the \fBahlt\fR and
\fBperzone\fR policies are not changed.
Add secondary path tokens to audit record. These are typically the pathnames of
dynamically linked shared libraries or command interpreters for shell scripts.
By default, they are not included.
Maintain separate configuration, queues, and logs for each zone and execute a
separate version of \fBauditd\fR(1M) for each zone.
Audit public files. By default, read-type operations are not audited for
certain files which meet \fBpublic\fR characteristics: owned by root, readable
by all, and not writable by all.
Include the trailer token in every audit record. By default, the trailer token
Include the sequence token as part of every audit record. By default, the
sequence token is not included. The sequence token attaches a sequence number
to every audit record.
\fB\fBwindata_down\fR\fR
Include in an audit record any downgraded data moved between windows. This
policy is available only if the system is configured with Trusted Extensions.
By default, this information is not included.
\fB\fBwindata_up\fR\fR
Include in an audit record any upgraded data moved between windows. This policy
is available only if the system is configured with Trusted Extensions. By
default, this information is not included.
Include the \fBzonename\fR token as part of every audit record. By default, the
\fBzonename\fR token is not included. The \fBzonename\fR token gives the name
of the zone from which the audit record was generated.
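The following Python script is an added example, not part of this man page or of auditconfig. It compares the policies reported by -getpolicy (the 'active audit policies = flag,flag' line format is an assumption) with a baseline and emits the + and - invocations of -setpolicy needed to reach it, deferring ahlt and perzone unless run from the global zone, as the policy descriptions above require.

```python
# Policy flags accepted by -setpolicy, as listed in this man page.
POLICY_FLAGS = {"ahlt", "arge", "argv", "cnt", "group", "path", "perzone",
                "public", "seq", "trail", "windata_down", "windata_up", "zonename"}
GLOBAL_ZONE_ONLY = {"ahlt", "perzone"}   # settable only from the global zone

def parse_policies(output):
    """Active policy set from -getpolicy output.  Assumed line shape:
    'active audit policies = argv,cnt' (or 'none'); without an 'active'
    line the last line mentioning 'audit policies' is used."""
    chosen = None
    for line in output.splitlines():
        if "audit policies" in line and "=" in line:
            chosen = line
            if line.lstrip().startswith("active"):
                break
    if chosen is None:
        raise ValueError("no 'audit policies' line in output")
    value = chosen.split("=", 1)[1]
    flags = {f.strip() for f in value.split(",") if f.strip()} - {"none"}
    unknown = flags - POLICY_FLAGS
    if unknown:
        raise ValueError("unknown policy flags: " + ",".join(sorted(unknown)))
    return flags

def setpolicy_plan(current, baseline, global_zone):
    """-setpolicy invocations that move `current` to `baseline`.  In a
    non-global zone ahlt/perzone are left alone and reported separately."""
    unknown = set(baseline) - POLICY_FLAGS
    if unknown:
        raise ValueError("unknown policy flags: " + ",".join(sorted(unknown)))
    to_add = set(baseline) - set(current)
    to_remove = set(current) - set(baseline)
    deferred = []
    if not global_zone:
        deferred = sorted((to_add | to_remove) & GLOBAL_ZONE_ONLY)
        to_add -= GLOBAL_ZONE_ONLY
        to_remove -= GLOBAL_ZONE_ONLY
    commands = []
    if to_add:          # one '+' invocation adds every missing policy
        commands.append("auditconfig -setpolicy +" + ",".join(sorted(to_add)))
    if to_remove:       # one '-' invocation removes every surplus policy
        commands.append("auditconfig -setpolicy -" + ",".join(sorted(to_remove)))
    return {"commands": commands, "needs_global_zone": deferred}

if __name__ == "__main__":
    # Constructed sample output: cnt is on, argv and zonename are off.
    sample = ("configured audit policies = cnt,perzone\n"
              "active audit policies = cnt,perzone\n")
    plan = setpolicy_plan(parse_policies(sample),
                          {"argv", "zonename", "perzone"}, global_zone=False)
    for cmd in plan["commands"]:
        print(cmd)
    if plan["needs_global_zone"]:
        print("change from the global zone:", ", ".join(plan["needs_global_zone"]))
```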
\fB\fB-setqbufsz\fR \fIbuffer_size\fR\fR
Set the audit queue write buffer size (bytes).
\fB\fB-setqctrl\fR \fIhiwater\fR \fIlowater\fR \fIbufsz\fR \fIinterval\fR\fR
Set the audit queue write buffer size (bytes), hiwater audit record count,
lowater audit record count, and wakeup interval (ticks). Valid within a local
zone only if \fBperzone\fR is set.
\fB\fB-setqdelay\fR \fIinterval\fR\fR
Set the audit queue wakeup interval (ticks). This determines the interval at
which the kernel pokes the audit queue, to write audit records to the audit
trail. Valid within a local zone only if \fBperzone\fR is set.
\fB\fB-setqhiwater\fR \fIhiwater\fR\fR
Set the number of undelivered audit records in the audit queue at which audit
record generation blocks. Valid within a local zone only if \fBperzone\fR is
\fB\fB-setqlowater\fR \fIlowater\fR\fR
Set the number of undelivered audit records in the audit queue at which blocked
auditing processes unblock. Valid within a local zone only if \fBperzone\fR is
\fB\fB-setsmask\fR \fIasid flags\fR\fR
Set the preselection mask of all processes with the specified audit session ID.
Valid within a local zone only if \fBperzone\fR is set.
Reset audit statistics counters. Valid within a local zone only if
\fBperzone\fR is set.
\fB\fB-setumask\fR \fIauid flags\fR\fR
Set the preselection mask of all processes with the specified audit ID. Valid
within a local zone only if \fBperzone\fR is set.
\fBExample 1 \fRUsing \fBauditconfig\fR
The following is an example of an \fBauditconfig\fR program:
# map kernel audit event number 10 to the "fr" audit class
% auditconfig -setclass 10 fr
# turn on inclusion of exec arguments in exec audit records
% auditconfig -setpolicy +argv
Successful completion.
\fB\fB/etc/security/audit_event\fR\fR
Stores event definitions used in the audit system.
\fB\fB/etc/security/audit_class\fR\fR
Stores class definitions used in the audit system.
See \fBattributes\fR(5) for descriptions of the following attributes:
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
Interface Stability	Committed
.TE
\fBaudit\fR(1M), \fBauditd\fR(1M), \fBauditstat\fR(1M), \fBbsmconv\fR(1M),
\fBpraudit\fR(1M), \fBauditon\fR(2), \fBexecv\fR(2), \fBaudit_class\fR(4),
\fBaudit_control\fR(4), \fBaudit_event\fR(4), \fBattributes\fR(5),
\fBaudit_binfile\fR(5)
See the section on Solaris Auditing in \fISystem Administration Guide: Security
If plugin output is selected using \fBaudit_control\fR(4), the behavior of the
system with respect to the \fB-setpolicy\fR \fB+cnt\fR and the
\fB-setqhiwater\fR options is modified slightly. If \fB-setpolicy\fR \fB+cnt\fR
is set, data will continue to be sent to the selected plugin, even though
output to the binary audit log is stopped, pending the freeing of disk space.
If \fB-setpolicy\fR \fB-cnt\fR is used, the blocking behavior is as described
under OPTIONS, above. The value set for the queue high water mark is used
within \fBauditd\fR as the default value for its queue limits unless overridden
by means of the \fBqsize\fR attribute as described in \fBaudit_control\fR(4).
The \fBauditconfig\fR options that modify or display process-based information
are not affected by the \fBperzone\fR policy. Those that modify system audit
data such as the terminal id and audit queue parameters are valid only in the
global zone, unless the \fBperzone\fR policy is set. The display of a system
audit reflects the local zone if \fBperzone\fR is set. Otherwise, it reflects
the settings of the global zone.
The \fB-setcond\fR option has been removed. Use \fBaudit\fR(1M) to enable or
The \fB-getfsize\fR and \fB-setfsize\fR options have been removed. Use
\fBaudit_binfile\fR(5) \fBp_fsize\fR to set the audit file size.