System Administration Commands                        auditconfig(1M)

NAME
     auditconfig - configure auditing

SYNOPSIS
     auditconfig subcommand...

DESCRIPTION
     auditconfig provides a command line interface to get and set
     kernel audit parameters. Except for getting or setting the
     persistent audit service values, this functionality is
     available only if the Solaris Auditing feature has been
     enabled. A zero (0) queue value indicates that the system
     default is in effect.

     The setting of the perzone policy determines the scope of the
     audit setting controlled by auditconfig. If perzone is set,
     then the values reflect the local zone except as noted.
     Otherwise, the settings are for the entire system. Any
     restriction based on the perzone setting is noted for each
     option to which it applies.

     A non-global zone administrator can set all audit policy
     options except perzone and ahlt. perzone and ahlt apply only
     to the global zone; setting these policies requires the
     privileges of a global zone administrator. perzone and ahlt
     are described under the -setpolicy option, below.

     This command is available to administrators who have been
     granted the Audit Control Rights Profile.

OPTIONS
     The following option is supported:

     -t
         Display or set the values on the running system in
         addition to the persistent values of the audit service.
         This option is available only for the subcommands that
         list it below.

SunOS 5.11 Last change: 30 Aug 2010 1
SUB-COMMANDS
     -aconf
         Set the configured non-attributable audit mask. For
         example:

         # auditconfig -aconf
         Configured non-attributable event mask.

     -audit event sorf retval string
         This command constructs an audit record for audit event
         event using the process's audit characteristics,
         containing a text token string. The return token is
         constructed from the sorf (success/failure flag) and the
         retval (return value). The event is type char*, the sorf
         is 0/1 for success/failure, retval is an errno value,
         string is type *char. This command is useful for
         constructing an audit record with a shell script. An
         example of this option:

         # auditconfig -audit AUE_ftpd 0 0 "test string"
         #

         audit record from audit trail:

         header,76,2,ftp access,,Fri Dec 08 08:44:02 2000, + 669 msec
         subject,abc,root,other,root,other,104449,102336,235 197121 elbow
         text,test string
         return,success,0

     -chkaconf
         Checks the configuration of the non-attributable events
         set in the kernel against the entries configured in the
         audit service (-setnaflags). If the active class mask of
         a kernel audit event does not match the configured class
         mask, a mismatch is reported.

     -chkconf
         Check the configuration of kernel audit event to class
         mappings. If the runtime class mask of a kernel audit
         event does not match the configured class mask, a
         mismatch is reported.
     -conf
         Configure kernel audit event to class mappings. Runtime
         class mappings are changed to match those in the audit
         event to class database file.

     -getasid
         Prints the audit session ID of the current process. For
         example:

         # auditconfig -getasid
         audit session id = 102336

     -getaudit
         Returns the audit characteristics of the current
         process.

         # auditconfig -getaudit
         audit id = abc(666)
         process preselection mask = lo(0x1000,0x1000)
         terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
         audit session id = 102336

     -getauid
         Prints the audit ID of the current process. For example:

         # auditconfig -getauid
         audit id = abc(666)

     -getcar
         Prints current active root location (anchored from root
         [or local zone root] at system boot). For example:

         # auditconfig -getcar
         current active root = /
     -getclass event
         Display the preselection mask associated with the
         specified kernel audit event. event is the kernel event
         number or event name.

     -getcond
         Display the kernel audit condition. The condition
         displayed is the literal string auditing, meaning
         auditing is enabled and turned on (the kernel audit
         module is constructing and queuing audit records);
         noaudit, meaning auditing is enabled but turned off (the
         kernel audit module is not constructing and queuing
         audit records); disabled, meaning that the audit module
         has not been enabled; or nospace, meaning there is no
         space for saving audit records. See auditon(2) and
         auditd(1M) for further information.

     -getestate event
         For the specified event (string or event number), print
         out the classes the event has been assigned. For
         example:

         # auditconfig -getestate 20
         audit class mask for event AUE_REBOOT(20) = 0x800
         # auditconfig -getestate AUE_RENAME
         audit class mask for event AUE_RENAME(42) = 0x30

     -getflags
         Display the user default audit preselection flags.

     -getkaudit
         Get audit characteristics of the current zone. For
         example:

         # auditconfig -getkaudit
         audit id = unknown(-2)
         process preselection mask = lo,na(0x1400,0x1400)
         terminal id (maj,min,host) = 0,0,(0.0.0.0)
         audit session id = 0

         If the audit policy perzone is not set, the terminal id
         is that of the global zone. Otherwise, it is the
         terminal id of the local zone.

     -getkmask
         Get non-attributable pre-selection mask for the current
         zone. For example:

         # auditconfig -getkmask
         audit flags for non-attributable events = lo,na(0x1400,0x1400)

         If the audit policy perzone is not set, the kernel mask
         is that of the global zone. Otherwise, it is that of the
         local zone.

     -getnaflags
         Display the non-attributable audit flags.

     -getpinfo pid
         Display the audit ID, preselection mask, terminal ID,
         and audit session ID for the specified process.

     -getplugin [name]
         Display information about the plugin name. If name is
         not specified, display all plugins.

     [-t] -getpolicy
         Display the kernel audit policy. The ahlt and perzone
         policies reflect the settings from the global zone. If
         perzone is set, all other policies reflect the local
         zone's settings. If perzone is not set, the policies are
         machine-wide.

     -getcwd
         Prints current working directory (anchored from zone
         root at system boot). For example:

         # cd /usr/tmp
         # auditconfig -getcwd
         current working directory = /var/tmp
     [-t] -getqbufsz
         Get audit queue write buffer size. For example:

         # auditconfig -getqbufsz
         no configured audit queue size
         audit queue buffer size (bytes) = 1024

     [-t] -getqctrl
         Get audit queue write buffer size, audit queue hiwater
         mark, audit queue lowater mark, audit queue prod
         interval (ticks).

         # auditconfig -getqctrl
         no configured audit queue lowater mark
         no configured audit queue hiwater mark
         no configured audit queue size
         no configured audit queue delay
         audit queue hiwater mark (records) = 100
         audit queue lowater mark (records) = 10
         audit queue buffer size (bytes) = 1024
         audit queue delay (ticks) = 20
         # auditconfig -setqbufsz 8192
         # auditconfig -t -setqbufsz 12288
         # auditconfig -setqdelay 20
         # auditconfig -t -setqdelay 25
         # auditconfig -getqctrl
         no configured audit queue lowater mark
         no configured audit queue hiwater mark
         configured audit queue buffer size (bytes) = 8192
         configured audit queue delay (ticks) = 20
         active audit queue hiwater mark (records) = 100
         active audit queue lowater mark (records) = 10
         active audit queue buffer size (bytes) = 12288
         active audit queue delay (ticks) = 25

     [-t] -getqdelay
         Get interval at which audit queue is prodded to start
         output. For example:

         # auditconfig -getqdelay
         no configured audit queue delay
         audit queue delay (ticks) = 20
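The second -getqctrl listing under -getqctrl above shows how -t changes only the running-system values while the persistent configured values stay as set. The following script is an added example, not part of this manual page: it parses that listing with awk and reports every queue parameter whose active value differs from its configured value, which is exactly the set of settings that exist only on the running system and not in the persistent audit service configuration. The sample text is the page's own listing, embedded as a constructed string so the script runs without auditconfig.

```sh
#!/bin/sh
# Constructed sample: the second "auditconfig -getqctrl" listing from this
# page, after -setqbufsz/-setqdelay (persistent) and -t -setqbufsz/
# -t -setqdelay (running system only) were applied.
SAMPLE_QCTRL='no configured audit queue lowater mark
no configured audit queue hiwater mark
configured audit queue buffer size (bytes) = 8192
configured audit queue delay (ticks) = 20
active audit queue hiwater mark (records) = 100
active audit queue lowater mark (records) = 10
active audit queue buffer size (bytes) = 12288
active audit queue delay (ticks) = 25'

# qctrl_mismatches: read -getqctrl output on stdin and print one line per
# queue parameter whose active (running-system) value differs from its
# persistent configured value. "no configured ..." lines are skipped: the
# system default is in effect and there is nothing persistent to compare.
qctrl_mismatches() {
    awk -F' = ' '
        /^configured / { name = substr($1, 12); conf[name] = $2 }
        /^active /     { name = substr($1, 8);  act[name]  = $2 }
        END {
            for (name in conf)
                if ((name in act) && conf[name] != act[name])
                    printf "%s: configured=%s active=%s\n", name, conf[name], act[name]
        }'
}

# On a live system this would be: auditconfig -getqctrl | qctrl_mismatches
printf '%s\n' "$SAMPLE_QCTRL" | qctrl_mismatches
```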
     [-t] -getqhiwater
         Get high water point in undelivered audit records when
         audit generation will block. For example:

         # ./auditconfig -getqhiwater
         no configured audit queue hiwater mark
         audit queue hiwater mark (records) = 100

     [-t] -getqlowater
         Get low water point in undelivered audit records where
         blocked processes will resume. For example:

         # auditconfig -getqlowater
         no configured audit queue lowater mark
         audit queue lowater mark (records) = 10

     -getstat
         Print current audit statistics information. For example:

         # auditconfig -getstat
         gen nona kern aud ctl enq wrtn wblk rblk drop tot mem
         910 1 725 184 0 910 910 0 231 0 88 48

         See auditstat(1M) for a description of the headings in
         -getstat output.
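The -getstat counters are where audit loss first becomes visible: drop is the count of records the kernel discarded (the count kept when the cnt policy described under -setpolicy is in effect), and wblk counts times a process blocked on the audit queue (see auditstat(1M) for the headings). The following script is an added example, not part of this manual page: it looks up -getstat columns by name and warns on either condition. STAT_HEALTHY is the listing above; STAT_DROPPING is a constructed listing showing a queue under pressure.

```sh
#!/bin/sh
# Two "auditconfig -getstat" listings: STAT_HEALTHY is the listing from this
# page; STAT_DROPPING is constructed to show records dropped and processes
# blocked on the queue.
STAT_HEALTHY='gen nona kern aud ctl enq wrtn wblk rblk drop tot mem
910 1 725 184 0 910 910 0 231 0 88 48'
STAT_DROPPING='gen nona kern aud ctl enq wrtn wblk rblk drop tot mem
5120 3 4800 317 0 5115 5090 12 640 5 120 64'

# getstat_field NAME: print the value under column NAME of the -getstat
# output read from stdin (header line, then one line of counters).
# Looking the column up by name keeps the check valid if columns move.
getstat_field() {
    awk -v want="$1" '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == want) col = i; next }
        NR == 2 && col { print $col }'
}

# getstat_check: read -getstat output from stdin and warn when records have
# been dropped (drop) or processes have blocked on the queue (wblk).
# Returns 0 when both counters are zero, 1 otherwise. Counters accumulate
# until -setstat resets them, so compare against a baseline taken after
# the last reset.
getstat_check() {
    out=$(cat)
    drop=$(printf '%s\n' "$out" | getstat_field drop)
    wblk=$(printf '%s\n' "$out" | getstat_field wblk)
    rc=0
    if [ "${drop:-0}" -gt 0 ]; then
        echo "WARNING: $drop audit record(s) dropped: the trail has gaps"
        rc=1
    fi
    if [ "${wblk:-0}" -gt 0 ]; then
        echo "WARNING: processes blocked on the audit queue $wblk time(s)"
        rc=1
    fi
    return $rc
}

# On a live system: auditconfig -getstat | getstat_check
printf '%s\n' "$STAT_HEALTHY"  | getstat_check && echo "ok: no drops, no blocks"
printf '%s\n' "$STAT_DROPPING" | getstat_check || echo "audit queue needs attention"
```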
     -gettid
         Print audit terminal ID for current process. For
         example:

         # auditconfig -gettid
         terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)

     -lsevent
         Display the currently configured (runtime) kernel and
         user level audit event information.
     -lspolicy
         Display the kernel audit policies with a description of
         each policy.

     -setasid session-ID [cmd]
         Execute shell or cmd with specified session-ID. For
         example:

         # ./auditconfig -setasid 2000 /bin/ksh
         #
         # ./auditconfig -getpinfo 104485
         audit id = abc(666)
         process preselection mask = lo(0x1000,0x1000)
         terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
         audit session id = 2000

     -setaudit audit-ID preselect_flags term-ID session-ID [cmd]
         Execute shell or cmd with the specified audit
         characteristics.

     -setauid audit-ID [cmd]
         Execute shell or cmd with the specified audit-ID.

     -setclass event audit_flag[,audit_flag ...]
         Map the kernel event event to the classes specified by
         the audit_flag list. event is an event number or name.
         An audit_flag is a character string representing an
         audit class. See audit_flags(5) for further information.
         If perzone is not set, this option is valid only in the
         global zone.

     -setflags audit_flags
         Set the default user audit preselection flags; see
         audit_flags(5). The default preselection flags are
         combined with the user's specific audit flags to form
         the user's audit preselection mask.
     -setkaudit IP-address_type IP_address
         Set IP address of machine to specified values.
         IP-address_type is ipv6 or ipv4. If perzone is not set,
         this option is valid only in the global zone.

     -setkmask audit_flags
         Set non-attributable preselection flags of machine. If
         perzone is not set, this option is valid only in the
         global zone.

     -setnaflags audit_flags
         Set the non-attributable audit flags; see
         audit_flags(5). Non-attributable audit flags define
         which classes of events are to be audited when the
         action cannot be attributed to an authenticated user.
         Failed login is an example of an event that is
         non-attributable.

     -setpmask pid flags
         Set the preselection mask of the specified process.
         flags is the ASCII representation of the flags similar
         to that in audit_flags(5). If perzone is not set, this
         option is valid only in the global zone.

     -setplugin name active | inactive [attributes [qsize]]
         Configure the plugin name to be active or inactive.
         Optionally configure the attributes and number of
         unprocessed audit records to queue for the plugin. See
         the relevant audit plugin man pages and auditd(1M).

     [-t] -setpolicy [+|-]policy_flag[,policy_flag ...]
         Set the kernel audit policy. A policy_flag is a literal
         string that denotes an audit policy. A prefix of + adds
         the policies specified to the current audit policies. A
         prefix of - removes the policies specified from the
         current audit policies. No policies can be set from a
         local zone unless the perzone policy is first set from
         the global zone. The following are the valid policy
         flag strings (auditconfig -lspolicy also lists the
         current valid audit policy flag strings):

         all
             Include all policies that apply to the current zone.

         ahlt
             Panic is called and the system dumps core if an
             asynchronous audit event occurs that cannot be
             delivered because the audit queue has reached the
             high-water mark or because there are insufficient
             resources to construct an audit record. By default,
             records are dropped and a count is kept of the
             number of dropped records.

         arge
             Include the execv(2) system call environment
             arguments to the audit record. This information is
             not included by default.

         argv
             Include the execv(2) system call parameter
             arguments to the audit record. This information is
             not included by default.

         cnt
             Do not suspend processes when audit resources are
             exhausted. Instead, drop audit records and keep a
             count of the number of records dropped. By default,
             processes are suspended until audit resources become
             available.

         group
             Include the supplementary group token in audit
             records. By default, the group token is not
             included.

         none
             Include no policies. If used in other than the
             global zone, the ahlt and perzone policies are not
             changed.

         path
             Add secondary path tokens to audit record. These are
             typically the pathnames of dynamically linked shared
             libraries or command interpreters for shell scripts.
             By default, they are not included.

         perzone
             Maintain separate configuration, queues, and logs
             for each zone and execute a separate version of
             auditd(1M) for each zone.

         public
             Audit public files. By default, read-type operations
             are not audited for certain files which meet public
             characteristics: owned by root, readable by all, and
             not writable by all.

         trail
             Include the trailer token in every audit record. By
             default, the trailer token is not included.

         seq
             Include the sequence token as part of every audit
             record. By default, the sequence token is not
             included. The sequence token attaches a sequence
             number to every audit record.

         windata_down
             Include in an audit record any downgraded data moved
             between windows. This policy is available only if
             the system is configured with Trusted Extensions. By
             default, this information is not included.

         windata_up
             Include in an audit record any upgraded data moved
             between windows. This policy is available only if
             the system is configured with Trusted Extensions. By
             default, this information is not included.

         zonename
             Include the zonename token as part of every audit
             record. By default, the zonename token is not
             included. The zonename token gives the name of the
             zone from which the audit record was generated.
     [-t] -setqbufsz buffer_size
         Set the audit queue write buffer size (bytes). Zero (0)
         indicates reset to no configured value.

     [-t] -setqctrl hiwater lowater bufsz interval
         Set the audit queue write buffer size (bytes), hiwater
         audit record count, lowater audit record count, and
         wakeup interval (ticks). Valid within a local zone only
         if perzone is set. Zero (0) indicates reset to no
         configured value.

     [-t] -setqdelay interval
         Set the audit queue wakeup interval (ticks). This
         determines the interval at which the kernel pokes the
         audit queue, to write audit records to the audit trail.
         Valid within a local zone only if perzone is set. Zero
         (0) indicates reset to no configured value.

     [-t] -setqhiwater hiwater
         Set the number of undelivered audit records in the audit
         queue at which audit record generation blocks. Valid
         within a local zone only if perzone is set. Zero (0)
         indicates reset to no configured value.

     [-t] -setqlowater lowater
         Set the number of undelivered audit records in the audit
         queue at which blocked auditing processes unblock. Valid
         within a local zone only if perzone is set. Zero (0)
         indicates reset to no configured value.

     -setsmask asid flags
         Set the preselection mask of all processes with the
         specified audit session ID. Valid within a local zone
         only if perzone is set.

     -setstat
         Reset audit statistics counters. Valid within a local
         zone only if perzone is set.

     -setumask auid flags
         Set the preselection mask of all processes with the
         specified audit ID. Valid within a local zone only if
         perzone is set.

EXAMPLES
     Example 1 Using auditconfig

     The following is an example of an auditconfig command:

     #
     # map kernel audit event number 10 to the "fr" audit class
     #
     % auditconfig -setclass 10 fr
     #
     # turn on inclusion of exec arguments in exec audit records
     #
     % auditconfig -setpolicy +argv

     Example 2 Setting Only the Number of Unprocessed Audit Records

     The following sequence of commands sets only the number of
     unprocessed audit records to queue for the audit_binfile
     plugin:

     #
     # see if audit_binfile is active
     #
     % auditconfig -getplugin audit_binfile
     #
     # set to queue 20 unprocessed audit records
     #
     % auditconfig -setplugin audit_binfile active "" 20

EXIT STATUS
     0
         Successful completion.

     1
         An error occurred.

FILES
     /etc/security/audit_event
         Stores event definitions used in the audit system.

     /etc/security/audit_class
         Stores class definitions used in the audit system.

ATTRIBUTES
     See attributes(5) for descriptions of the following
     attributes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWcs                      |
    |_____________________________|_____________________________|
    | Interface Stability         | Committed                   |
    |_____________________________|_____________________________|
SEE ALSO
     audit(1M), auditd(1M), auditstat(1M), praudit(1M),
     auditon(2), execv(2), au_user_mask(3BSM), audit_class(4),
     audit_event(4), attributes(5), audit_binfile(5),
     audit_flags(5), audit_remote(5), audit_syslog(5)

     See the section on Solaris Auditing in System Administration
     Guide: Security Services.

NOTES
     If plugin output is selected using the -setplugin option,
     the behavior of the system with respect to the -setpolicy
     +cnt and the -setqhiwater options is modified slightly. If
     -setpolicy +cnt is set, data will continue to be sent to the
     selected plugin, even though output of the audit_binary
     plugin is stopped, pending the freeing of disk space. If
     -setpolicy -cnt is used, the blocking behavior is as
     described under SUB-COMMANDS, above. The queue high water
     mark value is used within auditd as the upper bound for its
     queue limits unless overridden by means of the qsize
     attribute, as described in the explanation of the -setplugin
     option, above.

     The auditconfig options that modify or display process-based
     information are not affected by the perzone policy. Those
     that modify system audit data such as the terminal id and
     audit queue parameters are valid only in the global zone,
     unless the perzone policy is set. The display of system
     audit data reflects the local zone if perzone is set.
     Otherwise, it reflects the settings of the global zone.

     Changes to plugin (-setplugin) settings do not take effect
     (such as becoming active or inactive, or changing the
     active attribute or queue size values) until the audit
     service is refreshed. Use audit(1M) to refresh the audit
     service.