Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   3690 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

auditmask(8)							  auditmask(8)

Name
       auditmask - get or set auditmasks

Syntax
       auditmask [ option ...  ] [ event[:succeed:fail]

Description
       The  command  with  no arguments displays the system-calls and trusted-
       events currently being audited for the  system,	and  displays  whether
       they  are being audited under successful or failed occurrences or both.
       The format used for the display is acceptable as input to the command.

       The command with event arguments sets the system-call and trusted-event
       audit  masks  for  the  system.	This is cumulative operation, so it is
       possible to turn on or off audit for one set of events, then turn on or
       off  audit for a second set of events without changing the first set of
       events (except for intersection between the two	sets).	 Command  line
       arguments  to  can  include  one	 or more events, each with an optional
       field :succeed:fail, where succeed is either 0 to specify  no  auditing
       of successful occurrences of event, or 1 (or any non-zero character) to
       specify auditing of successful occurrences of event; and fail is either
       0  to  specify  no auditing of failed occurrences of event or 1 (or any
       non-zero character) to specify auditing of failed occurrences of event.
       The  event  name is the system-call name or the trusted-event name (see
       audit.h ).

       The command will also accept redirected input, which can be the	output
       of a previously issued command.	This is a file which contains lines of
       the format event [succeed][fail].  If the keyword succeed  is  present,
       successful  occurrences	of  that event will be audited; if the keyword
       fail is present, failed occurrences of that event will be  audited;  if
       both are present, successful and failed occurrences will be audited; if
       neither keyword is present, that event will not be audited.

       The auditmask command can also be used to set the audit	style  charac‐
       teristics  of  the  audit subsystem.  These characteristics control how
       much information is recorded on exec operations.

       The command is used in to initialize the auditmask at boot time accord‐
       ing to the file This makes use of privileged operations within the sys‐
       tem call.

Options
       -f	   Turns on full auditing  for	the  system.   This  list  may
		   include  events  which have no symbolic name and are repre‐
		   sented only by a number (reserved for  future  use);	 these
		   events  will	 not be audited, despite their presence in the
		   auditmask.

       -n	   Turns off all auditing for the system.

       -s aud_style
		   An aud_style of "exec_argp" enables	the  auditing  of  the
		   argument   list   to	  an  or  syscall.   An	 aud_style  of
		   "exec_envp" enables the auditing of the environment strings
		   to an or syscall.

See Also
       audcntl(2)

								  auditmask(8)

Vote for polarhome