auditmask(8)auditmask(8)Nameauditmask - get or set auditmasks
Syntaxauditmask [ option ... ] [ event[:succeed:fail]
The command with no arguments displays the system-calls and trusted-
events currently being audited for the system, and displays whether
they are being audited under successful or failed occurrences or both.
The format used for the display is acceptable as input to the command.
The command with event arguments sets the system-call and trusted-event
audit masks for the system. This is cumulative operation, so it is
possible to turn on or off audit for one set of events, then turn on or
off audit for a second set of events without changing the first set of
events (except for intersection between the two sets). Command line
arguments to can include one or more events, each with an optional
field :succeed:fail, where succeed is either 0 to specify no auditing
of successful occurrences of event, or 1 (or any non-zero character) to
specify auditing of successful occurrences of event; and fail is either
0 to specify no auditing of failed occurrences of event or 1 (or any
non-zero character) to specify auditing of failed occurrences of event.
The event name is the system-call name or the trusted-event name (see
The command will also accept redirected input, which can be the output
of a previously issued command. This is a file which contains lines of
the format event [succeed][fail]. If the keyword succeed is present,
successful occurrences of that event will be audited; if the keyword
fail is present, failed occurrences of that event will be audited; if
both are present, successful and failed occurrences will be audited; if
neither keyword is present, that event will not be audited.
The auditmask command can also be used to set the audit style charac‐
teristics of the audit subsystem. These characteristics control how
much information is recorded on exec operations.
The command is used in to initialize the auditmask at boot time accord‐
ing to the file This makes use of privileged operations within the sys‐
Options-f Turns on full auditing for the system. This list may
include events which have no symbolic name and are repre‐
sented only by a number (reserved for future use); these
events will not be audited, despite their presence in the
-n Turns off all auditing for the system.
An aud_style of "exec_argp" enables the auditing of the
argument list to an or syscall. An aud_style of
"exec_envp" enables the auditing of the environment strings
to an or syscall.