audcntl(2)audcntl(2)Nameaudcntl - audit control
Syntax
#include <sys/audit.h>
audcntl(request, argp, len, flag, audit_id)
int request;
char *argp;
int len;
int flag;
audit_ID_t audit_id;
Description
The system call provides control over options offered by the audit sub‐
system. All requests, except where noted otherwise, are privileged.
The following list describes the requests:
GET_SYS_AMASK and SET_SYS_AMASK
The system auditmask determines which system events are logged.
GET_SYS_AMASK copies the system auditmask into a buffer pointed
at by argp. SET_SYS_AMASK copies from a buffer pointed at by
argp into the system auditmask. Each of these operations
returns the number of bytes transferred between the user's buf‐
fer and the auditmask. Len is the size of the user's buffer.
The amount of data moved between the auditmask and the user's
buffer is the smaller of the auditmask size and the buffer size.
GET_TRUSTED_AMASK and SET_TRUSTED_AMASK
The trusted auditmask determines which trusted events are
logged. GET_TRUSTED_AMASK copies the trusted auditmask into a
buffer pointed at by argp. SET_TRUSTED_AMASK copies from a buf‐
fer pointed at by argp into the trusted auditmask. Each of these
operations returns the number of bytes transferred between the
user's buffer and the auditmask. Len is the size of the user's
buffer. The amount of data moved between the auditmask and the
user's buffer is the smaller of the auditmask size and the buf‐
fer size.
GET_PROC_AMASK and SET_PROC_AMASK
The process auditmask determines (along with the system masks)
which system events and trusted events are logged for the cur‐
rent process. GET_PROC_AMASK copies the process auditmask into
a buffer pointed at by argp. The size of the process auditmask
is SYSCALL_MASK_LEN+TRUSTED_MASK_LEN, and contains a syscall
mask followed by a trusted event mask. SET_PROC_AMASK copies
the values from a buffer pointed at by argp into the process
auditmask. Each of these operations returns the number of bytes
transferred between the user's buffer and the auditmask. Len is
the size of the user's buffer. The amount of data moved between
the auditmask and the user's buffer is the smaller of the audit‐
mask size and the buffer size.
GET_PROC_ACNTL and SET_PROC_ACNTL
GET_PROC_ACNTL returns the audit control flags (the audcntl
byte) of the current process (see ). Audit control flags deter‐
mine whether auditing for the process is on or off, and if on,
how the auditmasks are combined. A value of AUDIT_OFF indicates
audit is off for that process. A value of AUDIT_AND or AUDIT_OR
indicates the process auditmask is logically AND'ed or OR'ed
with the system auditmask. A value of AUDIT_USR indicates the
process auditmask is used for that process; the system auditmask
is ignored. SET_PROC_ACNTL assigns the values of the audit con‐
trol flags from flag and returns the previous values of the
flags.
GET_AUDSWITCH and SET_AUDSWITCH
GET_AUDSWITCH returns the value of the system audit switch. A
return value of 1 indicates auditing is turned on. A value of
zero indicates auditing is turned off. SET_AUDSWITCH assigns
the value of flag to the system audit switch and returns the
previous audit switch value. A value of 1 turns auditing on. A
value of zero turns auditing off.
FLUSH_AUD_BUF
Flushes the kernel audit buffer out to
GETPAID and SETPAID
GETPAID returns the audit ID of the calling process. The GET‐
PAID request does not require privilege. SETPAID assigns the
value of audit_id to the process audit ID. SETPAID is effective
only if audit_id is greater than 0.
GET_AUDSTYLE and SET_AUDSTYLE
The system auditing style supports two options to control how
much additional information is recorded on exec operations.
GET_AUDSTYLE returns the current value of the system audstyle
flag. SET_AUDSTYLE sets the system audstyle flag to the value
of flag, and returns the previous value of the audstyle flag. A
flag value of AUD_EXEC_ARGP enables the auditing of the argument
list to an execv or execve syscall. A flag value of
AUD_EXEC_ENVP enables the auditing of the environment strings to
an execv or execve syscall. Flag values may be OR'ed together.
Return Values
The values returned for successful calls can be found under the
description of the specific call request.
If a call fails, a -1 is returned.
Diagnostics
The call fails under the following conditions:
[EFAULT] The argp argument contains an invalid address.
[EACCES] The user does not have the privileges needed to perform
this operation.
[EINVAL] The value of the len or request or audit_id argument is
invalid.
[EPERM] The user is not privileged to get or set the audit ID,
or the user attempted to get the audit ID when it was
not set.
[EOPNOTSUPP] The request argument contains an unsupported operation.
See Also
Security Guide for Administrators
Guide to Languages and Programming
audcntl(2)
