auditmask man page on DigitalUNIX


auditmask(8)							  auditmask(8)

NAME
       auditmask - Gets or sets audit masks

SYNOPSIS
       /usr/sbin/auditmask [flags] [event[:succeed:fail]] [-e,E file [args...]]
       [<event_list]

OPTIONS
       -a audit_id
              Sets the audit mask for all processes that have the specified
              audit ID (audit_id).  By specifying the audit ID of a user, all
              processes with the specified audit ID are audited.  The event
              list specified on the command line becomes the audit mask for
              the target processes.  Note that the new events are combined
              with the current events for the target process.

       -cluster
              Executes auditmask on each active member of the cluster.  Any
              files specified must be visible to all members in the cluster.
              Process-specific commands are not supported across the cluster.
              Entering auditmask -cluster prints out each cluster member's
              audit mask.  The following auditmask options are supported with
              the -cluster option and work as follows:

              -a     Has valid meaning only for a cluster member that the
                     user is currently logged into.  Not valid if -p is used.

              -f     With a specified process, -f is not supported with
                     -cluster.  Without a specified process, -f is supported.

              -h     Supported.

              -n     With a specified process, -n is not supported with
                     -cluster.  Without a specified process, -n works as
                     usual across each cluster member.

              -s     Works as usual across each cluster member.

              The following auditmask options are not supported with the
              -cluster option: -e, -E, -p, -q, -Q, -x, -X, -y, -Y.

       -c control_flag
              Sets the value of the audit control flags for the target audit
              processes.  The -c option can be used only in conjunction with
              the -a, -e, -E, or -p options.  The audit control flag strings
              are as follows:

              or     An audit record is generated if either the system audit
                     mask or the process audit mask indicates such an event
                     should be audited.

              and    An audit record is generated if both the system audit
                     mask and the process audit mask indicate such an event
                     should be audited.

              off    No audit records are generated for the current process.

              usr    An audit record gets generated if the process audit
                     mask indicates such an event should be audited.

              syscall_off, syscall_on
                     Turns off or on all system call auditing for the
                     selected process (or group of processes if based on
                     login user).

              habitat_usr
                     Include the habitat audit events as described in the
                     /etc/sec/audit_events file.

       -E file [args...]
              Executes the file and audits all system calls and trusted
              events.  The args parameters are the arguments associated with
              the program file.  This option is useful for debugging.

       -e file [args...]
              Executes the file and audits under a specified audit mask.  The
              args parameters are the arguments associated with the program
              file.  For example:

                     auditmask open -e test_prog foo

       -f     If a process is specified, sets that process' audit mask to all
              events; otherwise, sets the system audit mask to all events.

       -h     Displays a brief help message.

       -n     If a process is specified, clears that process' audit mask;
              otherwise, clears the system audit mask.

       -p pid [event...]
              When one or more events are provided, sets the audit mask for a
              single process specified by pid and events.  The event list
              specified on the command line modifies the settings for those
              events in the current audit mask of the specified process.  If
              only -p pid is specified, the events being audited for the
              specified pid and the audcntl flag are returned.  The -p option
              is used to check a suspicious process in real time.

       -q filename
              Query status of file filename for object selection/deselection.

       -Q filelist
              Query status of files in filelist relevant to object
              selection/deselection.

       -s audstyle
              Sets the audit style characteristics of the audit subsystem as
              follows:

              Enables the auditing of the argument list to an execv or execve
              system call.

              Enables the auditing of the environment strings to an execv or
              execve system call.

              Enables recording the command name in each audit record.  The
              command name is the same name as that used in the accounting
              records.  This is the last component of the invoked pathname,
              and is restricted to a maximum of 16 characters.

              Enables the auditing of the user name in failed login attempts
              when the user name is not recognized.  (If the account name for
              a failed access attempt is recognized, an entry is always
              generated in the audit log.)

              obj_sel
                     Enable object selection mode.

                     Specifying -s obj_sel or -s obj_sel:1 enables the object
                     selection mode.  Specifying -s obj_sel:0 disables the
                     object selection mode.

                     The object selection mode provides the ability to
                     specify a set of files for which selected events get
                     audited, while those same events on other files do not
                     get audited.  In this mode, audit records get generated
                     only when an event is selected and either that event is
                     acting on a selected file or not acting on any file.
                     The result is that it is now possible, for example, to
                     audit open's of /etc/passwd and /.rhosts while not
                     auditing open's of /tmp/xxxx.

                     See the -x and -X options, and the Security manual.

              obj_desel
                     Enable object deselection mode.

                     Specifying -s obj_desel or -s obj_desel:1 enables the
                     deselection mode.  Specifying -s obj_desel:0 disables
                     the deselection mode.

                     The file deselection mode provides the ability to
                     specify a set of files for which specific selected
                     events do not get audited, while those same events on
                     other files do get audited.

                     The events which may be deselected are data access
                     operations (no data modifications).  The set of events
                     which get deselected is:

                     open      close     link      access    stat
                     lstat     dup       revoke    readlink  fstat
                     dup2      getdirentries       read      lseek

                     File open's for write or truncate access, however, do
                     not get deselected.

                     In this mode, audit records get generated for selected
                     events, unless all files operated on by that system
                     call are deselected and the operation is a data access.
                     So, if you are auditing stat and unlink, and the file
                     foo is deselected, then a stat of foo would not be
                     audited, but an unlink of foo would be audited (the
                     unlink is not a "data access" operation).

                     The result is that it is now possible, for example, to
                     not audit accesses to /usr/shlib/libc.so, but still
                     audit open's of /etc/passwd.

                     See the -y and -Y options, and the Security manual.

       -x filename
              Enable or disable selection on filename.  No : or the presence
              of a :1 on the end of the argument enables the action; a :0
              disables the action.

       -X filelist
              Enable or disable selection on the files in the filelist.  No :
              or the presence of a :1 on the end of the argument enables the
              action; a :0 disables the action.

       -y filename
              Enable or disable deselection on filename.  No : or the
              presence of a :1 on the end of the argument enables the action;
              a :0 disables the action.

       -Y filelist
              Enable or disable deselection on the files in the filelist.
              No : or the presence of a :1 on the end of the argument enables
              the action; a :0 disables the action.

DESCRIPTION
       The auditmask command is used to:

       +  Get or set the system audit mask and the audit style flag

       +  Get or set a process' audit mask and its audit control flag

       +  Execute a process under a specified audit mask

       +  Select or deselect filesystem objects

       The system audit	 mask  contains	 system	 calls	(default  list	is  in
       /etc/sec/audit_events),	trusted events (defined in audit.h), and site-
       defined events (/etc/sec/site_events).  The system audit	 mask  is  set
       during  the  setup of the audit subsystem using the auditconfig script.
       The system audit mask can be changed at any time	 using	the  auditmask
       command.

       Under enhanced security, when a user logs in to the system, the authen‐
       tication databases (/var/tcb/files/auth.db and  /var/tcb/files/auth.db)
       are read and the login process' audit characteristics are set according
       to the u_auditmask and u_auditcntl entries. This audit mask  and	 audit
       control flag are inherited by all spawned processes.

       Setting the audit control flag of a process automatically resets a pre‐
       vious setting of AUDIT_SYSCALL_OFF for that process.

   Getting the System Audit Mask
       The auditmask command with no  arguments	 displays  the	system	calls,
       trusted events, and site events currently being audited for the system,
       and indicates whether they are being audited under successful or failed
       occurrences  or	both. The format used for the display is acceptable as
       input to subsequent auditmask commands.

   Setting the System Audit Mask
       The auditmask command with event arguments sets the system call,
       trusted event, or site event audit masks for the system audit mask.
       This is a cumulative operation, so it is possible to turn on or off
       audit for one set of events, then turn on or off audit for a second set
       of events without changing the first set of events (except for the
       intersection between the two sets).  Command line arguments to
       auditmask can include one or more events, each with an optional field
       :succeed:fail, where succeed is either 0 to specify no auditing of
       successful occurrences of event or 1 to specify auditing of successful
       occurrences of event; and fail is either 0 to specify no auditing of
       failed occurrences of event or 1 to specify auditing of failed
       occurrences of event.  The event is one of the following:

       +  A system call name

       +  A trusted event name (see audit.h)

       +  A site-defined name in /etc/sec/site_events

       +  An alias defined in /etc/sec/event_aliases

       The auditmask command will also accept redirected input, which can be
       the output of a previously issued auditmask command.  This is a file
       containing lines in the following format:

              event [succeed] [fail]

       If the keyword succeed is present, successful occurrences of that event
       will be audited; if the keyword fail is present, failed occurrences  of
       that  event will be audited; if both are present, successful and failed
       occurrences will be audited; if neither keyword is present, that	 event
       will not be audited.
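       The two mask formats above are easy to mix up in scripts, so here is an
       added sh example (not from this man page or from Tru64) that converts
       auditmask's "event [succeed] [fail]" output lines into the
       event:succeed:fail command-line form and checks a saved mask against a
       required baseline; the mask text and the baseline are constructed
       samples, and the function names are my own.

```shell
# Added example, not from auditmask(8) or Tru64: turns auditmask's "event
# [succeed] [fail]" output lines into the event:succeed:fail command-line form
# and checks a mask against a required baseline. Sample data is constructed.
SAMPLE_MASK='open succeed fail
close
unlink fail
reboot succeed fail'
# Events and outcomes that must be audited, one "event outcome" pair per line.
BASELINE='open fail
unlink succeed
unlink fail
reboot succeed'

# mask_to_args: read "event [succeed] [fail]" lines on stdin and print one
# event:S:F token per line, S/F being 1 when the keyword is present, else 0.
mask_to_args() {
    while read -r event k1 k2; do
        [ -n "$event" ] || continue
        s=0; f=0
        case " $k1 $k2 " in *" succeed "*) s=1 ;; esac
        case " $k1 $k2 " in *" fail "*) f=1 ;; esac
        printf '%s:%s:%s\n' "$event" "$s" "$f"
    done
}
# mask_has MASK EVENT OUTCOME: true if EVENT is audited for OUTCOME ("succeed"
# or "fail") in MASK, where MASK is text in auditmask's output format.
mask_has() {
    case "$3" in
        succeed) pat="^$2:1:[01]\$" ;;
        fail)    pat="^$2:[01]:1\$" ;;
        *)       return 2 ;;
    esac
    printf '%s\n' "$1" | mask_to_args | grep -q -- "$pat"
}
# count_missing MASK: print how many BASELINE pairs MASK does not audit,
# naming each one on stderr (a non-zero count means the mask has drifted).
count_missing() {
    n=0
    while read -r ev outcome; do
        [ -n "$ev" ] || continue
        if ! mask_has "$1" "$ev" "$outcome"; then
            echo "not audited: $ev ($outcome)" >&2
            n=$((n + 1))
        fi
    done <<EOF
$BASELINE
EOF
    echo "$n"
}
```

       On a real system the mask text would come from running auditmask with
       no arguments (once per cluster member when masks are meant to match)
       instead of SAMPLE_MASK.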

       The auditmask command with the -s option is used to set the audit style
       characteristics of the audit subsystem.	See the description of the  -s
       option.

   Getting and Setting Process' Auditmask
       The  audit  characteristics  for	 a  process are made up of the process
       auditmask and the audit control flag. The auditmask command can be used
       to  set or get the audit characteristics for a specified process. If no
       audit characteristics are specified, auditmask gets the process' audit‐
       mask  and  control  flag;  if  any audit characteristics are specified,
       auditmask sets the process' auditmask and/or the audit control flag.

       Processes are specified as follows:

       +  A single process using the -p option

       +  A family of processes using the -a option

       +  A new process using the -e or -E option

       Site-defined events and habitat system calls can be set	only  for  the
       system,	as  opposed  to	 the  processes. See the habitat_usr selection
       under the -c control_flag flag.

       A program can be executed with a specified auditmask using the -e or -E
       options.	 This  can be used to learn more about the program's behavior.
       The -e and -E options set the process audit control flag	 to  AUDIT_USR
       (unless explicitly set otherwise).

   Using Object Selection and Deselection
       Object  selection  and  deselection  modes provide another preselection
       mechanism designed to  help  administrators  audit  specifically	 those
       operations of interest to them.

       Some  events, such as mount and reboot, are operations affecting system
       state; other events, such as open  and  unlink,	are  operations	 which
       affect  specific	 files.	  While	 all reboot attempts might be security
       relevant, all file open's might not be  (based  on  the	site  security
       model).	 The  file  object  selection/deselection mechanism provides a
       further level of granularity for events which operate on files.

       This mechanism can be run in either file selection  (audstyle  obj_sel)
       or file deselection (audstyle obj_desel) mode.

       Note that processes with a flag of AUDIT_USR do not have their auditing
       reduced through the selection/deselection mechanism.
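       The deselection rule (a record is suppressed only for a data-access
       event whose files are all deselected, never for a write or truncate
       open) is easiest to check with a small model.  The following sh
       function is an added example, not code from this man page or from
       Tru64; the deselected files, the audited event set and the would_audit
       and in_list names are constructed for illustration, and it assumes,
       as the obj_sel description states for that mode, that an event acting
       on no file at all is still audited.

```shell
# Added example, not from auditmask(8) or Tru64: a sh model of the obj_desel
# rule, so cases like "stat foo" versus "unlink foo" can be checked.
# The deselected files and the audited event set are constructed.
DATA_ACCESS='open close link access stat lstat dup revoke readlink fstat dup2 getdirentries read lseek'
DESELECTED='/usr/shlib/libc.so /tmp/xxxx'
AUDITED_EVENTS='open stat link unlink'

# in_list WORD LIST: true if WORD is one of the space-separated words in LIST.
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# would_audit EVENT ACCESS FILE...: print yes if a record would be generated.
# ACCESS is "write" for an open for write or truncate (never deselected),
# otherwise "read". Assumption not stated for this mode on the page: an event
# that operates on no file at all is audited, as obj_sel does.
would_audit() {
    event=$1; access=$2; shift 2
    if ! in_list "$event" "$AUDITED_EVENTS"; then
        echo no; return 0          # event not selected at all
    fi
    # Only data-access operations can be deselected, never a write/truncate open.
    if ! in_list "$event" "$DATA_ACCESS" || [ "$access" = write ]; then
        echo yes; return 0
    fi
    if [ $# -eq 0 ]; then
        echo yes; return 0
    fi
    # Suppressed only when every file the call operates on is deselected.
    for f in "$@"; do
        if ! in_list "$f" "$DESELECTED"; then
            echo yes; return 0
        fi
    done
    echo no
}
```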

   Cluster Audit Masks
       Each member of a cluster runs with its own auditmask. To simplify keep‐
       ing the masks identical, use the -cluster option.

EXAMPLES
       The command line in the following example returns the auditmask and
       audit control flag for process 999:

              # auditmask -p 999

       The command line in the following example executes the my_prog program
       with the open system call added to its auditmask and no change to its
       audit control flag:

              # auditmask open -e my_prog

       The command line in the following example executes the vi command on
       the /etc/motd file with its auditmask set to audit all system calls and
       all trusted events, and its audit control flag set to OR:

              # auditmask -c or -E vi /etc/motd

SEE ALSO
       Commands: auditconfig(8)

       Functions: audcntl(2)

       Security
