auditmask(8)auditmask(8)NAMEauditmask - Gets or sets audit masks
/usr/sbin/auditmask [flags] [event[:succeed:fail]] [-e,E file
Sets the audit mask for all processes that have the specified audit ID
(audit_id). By specifying the audit ID of a user, all processes with
the specified audit ID are audited. The event list specified on the
command line becomes the audit mask for the target processes. Note
that the new events are combined with the current events for the target
process. Executes auditmask on each active member of the cluster. Any
files specified must be visable to all members in the cluster. Process-
specific commands are not supported across the cluster. Entering audit‐
mask -cluster prints out each cluster member's audit mask. The follow‐
ing auditmask options are supported with the -cluster option and work
as follows: Has valid meaning only for a cluster member that the user
is currently logged into. Not valid if -p is used. With a specified
process -f is not supported with -cluster. Without a specified process,
-f is supported. Supported. With a specified procces -n is not sup‐
ported with -cluster. Without a specified procces -n works as usual
across each cluster member. Works as usual across each cluster member.
The following auditmask options are not supported with the
-cluster option: -e, -E, -p, -q, -Q, -x, -X, -y-Y. Sets the
value of the audit control flags for the target audit processes.
The -coption can be used only in conjunction with the -a, -e,
-E, or -p options. The audit control flag strings are as fol‐
lows: An audit record is generated if either the system audit
mask or the process audit mask indicates such an event should be
audited. An audit record is generated if both the system audit
mask and the process audit mask indicate such an event should be
audited. No audit records are generated for the current
process. An audit record gets generated if the process audit
mask indicates such an event should be audited. Turns off or on
all system call auditing for the selected process (or group of
processes if based on login user). Include the habitat audit
events as described in the /etc/sec/audit_events file. Executes
the file and audits all system calls and trusted events. The
args parameters are the arguments associated with the program
file. This option is useful for debugging. Executes the file
and audits under a specified audit mask. The args parameters are
the arguments associated with the program file. For example,
auditmask open -e test_prog foo If a process is specified, sets
that process' audit mask to all events; otherwise, sets the sys‐
tem audit mask to all events. Displays a brief help message.
If a process is specified, clears that process' audit mask; oth‐
erwise, clears the system audit mask. When one or more events
are provided, sets the audit mask for a single process specified
by pid and events. The event list specified on the command line
modifies the settings for those events in the current audit mask
of the specified process. If only -p pid is specified, the
events being audited for the specified pid and the audcntl flag
are returned. The -p option is used to check a suspicious
process in real time. Query status of file filename for object
selection/deselection. Query status of files in filelist rele‐
vant to object selection/deselection. Sets the audit style
characteristics of the audit subsystem as follows: Enables the
auditing of the argument list to an execv or execve system call.
Enables the auditing of the environment strings to an execv or
execve system call. Enables recording the command name in each
audit record. The command name is the same name as that used in
the accounting records. This is the last component of the
invoked pathname, and is restricted to a maximum of 16 charac‐
ters. Enables the auditing of the user name in failed login
attempts when the user name is not recognized. (If the account
name for a failed access attempt is recognized, an entry is
always generated in the audit log.) Enable object selection
Specifying -c obj_sel or -c obj_sel:1 enables the object selec‐
tion mode. Specifying -c obj_sel:0 disables the object selection
The object selection mode provides the ability to specify a set
of files for which selected events get audited, while those same
events on other files do not get audited. In this mode, audit
records get generated only when an event is selected and either
that event is acting on a selected file or not acting on any
file. The result is that it is now possible, for example, to
audit open's of /etc/passwd and /.rhosts while not auditing
open's of /tmp/xxxx.
See the -x and -X options, and the Security manual. Enable
object deselection mode.
Specifying -c obj_desel or -c obj_desel:1 enables the deselec‐
tion mode. Specifying -c obj_desel:0 disables the deselection
The file deselection mode provides the ability to specify a set
of files for which specific selected events do not get audited,
while those same events on other files do get audited.
The events which may be deselected are data access operations
(no data modifications). The set of events which get deselected
open close link access stat lstat dup revoke
readlink fstat dup2 getdirentries read lseek
File open's for write or truncate access, however, do not get
In this mode, audit records get generated for selected events,
unless all files operated on by that system call are deselected
and the operation is a data access. So, if you are auditing
stat and unlink, and the file foo is deselected, then a stat of
foo would not be audited, but an unlink of foo would be audited
(the unlink is not a "data access" operation).
The result is that it is now possible, for example, to not audit
accesses to /usr/shlib/libc.so, but still audit open's of
See the -y and -Y options, and the Security manual. Enable or
disable selection on filename. No : or the presence of a :1 on
the end of the argument enables the action; a :0 disables the
action. Enable or disable selection on the files in the
filelist. No : or the presence of a :1 on the end of the argu‐
ment enables the action; a :0 disables the action. Enable or
disable deselection on filename. No : or the presence of a :1
on the end of the argument enables the action; a :0 disables the
action. Enable or disable deselection on the files in the
filelist. No : or the presence of a :1 on the end of the argu‐
ment enables the action; a :0 disables the action.
The auditmask command is used to: Get or set the system audit mask and
the audit style flag Get or set a process' audit mask and its audit
control flag Execute a process under a specified audit mask Select or
deselect filesystem objects
The system audit mask contains system calls (default list is in
/etc/sec/audit_events), trusted events (defined in audit.h), and site-
defined events (/etc/sec/site_events). The system audit mask is set
during the setup of the audit subsystem using the auditconfig script.
The system audit mask can be changed at any time using the auditmask
Under enhanced security, when a user logs in to the system, the authen‐
tication databases (/var/tcb/files/auth.db and /var/tcb/files/auth.db)
are read and the login process' audit characteristics are set according
to the u_auditmask and u_auditcntl entries. This audit mask and audit
control flag are inherited by all spawned processes.
Setting the audit control flag of a process automatically resets a pre‐
vious setting of AUDIT_SYSCALL_OFF for that process.
Getting the System Audit Mask
The auditmask command with no arguments displays the system calls,
trusted events, and site events currently being audited for the system,
and indicates whether they are being audited under successful or failed
occurrences or both. The format used for the display is acceptable as
input to subsequent auditmask commands.
Setting the System Audit Mask
The auditmask command with event arguments sets the system call,
trusted event, or site event audit masks for the system audit mask.
This is a cumulative operation, so it is possible to turn on or off
audit for one set of events, then turn on or off audit for a second set
of events without changing the first set of events (except for the
intersection between the two sets). Command line arguments to audit‐
mask can include one or more events, each with an optional field :suc‐
ceed:fail, where succeed is either 0 to specify no auditing of success‐
ful occurrences of event or 1 to specify auditing of successful occur‐
rences of event; and fail is either 0 to specify no auditing of failed
occurrences of event or 1 to specify auditing of failed occurrences of
event. The event is one of the following: A system call name A trusted
event name (see audit.h) A site-defined name in /etc/sec/site_events An
alias defined in /etc/sec/event_aliases
The auditmask command will also accept redirected input, which can be
the output of a previously issued auditmask command. This is a file
containing lines in the following format: event [succeed] [fail]
If the keyword succeed is present, successful occurrences of that event
will be audited; if the keyword fail is present, failed occurrences of
that event will be audited; if both are present, successful and failed
occurrences will be audited; if neither keyword is present, that event
will not be audited.
The auditmask command with the -s option is used to set the audit style
characteristics of the audit subsystem. See the description of the -s
Getting and Setting Process' Auditmask
The audit characteristics for a process are made up of the process
auditmask and the audit control flag. The auditmask command can be used
to set or get the audit characteristics for a specified process. If no
audit characteristics are specified, auditmask gets the process' audit‐
mask and control flag; if any audit characteristics are specified,
auditmask sets the process' auditmask and/or the audit control flag.
Processes are specified as follows: A single process using the -p
option A family of processes using the -a option A new process using
the -e or -E option
Site-defined events and habitat system calls can be set only for the
system, as opposed to the processes. See the habitat_usr selection
under the -c control_flag flag.
A program can be executed with a specified auditmask using the -e or -E
options. This can be used to learn more about the program's behavior.
The -e and -E options set the process audit control flag to AUDIT_USR
(unless explicitly set otherwise).
Using Object Selection and Deselection
Object selection and deselection modes provide another preselection
mechanism designed to help administrators audit specifically those
operations of interest to them.
Some events, such as mount and reboot, are operations affecting system
state; other events, such as open and unlink, are operations which
affect specific files. While all reboot attempts might be security
relevant, all file open's might not be (based on the site security
model). The file object selection/deselection mechanism provides a
further level of granularity for events which operate on files.
This mechanism can be run in either file selection (audstyle obj_sel)
or file deselection (audstyle obj_desel) mode.
Note that processes with a flag of AUDIT_USR do not have their auditing
reduced through the selection/deselection mechanism.
Cluster Audit Masks
Each member of a cluster runs with its own auditmask. To simplify keep‐
ing the masks identical, use the -cluster option.
The command line in the following example returns the auditmask and
audit control flag for process 999: # auditmask-p 999
The command line in the following example executes the my_prog program
with the open system call added to its auditmask and no change to its
audit control flag: # auditmask open -e my_prog
The command line in the following example executes the vi command on
the /etc/motd file with its auditmask set to audit all system calls and
all trusted events, and its audit control flag set to OR: # auditmask-c or -E vi /etc/motd