The OpenNET Project / Index page

[ новости /+++ | форум | теги | ]

Интерактивная система просмотра системных руководств (man-ов)

 ТемаНаборКатегория 
 
 [Cписок руководств | Печать]

auditconfig (1)
  • >> auditconfig (1) ( Solaris man: Команды и прикладные программы пользовательского уровня )
  •  

    NAME

    auditconfig - configure auditing
     
    

    SYNOPSIS

    auditconfig option...
    

     

    DESCRIPTION

    auditconfig provides a command line interface to get and set kernel audit parameters.

    This functionality is available only if the Basic Security Module (BSM) has been enabled. See bsmconv(1M) for more information.

    The setting of the perzone policy determines the scope of the audit setting controlled by auditconfig. If perzone is set, then the values reflect the local zone except as noted. Otherwise, the settings are for the entire system. Any restriction based on the perzone setting is noted for each option to which it applies.

    A non-global zone administrator can set all audit policy options except perzone and ahlt. perzone and ahlt apply only to the global zone; setting these policies requires the privileges of a global zone administrator. perzone and ahlt are described under the -setpolicy option, below.  

    OPTIONS

    -aconf

    Set the non-attributable audit mask from the audit_control(4) file. For example:

    # auditconfig -aconf
    Configured non-attributable events.
    

    -audit event sorf retval string

    This command constructs an audit record for audit event event using the process's audit characteristics containing a text token string. The return token is constructed from the sorf (success/failure flag) and the retval (return value). The event is type char*, the sorf is 0/1 for success/failure, retval is an errno value, string is type *char. This command is useful for constructing an audit record with a shell script. An example of this option:

    # auditconfig -audit AUE_ftpd 0 0 "test string"
    #
    
    audit record from audit trail:
       header,76,2,ftp access,,Fri Dec 08 08:44:02 2000, + 669 msec
       subject,abc,root,other,root,other,104449,102336,235 197121 elbow
       text,test string
       return,success,0
    

    -chkaconf

    Checks the configuration of the non-attributable events set in the kernel against the entries in audit_control(4). If the runtime class mask of a kernel audit event does not match the configured class mask, a mismatch is reported.

    -chkconf

    Check the configuration of kernel audit event to class mappings. If the runtime class mask of a kernel audit event does not match the configured class mask, a mismatch is reported.

    -conf

    Configure kernel audit event to class mappings. Runtime class mappings are changed to match those in the audit event to class database file.

    -getasid

    Prints the audit session ID of the current process. For example:

    # auditconfig -getasid
    audit session id = 102336
    

    -getaudit

    Returns the audit characteristics of the current process.

    # auditconfig -getaudit
    audit id = abc(666)
    process preselection mask = lo(0x1000,0x1000)
    terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
    audit session id = 102336
    

    -getauid

    Prints the audit ID of the current process. For example:

    # auditconfig -getauid
    audit id = abc(666)
    

    -getcar

    Prints current active root location (anchored from root [or local zone root] at system boot). For example:

    # auditconfig -getcar
    current active root = /
    

    -getclass event

    Display the preselection mask associated with the specified kernel audit event. event is the kernel event number or event name.

    -getcond

    Display the kernel audit condition. The condition displayed is the literal string auditing meaning auditing is enabled and turned on (the kernel audit module is constructing and queuing audit records); noaudit, meaning auditing is enabled but turned off (the kernel audit module is not constructing and queuing audit records); disabled, meaning that the audit module has not been enabled; or nospace, meaning there is no space for saving audit records. See auditon(2) and auditd(1M) for further information.

    -getestate event

    For the specified event (string or event number), print out classes event has been assigned. For example:

    # auditconfig -getestate 20
    audit class mask for event AUE_REBOOT(20) = 0x800
    # auditconfig -getestate AUE_RENAME
    audit class mask for event AUE_RENAME(42) = 0x30
    

    -getkaudit

    Get audit characteristics of the current zone. For example:

    # auditconfig -getkaudit
    audit id = unknown(-2)
    process preselection mask = lo,na(0x1400,0x1400)
    terminal id (maj,min,host) = 0,0,(0.0.0.0)
    audit session id = 0
    

    If the audit policy perzone is not set, the terminal id is that of the global zone. Otherwise, it is the terminal id of the local zone.

    -getkmask

    Get non-attributable pre-selection mask for the current zone. For example:

    # auditconfig -getkmask
    audit flags for non-attributable events = lo,na(0x1400,0x1400)
    

    If the audit policy perzone is not set, the kernel mask is that of the global zone. Otherwise, it is that of the local zone.

    -getpinfo pid

    Display the audit ID, preselection mask, terminal ID, and audit session ID for the specified process.

    -getpolicy

    Display the kernel audit policy. The ahlt and perzone policies reflect the settings from the global zone. If perzone is set, all other policies reflect the local zone's settings. If perzone is not set, the policies are machine-wide.

    -getcwd

    Prints current working directory (anchored from zone root at system boot). For example:

    # cd /usr/tmp
    # auditconfig -getcwd
    current working directory = /var/tmp
    

    -getqbufsz

    Get audit queue write buffer size. For example:

    # auditconfig -getqbufsz
           audit queue buffer size (bytes) = 1024
    

    -getqctrl

    Get audit queue write buffer size, audit queue hiwater mark, audit queue lowater mark, audit queue prod interval (ticks).

    # auditconfig -getqctrl
    audit queue hiwater mark (records) = 100
    audit queue lowater mark (records) = 10
    audit queue buffer size (bytes) = 1024
    audit queue delay (ticks) = 20
    

    -getqdelay

    Get interval at which audit queue is prodded to start output. For example:

    # auditconfig -getqdelay
    audit queue delay (ticks) = 20
    

    -getqhiwater

    Get high water point in undelivered audit records when audit generation will block. For example:

    # ./auditconfig -getqhiwater
    audit queue hiwater mark (records) = 100
    

    -getqlowater

    Get low water point in undelivered audit records where blocked processes will resume. For example:

    # auditconfig -getqlowater
    audit queue lowater mark (records) = 10
    

    -getstat

    Print current audit statistics information. For example:

    # auditconfig -getstat
    gen nona kern  aud  ctl  enq wrtn wblk rblk drop  tot  mem
    910    1  725  184    0  910  910    0  231    0   88   48
    

    See auditstat(1M) for a description of the headings in -getstat output.

    -gettid

    Print audit terminal ID for current process. For example:

    # auditconfig -gettid
    terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
    

    -lsevent

    Display the currently configured (runtime) kernel and user level audit event information.

    -lspolicy

    Display the kernel audit policies with a description of each policy.

    -setasid session-ID [cmd]

    Execute shell or cmd with specified session-ID. For example:

    # ./auditconfig -setasid 2000 /bin/ksh
    #
    # ./auditconfig -getpinfo 104485
    audit id = abc(666)
    process preselection mask = lo(0x1000,0x1000)
    terminal id (maj,min,host) = 235,197121,elbow(172.146.89.77)
    audit session id = 2000
    

    -setaudit audit-ID preselect_flags term-ID session-ID [cmd]

    Execute shell or cmd with the specified audit characteristics.

    -setauid audit-ID [cmd]

    Execute shell or cmd with the specified audit-ID.

    -setclass event audit_flag[,audit_flag ...]

    Map the kernel event event to the classes specified by audit_flags. event is an event number or name. An audit_flag is a two character string representing an audit class. See audit_control(4) for further information. If perzone is not set, this option is valid only in the global zone.

    -setkaudit IP-address_type IP_address

    Set IP address of machine to specified values. IP-address_type is ipv6 or ipv4.

    If perzone is not set, this option is valid only in the global zone.

    -setkmask audit_flags

    Set non-attributes selection flags of machine.

    If perzone is not set, this option is valid only in the global zone.

    -setpmask pid flags

    Set the preselection mask of the specified process. flags is the ASCII representation of the flags similar to that in audit_control(4).

    If perzone is not set, this option is valid only in the global zone.

    -setpolicy [+|-]policy_flag[,policy_flag ...]

    Set the kernel audit policy. A policy policy_flag is literal strings that denotes an audit policy. A prefix of + adds the policies specified to the current audit policies. A prefix of - removes the policies specified from the current audit policies. No policies can be set from a local zone unless the perzone policy is first set from the global zone. The following are the valid policy flag strings (auditconfig -lspolicy also lists the current valid audit policy flag strings):

    all

    Include all policies that apply to the current zone.

    ahlt

    Halt the machine if an asynchronous audit event occurs that cannot be delivered because the audit queue has reached the high-water mark or because there are insufficient resources to construct an audit record. By default, records are dropped and a count is kept of the number of dropped records.

    arge

    Include the execv(2) system call environment arguments to the audit record. This information is not included by default.

    argv

    Include the execv(2) system call parameter arguments to the audit record. This information is not included by default.

    cnt

    Do not suspend processes when audit resources are exhausted. Instead, drop audit records and keep a count of the number of records dropped. By default, process are suspended until audit resources become available.

    group

    Include the supplementary group token in audit records. By default, the group token is not included.

    none

    Include no policies. If used in other than the global zone, the ahlt and perzone policies are not changed.

    path

    Add secondary path tokens to audit record. These are typically the pathnames of dynamically linked shared libraries or command interpreters for shell scripts. By default, they are not included.

    perzone

    Maintain separate configuration, queues, and logs for each zone and execute a separate version of auditd(1M) for each zone.

    public

    Audit public files. By default, read-type operations are not audited for certain files which meet public characteristics: owned by root, readable by all, and not writable by all.

    trail

    Include the trailer token in every audit record. By default, the trailer token is not included.

    seq

    Include the sequence token as part of every audit record. By default, the sequence token is not included. The sequence token attaches a sequence number to every audit record.

    windata_down

    Include in an audit record any downgraded data moved between windows. This policy is available only if the system is configured with Trusted Extensions. By default, this information is not included.

    windata_up

    Include in an audit record any upgraded data moved between windows. This policy is available only if the system is configured with Trusted Extensions. By default, this information is not included.

    zonename

    Include the zonename token as part of every audit record. By default, the zonename token is not included. The zonename token gives the name of the zone from which the audit record was generated.

    -setqbufsz buffer_size

    Set the audit queue write buffer size (bytes).

    -setqctrl hiwater lowater bufsz interval

    Set the audit queue write buffer size (bytes), hiwater audit record count, lowater audit record count, and wakeup interval (ticks). Valid within a local zone only if perzone is set.

    -setqdelay interval

    Set the audit queue wakeup interval (ticks). This determines the interval at which the kernel pokes the audit queue, to write audit records to the audit trail. Valid within a local zone only if perzone is set.

    -setqhiwater hiwater

    Set the number of undelivered audit records in the audit queue at which audit record generation blocks. Valid within a local zone only if perzone is set.

    -setqlowater lowater

    Set the number of undelivered audit records in the audit queue at which blocked auditing processes unblock. Valid within a local zone only if perzone is set.

    -setsmask asid flags

    Set the preselection mask of all processes with the specified audit session ID. Valid within a local zone only if perzone is set.

    -setstat

    Reset audit statistics counters. Valid within a local zone only if perzone is set.

    -setumask auid flags

    Set the preselection mask of all processes with the specified audit ID. Valid within a local zone only if perzone is set.

     

    EXAMPLES

    Example 1 Using auditconfig

    The following is an example of an auditconfig program:

    #
    # map kernel audit event number 10 to the "fr" audit class
    #
    % auditconfig -setclass 10 fr
    
    #
    # turn on inclusion of exec arguments in exec audit records
    #
    % auditconfig -setpolicy +argv
    

     

    EXIT STATUS

    0

    Successful completion.

    1

    An error occurred.

     

    FILES

    /etc/security/audit_event

    Stores event definitions used in the audit system.

    /etc/security/audit_class

    Stores class definitions used in the audit system.

     

    ATTRIBUTES

    See attributes(5) for descriptions of the following attributes:

    ATTRIBUTE TYPEATTRIBUTE VALUE

    AvailabilitySUNWcsu

    Interface Stability

     

    SEE ALSO

    audit(1M), auditd(1M), auditstat(1M), bsmconv(1M), praudit(1M), auditon(2), execv(2), audit_class(4), audit_control(4), audit_event(4), attributes(5), audit_binfile(5)

    See the section on Solaris Auditing in System Administration Guide: Security Services.  

    NOTES

    If plugin output is selected using audit_control(4), the behavior of the system with respect to the -setpolicy +cnt and the -setqhiwater options is modified slightly. If -setpolicy +cnt is set, data will continue to be sent to the selected plugin, even though output to the binary audit log is stopped, pending the freeing of disk space. If -setpolicy -cnt is used, the blocking behavior is as described under OPTIONS, above. The value set for the queue high water mark is used within auditd as the default value for its queue limits unless overridden by means of the qsize attribute as described in audit_control(4).

    The auditconfig options that modify or display process-based information are not affected by the perzone policy. Those that modify system audit data such as the terminal id and audit queue parameters are valid only in the global zone, unless the perzone policy is set. The display of a system audit reflects the local zone if perzone is set. Otherwise, it reflects the settings of the global zone.

    The -setcond option has been removed. Use audit(1M) to enable or disable auditing.

    The -getfsize and -setfsize options have been removed. Use audit_binfile(5) p_fsize to set the audit file size.


     

    Index

    NAME
    SYNOPSIS
    DESCRIPTION
    OPTIONS
    EXAMPLES
    EXIT STATUS
    FILES
    ATTRIBUTES
    SEE ALSO
    NOTES


    Поиск по тексту MAN-ов: 




    Партнёры:
    PostgresPro
    Inferno Solutions
    Hosting by Hoster.ru
    Хостинг:

    Закладки на сайте
    Проследить за страницей
    Created 1996-2024 by Maxim Chirkov
    Добавить, Поддержать, Вебмастеру