Command: auditmask | Section: 8 | Source: Digital UNIX | File: auditmask.8.gz
auditmask(8) System Manager's Manual auditmask(8)
NAME
auditmask - Gets or sets auditmasks
SYNOPSIS
       /usr/sbin/auditmask [flags] [event[:succeed:fail] ...]
                           [-e | -E file [args...]] [< event_list]
FLAGS
  -a audit_id
          Sets the audit mask for all processes that have the specified
          audit ID (audit_id). By specifying the audit ID of a user, all
          processes with the specified audit ID are audited. The event
          list specified on the command line becomes the auditmask for
          the target processes.

  -c control_flag
          Sets the value of the audit control flag for the target audit
          processes. The -c flag can be used only in conjunction with the
          -a, -e, -E, or -p flags. The audit control flag strings are as
          follows:

          or      An audit record is generated if either the system
                  auditmask or the process auditmask indicates such an
                  event should be audited.

          and     An audit record is generated if both the system
                  auditmask and the process auditmask indicate such an
                  event should be audited.

          off     No audit records are generated for the current process.

          usr     An audit record is generated if the process auditmask
                  indicates such an event should be audited.

          syscall_off, syscall_on
                  Turns off or on all system call auditing for the
                  selected process (or group of processes if based on
                  login user). syscall_on provides in-depth process
                  tracing by enabling auditing of all system call events.

          habitat_usr
                  Include the habitat audit events as described in the
                  /etc/sec/audit_events file.

  -e file [args...]
          Executes file and audits all system calls and trusted events.
          The args parameters are the arguments associated with the
          program file. This option is useful for debugging.

  -E file [args...]
          Executes file and audits it under the auditmask specified on
          the command line. The args parameters are the arguments
          associated with the program file.

  -f      If a process is specified, sets that process' auditmask to all
          events; otherwise, sets the system auditmask to all events.

  -h      Displays a brief help message.

  -n      If a process is specified, clears that process' auditmask;
          otherwise, clears the system auditmask.

  -p pid  When one or more events are provided, sets the auditmask for
          the single process specified by pid. The event list specified
          on the command line modifies the settings for those events in
          the current auditmask of the specified process. If only -p pid
          is specified, the events being audited for the specified pid
          and the audcntl flag are returned. The -p option is used to
          check a suspicious process in real time.

  -s style_flag
          Sets the audit style characteristics of the audit subsystem.
          The style flag strings are as follows:

          exec_argp
                  Enables the auditing of the argument list to an execv
                  or execve system call.

          exec_envp
                  Enables the auditing of the environment strings to an
                  execv or execve system call.

          login_uname
                  Enables the auditing of the user name in failed login
                  attempts when the user name is not recognized. (If the
                  account name for a failed access attempt is recognized,
                  an entry is always generated in the audit log.)

          obj_sel[:0|:1]
                  Enables object selection mode. Specifying -s obj_sel
                  or -s obj_sel:1 enables the object selection mode;
                  specifying -s obj_sel:0 disables it. With the object
                  selection mode enabled, data access operations result
                  in audit records being generated only if performed
                  against a selected file. See the -x and -X options,
                  and the Security manual.

          obj_desel[:0|:1]
                  Enables object deselection mode. Specifying
                  -s obj_desel or -s obj_desel:1 enables the deselection
                  mode; specifying -s obj_desel:0 disables it. With the
                  deselection mode enabled, data access operations on
                  deselected files do not generate audit data. See the
                  -y and -Y options, and the Security manual.

  -x filename[:0|:1]
          Enables or disables selection on filename. No : or a :1 at the
          end of the argument enables the action; a :0 disables it.

  -X filelist[:0|:1]
          Enables or disables selection on the files in filelist. No :
          or a :1 at the end of the argument enables the action; a :0
          disables it.

  -y filename[:0|:1]
          Enables or disables deselection on filename. No : or a :1 at
          the end of the argument enables the action; a :0 disables it.

  -Y filelist[:0|:1]
          Enables or disables deselection on the files in filelist. No :
          or a :1 at the end of the argument enables the action; a :0
          disables it.

  The object selection/deselection status of a single file (filename)
  or of the files in a filelist can also be queried.
DESCRIPTION
The auditmask command is used to:
    Get or set the system auditmask and the audit style flag
    Get or set a process' auditmask and its audit control flag
    Execute a process under a specified auditmask
    Select or deselect filesystem objects
The system auditmask contains system calls (default list is in
/etc/sec/audit_events), trusted events (defined in audit.h), and site-
defined events (/etc/sec/site_events). The system auditmask is set
during the setup of the audit subsystem using the audit_setup script.
The system auditmask can be changed at any time using the auditmask
command.
Under enhanced security (passwords), when a user logs in to the system,
the authentication database (/tcb/auth/files/<a-z>/username) is read
and the login process' audit characteristics are set according to the
u_auditmask and u_auditcntl entries. This auditmask and audit control
flag are inherited by all spawned processes.
Setting the audit control flag of a process automatically resets a pre-
vious setting of AUDIT_SYSCALL_OFF for that process.
Getting the System Auditmask
The auditmask command with no arguments displays the system calls,
trusted events, and site events currently being audited for the system,
and indicates whether they are being audited under successful or failed
occurrences or both. The format used for the display is acceptable as
input to subsequent auditmask commands.
Setting the System Auditmask
The auditmask command with event arguments sets the system call,
trusted event, or site event audit masks for the system auditmask.
This is a cumulative operation, so it is possible to turn on or off
audit for one set of events, then turn on or off audit for a second set
of events without changing the first set of events (except for the
intersection between the two sets). Command line arguments to auditmask
can include one or more events, each with an optional field
:succeed:fail, where succeed is either 0 (no auditing of successful
occurrences of event) or 1 (audit successful occurrences of event), and
fail is either 0 (no auditing of failed occurrences of event) or 1
(audit failed occurrences of event). The event is one of the following:
    A system call name
    A trusted event name (see audit.h)
    A site-defined name in /etc/sec/site_events
    An alias defined in /etc/sec/event_aliases
The auditmask command will also accept redirected input, which can be
the output of a previously issued auditmask command. This is a file
containing lines in the following format:
event [succeed] [fail]
If the keyword succeed is present, successful occurrences of that event
will be audited; if the keyword fail is present, failed occurrences of
that event will be audited; if both are present, successful and failed
occurrences will be audited; if neither keyword is present, that event
will not be audited.
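The following shell helpers are an added example and are not code from the Digital UNIX man page or from the audit subsystem itself. They handle the two event-list forms just described (the saved "event [succeed] [fail]" form and the command-line "event:succeed:fail" form), build the cumulative-update command line rather than executing it, and go one step beyond the text by comparing a saved baseline mask against current auditmask output to flag events whose auditing has been narrowed. Only sh and awk are assumed; the two sample masks are constructed here for illustration and are not real auditmask output.

```shell
#!/bin/sh
# Added example, not part of auditmask(8): helpers for auditmask event lists.
#   saved form (auditmask output / redirected input):  event [succeed] [fail]
#   argument form (command line):                       event:succeed:fail

# mask_to_args FILE
#   Prints one event:succeed:fail argument per line for each event in FILE.
#   An event with neither keyword becomes event:0:0, which, because updates
#   are cumulative, explicitly turns auditing of that event off.
mask_to_args() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }           # skip blank and comment lines
    {
        s = 0; f = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "succeed") s = 1
            else if ($i == "fail") f = 1
        }
        printf "%s:%d:%d\n", $1, s, f
    }' "$1"
}

# mask_cmdline FILE
#   Prints the auditmask command line that would apply FILE as a cumulative
#   update to the system auditmask. Printed, not run, so it can be reviewed.
mask_cmdline() {
    printf '/usr/sbin/auditmask'
    mask_to_args "$1" | while IFS= read -r arg; do printf ' %s' "$arg"; done
    printf '\n'
}

# mask_regressions BASELINE CURRENT
#   Lists events whose succeed or fail auditing is on in BASELINE but off
#   (or absent) in CURRENT, i.e. the check to run against "auditmask"
#   output to detect an auditmask that has been quietly narrowed.
mask_regressions() {
    awk -v base="$1" '
    function bits(   s, f, i) {             # succeed:fail bits of this record
        s = 0; f = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "succeed") s = 1
            else if ($i == "fail") f = 1
        }
        return s ":" f
    }
    NF == 0 || $1 ~ /^#/ { next }
    FILENAME == base { want[$1] = bits(); next }   # baseline mask
    { have[$1] = bits() }                           # current mask
    END {
        for (e in want) {
            w = want[e]
            h = (e in have) ? have[e] : "0:0"       # missing event = not audited
            split(w, wb, ":"); split(h, hb, ":")
            if (wb[1] + 0 > hb[1] + 0 || wb[2] + 0 > hb[2] + 0)
                printf "%s baseline=%s current=%s\n", e, w, h
        }
    }' "$1" "$2" | sort
}

# Constructed sample masks (not real auditmask output). The current mask has
# lost failed-setuid auditing and the login trusted event altogether.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/baseline" <<'EOF'
execve succeed fail
setuid succeed fail
open fail
login succeed fail
EOF
cat > "$tmpdir/current" <<'EOF'
execve succeed fail
setuid succeed
open succeed fail
EOF

# Stand-alone demo: show the update command for the current file and the
# events whose auditing regressed relative to the baseline.
mask_cmdline "$tmpdir/current"
mask_regressions "$tmpdir/baseline" "$tmpdir/current"
```

On a live system, feed "auditmask" output (saved with auditmask > file) as the CURRENT argument and a reviewed copy of the intended mask as BASELINE; because updates are cumulative, restoring a narrowed mask is a matter of running the printed command line, with :0:0 entries included for any event that must be explicitly switched off.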
The auditmask command with the -s option is used to set the audit style
characteristics of the audit subsystem. See the description of the -s
option.
Getting and Setting Process' Auditmask
The audit characteristics for a process are made up of the process au-
ditmask and the audit control flag. The auditmask command can be used
to set or get the audit characteristics for a specified process. If no
audit characteristics are specified, auditmask gets the process' audit-
mask and control flag; if any audit characteristics are specified, au-
ditmask sets the process' auditmask and/or the audit control flag.
Processes are specified as follows:
    A single process using the -p option
    A family of processes using the -a option
    A new process using the -e or -E option
Site-defined events and habitat system calls can be set only for the
system, as opposed to the processes. See the habitat_usr selection un-
der the -c control_flag flag.
A program can be executed with a specified auditmask using the -e or -E
options. This can be used to learn more about the program's behavior.
The -e and -E options set the process audit control flag to AUDIT_USR
(unless explicitly set otherwise).
Using Object Selection and Deselection
Object selection and deselection allow you to mark specified file
objects for either auditing or no auditing. In the object selection
mode (-s obj_sel), the following data access events always generate
audit data for the selected objects:
open
close
stat
link
lseek
access
lstat
dup
revoke
readlink
fstat
dup2
getdirentries
The auditing of file objects that are not selected is determined by the
active audit events.
In the object deselection mode (-s obj_desel), deselected file objects
generate no audit data for the data access events listed above, even
when those events are active in the auditmask.
Note that processes with an audit control flag of AUDIT_USR do not have
their auditing reduced through the selection/deselection mechanism.
EXAMPLES
The command line in the following example returns the auditmask and au-
dit control flag for process 999:
# auditmask -p 999
The command line in the following example executes the my_prog program
with the open system call added to its auditmask and no change to its
audit control flag:
# auditmask open -e my_prog
The command line in the following example executes the vi command on
the /etc/motd file with its auditmask set to audit all system calls and
all trusted events, and its audit control flag set to OR:
# auditmask -c or -E vi /etc/motd
RELATED INFORMATION
Commands: audit_setup(8)
Functions: audcntl(2)
Security manual