auditmask(8) — Maintenance
NAME
auditmask − Get or set auditmasks (Enhanced Security)
SYNOPSIS
/usr/sbin/auditmask [ flags ] [ event[:succeed:fail]] \
[−e,E file [args...]] [< event_list]
DESCRIPTION
The auditmask command is used to:
• Get or set the system auditmask and the audit style flag
• Get or set a process’ auditmask and its audit control flag
• Execute a process under a specified auditmask
The system auditmask contains system calls (the default list is in /etc/sec/audit_events), trusted events (defined in audit.h), and site-defined events (/etc/sec/site_events). The system auditmask is set during the setup of the audit subsystem by the audit_setup script. The system auditmask can be changed at any time with the auditmask command.
When a user logs in to the system, the /tcb/auth/files/<a-z>/username file is read and the login process’ audit characteristics are set according to the u_auditmask and u_auditcntl entries. This auditmask and audit control flag are inherited by all spawned processes. By specifying the audit ID of a user, all processes with the specified audit ID are audited.
Getting the System Auditmask
The auditmask command with no arguments displays the system calls, trusted events, and site events currently being audited for the system, and indicates whether they are being audited under successful or failed occurrences or both. The format used for the display is acceptable as input to subsequent auditmask commands.
Setting the System Auditmask
The auditmask command with event arguments sets the system call, trusted event, or site event audit masks for the system auditmask. This is a cumulative operation, so it is possible to turn audit on or off for one set of events, then turn audit on or off for a second set of events without changing the first set (except where the two sets intersect). Command line arguments to auditmask can include one or more events, each with an optional field :succeed:fail, where succeed is either 0 to specify no auditing of successful occurrences of event, or 1 to specify auditing of successful occurrences of event; and fail is either 0 to specify no auditing of failed occurrences of event, or 1 to specify auditing of failed occurrences of event. The event is one of the following:
• The system call name or the trusted event name (see audit.h).
• A site-defined name in /etc/sec/site_events.
• An alias defined in /etc/sec/event_aliases.
The auditmask command will also accept redirected input, which can be the output of a previously issued auditmask command. This is a file containing lines in the following format:
event [succeed] [fail]
If the keyword succeed is present, successful occurrences of that event will be audited; if the keyword fail is present, failed occurrences of that event will be audited; if both are present, successful and failed occurrences will be audited; if neither keyword is present, that event will not be audited.
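The following shell functions, added here as an example and not part of the auditmask distribution, convert between the two event syntaxes the page describes: the redirected-input form (event followed by the optional keywords succeed and fail) and the command-line form event:succeed:fail. The event names in SAMPLE_EVENTS are constructed sample input, not the system's real default list. A bare event on the command line (no :succeed:fail field) is not handled, because its meaning is not specified on this page; the reverse conversion accepts only the fully specified form.

```shell
#!/bin/sh
# Added example (not from the auditmask distribution): convert between the
# "event [succeed] [fail]" file form and the "event:succeed:fail" argument form.

# Constructed sample of redirected-input lines, in the form auditmask prints.
SAMPLE_EVENTS='open succeed fail
unlink fail
chmod succeed
execve
login succeed fail'

# list_to_args: read "event [succeed] [fail]" lines on stdin and print one
# "event:succeed:fail" argument per line, using the 1/0 values auditmask expects.
# Unknown keywords are rejected so a mistyped saved list is caught before use.
list_to_args() {
    while read -r event k1 k2; do
        [ -z "$event" ] && continue          # skip blank lines
        s=0; f=0
        for kw in "$k1" "$k2"; do
            case "$kw" in
                succeed) s=1 ;;
                fail)    f=1 ;;
                '')      ;;                  # keyword absent: outcome not audited
                *) printf 'bad keyword "%s" for event %s\n' "$kw" "$event" >&2
                   return 1 ;;
            esac
        done
        printf '%s:%s:%s\n' "$event" "$s" "$f"
    done
}

# args_to_list: turn "event:succeed:fail" arguments (the form list_to_args
# emits) back into the file form.  Only the fully specified form is accepted;
# what a bare event means on the command line is not covered by this example.
args_to_list() {
    for arg in "$@"; do
        case "$arg" in
            *:[01]:[01]) ;;
            *) printf 'expected event:succeed:fail, got "%s"\n' "$arg" >&2
               return 1 ;;
        esac
        ev=${arg%%:*}; rest=${arg#*:}; s=${rest%:*}; f=${rest#*:}
        line=$ev
        [ "$s" = 1 ] && line="$line succeed"
        [ "$f" = 1 ] && line="$line fail"
        printf '%s\n' "$line"
    done
}

# Demonstration: file form -> argument form -> file form (round trip).
printf '%s\n' "$SAMPLE_EVENTS" | list_to_args
args_to_list $(printf '%s\n' "$SAMPLE_EVENTS" | list_to_args)
```

In practice a saved auditmask listing would be fed to `list_to_args` to build arguments for `auditmask −p pid` or `auditmask −e file`, and the output of `args_to_list` is suitable as redirected input to auditmask.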
The auditmask command with the −s option is used to set the audit style characteristics of the audit subsystem. See the description of the −s option.
Getting and Setting Process’ Auditmask
The audit characteristics for a process are made up of the process auditmask and the audit control flag. The auditmask command can be used to set or get the audit characteristics for a specified process. If no audit characteristics are specified, auditmask will get the process’ auditmask and control flag; if any audit characteristics are specified, auditmask will set the process’ auditmask.
Processes are specified as follows:
• A single process using the −p option
• A family of processes using the −a option
• A new process using the −e or −E option
Site-defined events and habitat system calls can be set only for the system (as opposed to the processes).
A program can be executed with a specified auditmask using the −e or −E options. This can be used to learn more about the program’s behavior.
FLAGS
−a audit_id
Set the audit mask for all processes that have the specified audit ID (audit_id).
−c control_flag
Sets the value of the audit control flags for the target audit processes. The −c flag can only be used in conjunction with the −a, −e, −E, or −p flags. The audit control flag strings are as follows:
or    An audit record is generated if either the system auditmask or the process auditmask indicates such an event should be audited.
and   An audit record is generated if both the system auditmask and the process auditmask indicate such an event should be audited.
off   No audit records are generated for the current process.
usr   An audit record is generated if the process auditmask indicates such an event should be audited.
−h    Display a brief help message.
−E file [args...]
Execute the file and audit all system calls and trusted events. The args parameters are the arguments associated with the program file. This option is useful for debugging.
−e file [args...]
Execute the file and audit under a specified mask. The args parameters are the arguments associated with the program file.
−f    If a process is specified, set that process’ auditmask to all events; otherwise, set the system auditmask to all events.
−n    If a process is specified, clear that process’ auditmask; otherwise, clear the system auditmask.
−p pid [event[:succeed:fail]]
When one or more events are provided, set the auditmask of the single process specified by pid to the given events. If only −p pid is specified, the events being audited for the specified pid and its audcntl flag are returned. The −p option is used to check a suspicious process in real time.
−s audstyle
Sets the audit style characteristics of the audit subsystem as follows:
exec_argp     Enables the auditing of the argument list to an execv or execve system call.
exec_envp     Enables the auditing of the environment strings to an execv or execve system call.
login_uname   Enables the auditing of the username in failed login attempts.
Specifying audstyle or audstyle:1 enables the characteristic and specifying audstyle:0 disables the characteristic.
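The following shell script, added here as an example and not part of the auditmask distribution, applies the −c control flag semantics (or, and, off, usr) to a system auditmask and a process auditmask and reports, per event, which outcomes would produce an audit record. SYS_MASK and PROC_MASK are constructed sample masks written in the event:succeed:fail form; an event absent from a mask is treated as not audited by that mask, which is an assumption of this example rather than a statement from the page.

```shell
#!/bin/sh
# Added example (not from the auditmask distribution): evaluate the -c control
# flag against a system mask and a process mask, event by event.

# Constructed sample masks in event:succeed:fail form (not real system values).
SYS_MASK='open:1:1 unlink:0:1 chmod:1:0'
PROC_MASK='open:0:0 unlink:1:1 execve:1:1'

# record_generated SYS_BIT PROC_BIT FLAG
#   SYS_BIT / PROC_BIT: 1 if the system / process auditmask audits the outcome.
#   FLAG: or | and | off | usr, the strings accepted by auditmask -c.
# Returns 0 if an audit record is generated, 1 if not, 2 on an unknown flag.
record_generated() {
    sys=$1 proc=$2 flag=$3
    case "$flag" in
        or)  [ "$sys" = 1 ] || [ "$proc" = 1 ] ;;   # either mask suffices
        and) [ "$sys" = 1 ] && [ "$proc" = 1 ] ;;   # both masks required
        off) false ;;                               # never audited
        usr) [ "$proc" = 1 ] ;;                     # process mask alone decides
        *)   printf 'unknown control flag: %s\n' "$flag" >&2; return 2 ;;
    esac
}

# mask_bits MASK EVENT: print "succeed_bit fail_bit" for EVENT in MASK.
# Assumption of this example: an event not present in the mask is "0 0".
mask_bits() {
    for entry in $1; do
        case "$entry" in
            "$2":?:?)
                rest=${entry#*:}
                printf '%s %s\n' "${rest%:*}" "${rest#*:}"
                return 0 ;;
        esac
    done
    printf '0 0\n'
}

# audited_outcomes EVENT FLAG: print "succeed", "fail", "succeed,fail" or
# "none" according to which outcomes of EVENT yield a record under FLAG.
audited_outcomes() {
    ev=$1 flag=$2
    set -- $(mask_bits "$SYS_MASK" "$ev");  sys_s=$1  sys_f=$2
    set -- $(mask_bits "$PROC_MASK" "$ev"); proc_s=$1 proc_f=$2
    out=
    record_generated "$sys_s" "$proc_s" "$flag" && out=succeed
    record_generated "$sys_f" "$proc_f" "$flag" && out=${out:+$out,}fail
    printf '%s\n' "${out:-none}"
}

# Demonstration: the outcome table for every control flag.
for flag in or and off usr; do
    for ev in open unlink chmod execve; do
        printf '%-4s %-7s %s\n' "$flag" "$ev" "$(audited_outcomes "$ev" "$flag")"
    done
done
```

The table makes the practical difference between the flags visible: with `and`, a process can only ever narrow what the system mask already audits, while `or` and `usr` let a per-process mask (set with −p, −a, −e or −E) add events the system mask does not cover.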
EXAMPLES
The command line in the following example returns the auditmask and audit control flag for process 999:
# auditmask −p 999
The command line in the following example executes the my_prog program with the open system call added to its auditmask and no change to its audit control flag:
# auditmask open −e my_prog
The command line in the following example executes the vi command on the /etc/motd file with its auditmask set to audit all system calls and all trusted events, and its audit control flag set to OR:
# auditmask −c or −E vi /etc/motd
RELATED INFORMATION
Security