Museum

Home

Lab Overview

Retrotechnology Articles

Online Manuals

⇒ auditmask(8) — Ultrix/UWS 4.4 RISC

Media Vault

Software Library

Restoration Projects

Artifacts Sought

Related Articles

audcntl(2)

auditmask(8)

Name

auditmask − get or set auditmasks

Syntax

auditmask [ option ... ] [ event[:succeed:fail]

Description

The auditmask command with no arguments displays the system-calls and trusted-events currently being audited for the system, and displays whether they are being audited under successful or failed occurrences or both. The format used for the display is acceptable as input to the auditmask command.

The auditmask command with event arguments sets the system-call and trusted-event audit masks for the system.  This is cumulative operation, so it is possible to turn on or off audit for one set of events, then turn on or off audit for a second set of events without changing the first set of events (except for intersection between the two sets).  Command line arguments to auditmask can include one or more events, each with an optional field :succeed:fail, where succeed is either 0 to specify no auditing of successful occurrences of event, or 1 (or any non-zero character) to specify auditing of successful occurrences of event; and fail is either 0 to specify no auditing of failed occurrences of event or 1 (or any non-zero character) to specify auditing of failed occurrences of event.  The event name is the system-call name or the trusted-event name (see audit.h ). 

The auditmask command will also accept redirected input, which can be the output of a previously issued auditmask command.  This is a file which contains lines of the format event [succeed][fail].  If the keyword succeed is present, successful occurrences of that event will be audited; if the keyword fail is present, failed occurrences of that event will be audited; if both are present, successful and failed occurrences will be audited; if neither keyword is present, that event will not be audited. 

The auditmask command can also be used to set the audit style characteristics of the audit subsystem.  These characteristics control how much information is recorded on exec operations. 

The auditmask command is used in /etc/rc.local to initialize the auditmask at boot time according to the file /etc/sec/audit_events. This makes use of privileged operations within the audcntl() system call.

Options

−fTurns on full auditing for the system.  This list may include events which have no symbolic name and are represented only by a number (reserved for future use); these events will not be audited, despite their presence in the auditmask. 

−nTurns off all auditing for the system. 

-s aud_styleAn aud_style of "exec_argp" enables the auditing of the argument list to an execv or execve syscall. An aud_style of "exec_envp" enables the auditing of the environment strings to an execv or execve syscall.

See Also

audcntl(2)

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026