Mac OS X Developer Tools Manual Page For auditon(2)

ADC Home > Reference Library > Reference > Mac OS X > Mac OS X Man Pages

This document is a Mac OS X manual page. Manual pages are a command-line technology for providing documentation. You can view these manual pages locally using the man(1) command. These manual pages come from many different sources, and thus, have a variety of writing styles.

This manual page is associated with the Mac OS X developer tools. The software or headers described may not be present on your Mac OS X installation until you install the developer tools package. This package is available on your Mac OS X installation DVD, and the latest versions can be downloaded from developer.apple.com.

For more information about the manual page format, see the manual page for manpages(5).

AUDITON(2) BSD System Calls Manual AUDITON(2)

NAME
auditon -- configure the current audit parameters on the system

SYNOPSIS
#include <bsm/audit.h>

int
auditon(int cmd, void * data, int length);

DESCRIPTION
The auditon() function manipulates various audit parameters. The data argument points to the appropri-ate appropriate
ate structure from the header file. Length is the size of the data parameter in bytes. It will typi-cally typically
cally be the sizeof the the structure.

PARAMETERS
A_GETPOLICY Get the current audit policy. Data should point to a long. The policy is the bit-wise bitwise
wise OR'ing of the appropriate flags from bsm/audit.h. If AUDIT_AHLT is set, the
system will kernel panic if it cannot write to the global audit trail. If AUDIT_CNT
is not set and the system becomes low on space, audited events will block until the
low space condition is remedied. Unaudited events are unaffected. The other policy
flags are not implemented.

A_SETPOLICY Set the current audit policy. Data should point to a long specifying the desired
audit policy, as described in A_GETPOLICY.

A_GETKMASK Get the current value of the audit preselection mask for non-attributable events.
Data should point to an au_mask_t. The field am_success specifies which classes of
successful audit events are to be logged to the audit trail. The field am_failure
specifies which classes of failed audit events are to be logged. The value of both
fields is the bitwise OR'ing of the event classes specified in bsm/audit.h. The
various audit classes are described more fully in audit_class(5).

A_SETKMASK Set the current value of the audit preselection mask for non-attributable events.
Data should point to an au_mask_t. The masks are defined as described in A_GETK-MASK. A_GETKMASK.
MASK.

A_GETQCTRL Get the current settings for the audit queue (specifying in kernel buffer size, per-centage percentage
centage of free filesystem blocks, and limits to the number of audit records
allowed). Data should point to an au_qctrl_t.

A_SETQCTRL Set the current settings for the audit queue. Data should point to an au_qctrl_t.

A_GETCOND Gets the current condition of the auditing subsystem. If the value is AUC_AUDITING,
then the audit implementation is currently running. If the value is AUC_NOAUDIT then
the audit implementation is currently turned off. Data should point to a long.

A_SETCOND Sets the condition of the auditing subsystem. If AUC_NOAUDIT is set, then auditing
is temporarily suspended. If AUC_AUDITING is set, auditing is resumed. If AUC_DIS-ABLED AUC_DISABLED
ABLED is set, the auditing system will shutdown, draining all audit records and
closing out the audit trail file. To re-enable auditing, a call to auditctl is
required in addition to setting the condition to AUC_AUDITING. Data should point to
a long.

A_GETCLASS Returns the audit class for the specified audit event. Data should point to a
au_evclassmap_t.

A_SETCLASS Sets the audit class for the specified audit event. Data should point to a
au_evclassmap_t.

A_GETPINFO Returns the audit information stored in the credential for the current process.
Data should point to a auditpinfo_t.

A_SETPMASK Sets the audit settings for a process. The audit user ID, preselection masks for
both success and failure, and terminal IDs must be set. Data should point to a
auditpinfo_t struct.

A_SETFSIZE Set the limit on audit trail file size. File size is in bytes. The file size speci-fied specified
fied is treated as an advisory limit. The system will make a best effort attempt to
rotate log files before they exceed the requested maximum size, but makes no guaran-tees guarantees
tees on log file size Data should point to a au_fstat_t struct. The af_filesz field
is used to specify the new file size, which must be greater than
MIN_AUDIT_FILE_SIZE. A value of 0 indicates no limit on the audit trail's size. The
af_currsz field is ignored. A errno value of EINVAL indicates a maximum file size
that is too small.

A_GETFSIZE Return the maximum allowable size of the audit trail, and the current size of the
audit trail. Data should point to a au_fstat_t struct.

A_GETPINFO_ADDR Not implemented, returns ENOSYS.

A_GETKAUDIT Not implemented, returns ENOSYS.

A_SETKAUDIT Not implemented, returns ENOSYS.

RETURN VALUES
Upon successful completion a value of 0 is returned. Otherwise, a value of -1 is returned and errno is
set to indicate the error.

ERRORS
Errors are specific to the operation requested. In addition, rhe auditon() system call will fail if:

[EINVAL] Length is less than or equal to zero, or if it is greater than any of the expected
structures.

SEE ALSO
audit(2), auditctl(2), getauid(2), setauid(2), getaudit(2), setaudit(2), getaudit_addr(2),
setaudit_addr(2), audit_class(5)

HISTORY
The auditon() function call first appeared in Mac OS X 10.3 (Panther).

Darwin July 30, 2007 Darwin

Did this document help you?
Yes: Tell us what works for you. It’s good, but: Report typos, inaccuracies, and so forth. It wasn’t helpful: Tell us what would have helped.