Museum

Home

Lab Overview

Retrotechnology Articles

⇒ Online Manual

Media Vault

Software Library

Restoration Projects

Artifacts Sought

Related Articles

audcntl(2)

auditmask(8)

Name

auditmask − get or set system-call event and trusted-event audit masks

Syntax

auditmask [ event[:’succeed’:’fail’] | -f[ull] | -n[one] ]

Description

The auditmask command with no arguments displays the system-calls and trusted-events currently being audited for the system, and displays whether they are being audited under successful or failed occurrences or both.  The format used for the display is acceptable as input to the auditmask command.

The auditmask command with arguments sets the system-call and trusted-event audit masks for the system.  This is cumulative operation, so it is possible to turn on or off audit for one set of events, then turn on or off audit for a second set of events without changing the first set of events (except for intersection between the two sets). Command line arguments to auditmask can include one or more events, each with an optional field :’succeed’:’fail’, where ’succeed’ is either 0 to specify no auditing of successful occurrences of event, or 1 to specify auditing of successful occurrences of event; and ’fail’ is either 0 to specify no auditing of failed occurrences of event or 1 to specify auditing of failed occurrences of event.  The event name is either the system-call name or the trusted-event name (see audit.h).

The auditmask command will also accept redirected input, which can be the output of a previously issued auditmask command.  This is a file which contains lines of the format "event [succeed] [fail]".  If "succeed" is present, successful occurrences of that event will be audited; if "fail" is present", failed occurrences of that event will be audited; if both are present, successful and failed occurrences will be audited; if neither is present, that event will not be audited.

The auditmask command is used in /etc/rc.local to initialize the audit mask at boot time according to the file /etc/sec/audit_events. This makes use of privileged operations within the audcntl() system call.

Options

−fTurns on full auditing for the system.  This list may include events for X or events which are represented by a number (reserved for future use); these events will not be audited, despite their presence in the auditmask. 

−nTurns off all auditing for the system. 

See Also

audcntl(2)

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026