audadmin(1M) DG/UX B2 Security R4.12MU02 audadmin(1M)
NAME
audadmin - perform audit administration functions
SYNOPSIS
audadmin -o start [-f trailfile ]
audadmin -o stop
audadmin -o switch -f trailfile
audadmin -o sysmask [alias | mask | -f aliasfile]
audadmin -o query [-c | -h]
audadmin -o settrail -f trailfile
audadmin -o flush
audadmin -o muststart [ on | off ]
audadmin -o mustaudit [ on | off ]
audadmin -o subjtuple -T tuplealias
audadmin -o objtuple -T tuplealias
audadmin -o subjfilter [ on | off ]
audadmin -o objfilter [ on | off ]
audadmin -o traillabel -M labelalias
where:
trailfile The name of the file to which audit records should be
written. If the trailfile is not an absolute pathname,
audadmin will ask you to confirm whether it is a pathname
relative to the current working directory, e.g.:
# cd /audit
# audadmin -o settrail -f trail1
Trailfile is /audit/trail1
Is this correct (y or n)?
alias An audit alias string
mask An audit mask string
aliasfile The name of the file from which to read an audit mask or alias
string.
tuplealias A MAC range tuple alias. The format of this alias is
described in the settuple(1M) man page.
labelalias A MAC label alias.
DESCRIPTION
The audadmin command performs the various audit administration
functions according to the operation chosen.
Options
-f Specify an alias file or a trail file.
-c Print the canonical form of the system audit mask instead of an
alias. For example:
chdir : (S,PS,CS)
+ mkdir : (S,PS,CS)
-h Print a hexadecimal dump of the audit mask instead of an alias.
-T Specify a MAC range tuple.
-M Specify a MAC label.
Operations
sysmask Set the system audit mask to the value specified. If the
command fails, the system audit mask will remain unchanged.
If the system audit mask is successfully changed, the new
mask becomes effective immediately. Thus events and reasons
specified in the new mask are audited for all existing
processes as well as for all future processes. Similarly,
any events or reasons turned off are no longer audited for
any existing processes, unless they are part of a per-
process audit mask.
start Turn on auditing. If a trailfile is given, audit records
will be written to trailfile. Otherwise, audit records
will go to the current trail file. If auditing is already
on, the command reports an error.
stop Stop auditing, write a trail tail record, then close the
current trail file. If auditing is already stopped, the
command reports an error.
switch Change trail files without stopping auditing. trailfile
becomes the new current trail file. This option can only
be used when auditing is on. If auditing is not currently
on, the command reports an error.
query Print the current state of the auditing system. It
indicates whether auditing is on, off, or stopped by the
system (due to an auditing failure), whether the system
will shut down upon a startup failure or upon an auditing
failure, what the current system audit mask is, what the
current trailspec is, the parameters associated with MAC
filtering and the default audit trail MAC label.
settrail Replace the current trailspec so that when auditing is
started, the new trailspec will be the current one. This
option can be used only when auditing is off. If auditing
is not currently off, the command reports an error.
flush Cause all in-memory audit records to be written to the
current audit trail file, ensuring that the file is up-to-
date. Normally, audit records are buffered in memory and
written to the trail file only when a buffer is filled or
auditing is stopped or switched to a new file. This option
should be used before invoking audprint on an active audit
trail file. This option can only be used when auditing is
on. If auditing is not currently on, the command reports
an error.
muststart Require auditing for startup or not. When on, any attempts
to bring the system out of single-user mode will fail if
auditing is not on.
mustaudit Require auditing at all times or not. When on, the system
will go to single-user mode if auditing cannot continue.
subjtuple Specify a MAC range tuple to be used for subject MAC
filtering. Only audit records for subjects with MAC labels
within this tuple will be included in the audit trail, if
subject MAC filtering is enabled.
objtuple Specify a MAC range tuple to be used for object MAC
filtering. Only audit records for events which accessed
objects with MAC labels within this tuple will be included
in the audit trail, if object MAC filtering is enabled.
subjfilter
Enable or disable the filtering of audit records to be
included in the audit trail based on the MAC label of the
subject involved.
objfilter Enable or disable the filtering of audit records to be
included in the audit trail based on the MAC label of the
objects involved in the event.
traillabel
Set the MAC label to be applied whenever a new audit trail
file is created. This MAC label is also applied if the
system has to create a new audit log. It does not apply to
any existing trail files.
Current Trail Specification
The system has the concept of a current trailspec. A trailspec
(audit trail specification) contains the trail file name and other
system information about the trail file. While auditing is on, the
current trailspec contains the trail filename to which the system is
writing audit records. When auditing is turned off, the current
trailspec remains unchanged, thus it will become the active trailspec
when auditing is turned on again if a new trailspec is not given.
The current trailspec will change under three conditions:
1. The settrail operation can be used while auditing is off so
that the current trailspec will be different when auditing is
turned back on.
2. The switch operation can be used while auditing is on.
3. Auditing can be started with a new trail file specified. For
more details, see Managing Security Auditing on the DG/UX
System.
EXAMPLES
To set the system audit mask to the alias "system":
audadmin -o sysmask system
To start auditing to the file /audit/trailA:
audadmin -o start -f /audit/trailA
To switch to the file /audit/trailB:
audadmin -o switch -f /audit/trailB
To stop auditing (after this, no more audit records will be collected
until auditing is restarted):
audadmin -o stop
To set the muststart flag to "on":
audadmin -o muststart on
All attempts to bring the system out of single-user mode will fail if
auditing is not on. If you use this option, make sure that
/etc/inittab is configured to start auditing.
To set the mustaudit flag to "off" (if auditing cannot continue, the
system will run without auditing):
audadmin -o mustaudit off
To print the audit system state:
# audadmin -o query
Auditing is OFF
Must start: OFF
Must audit: ON
System audit mask:
SYSTEM
filename: /audit/TrailB
Subject MAC range filtering is OFF
Object MAC range filtering is OFF
Audit subjects in range: -L USER_LO -H USER_LO
Audit objects in range: -L USER_LO -H USER_HI
Audit trail MAC label: ADMIN_AUDIT_DATA
#
Note that the last trail file name is preserved. If auditing is
restarted and no new trail file name is given, the current one,
/audit/TrailB, will be used.
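The following shell script is added here as an illustration and is not part of the original manual page. It picks the operation that is legal for the current audit state (switch while auditing is on, settrail while it is off), parsing the "Auditing is" line as printed in the query example above, and refuses a relative trail file so that the confirmation prompt cannot stall an unattended run. The AUDADMIN variable, the stub it allows, and the handling of any state other than ON or OFF are assumptions.

```shell
#!/bin/sh
# Added example, not part of the DG/UX audadmin(1M) page: choose the
# audadmin operation that is legal for the current audit state so a
# trail rotation never hits the "reports an error" cases (switch
# requires auditing ON, settrail requires it OFF). Only the
# "Auditing is ..." line of "audadmin -o query" is parsed; its wording
# for the stopped-by-system state is assumed and treated as "not ON".

# audit_state: read query output from stdin and print the word after
# "Auditing is" (ON, OFF, ...), or UNKNOWN if no such line is present.
audit_state() {
    state=$(awk '/^Auditing is/ { print $3; exit }')
    if [ -n "$state" ]; then
        printf '%s\n' "$state"
    else
        printf 'UNKNOWN\n'
    fi
}

# trail_op: print the operation for a new trail file given the state.
# A relative trailfile is refused: audadmin would stop to ask
# "Is this correct (y or n)?" and hang an unattended script.
trail_op() {
    state=$1
    trailfile=$2
    case $trailfile in
        /*) ;;
        *)  echo "trailfile must be an absolute pathname: $trailfile" >&2
            return 2 ;;
    esac
    case $state in
        ON)  echo switch ;;
        OFF) echo settrail ;;
        *)   echo "auditing state is $state; not changing trail" >&2
             return 1 ;;
    esac
}

# rotate_trail: query the audit state, pick the operation, apply it.
# AUDADMIN (assumed; default "audadmin") lets a stub stand in for the
# real command on a system that does not have it.
rotate_trail() {
    trailfile=$1
    state=$("${AUDADMIN:-audadmin}" -o query | audit_state)
    op=$(trail_op "$state" "$trailfile") || return $?
    "${AUDADMIN:-audadmin}" -o "$op" -f "$trailfile"
}
```

Run with the trail file as the only argument, e.g. `rotate_trail /audit/trailC`; the exit status is non-zero when no legal operation exists for the current state.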
FILES
/etc/tcb/audit/audit_mask_defs File of basic aliases for classes
and reasons
/etc/tcb/audit/audit_alias_defs File defining additional audit
aliases
/etc/inittab Script for init(1M)
DIAGNOSTICS
Exit status is 0 if successful, 1 on error.
SEE ALSO
audprint(1M), audselect(1M), init(1M), audit_alias_defs(4M),
audit_mask_defs(4M), inittab(4).
Managing Security Auditing on the DG/UX System.
Licensed material--property of copyright holder(s)