audit(1M) — sys5 — Apollo Domain/OS SR10.4
audit(1M)                       Domain/OS SysV                       audit(1M)




NAME
     audit - monitor event types on nodes and collect resulting audit log
     files

SYNOPSIS
     audit [general_option]

     general options:

        [-e[nable] [node...] [-l[ist]]]
        [-d[isable] [node...] [-l[ist]]]
        [-t[ypes] [event_list] [-n[ode] [node...]] [-l[ist]]]
        [-s[tatus] [node...]]
        [-fw [seconds] [node...] [-l[ist]]]
        [-c[ollect] -n[ode] [node...] [-reset | interval] [-size number [k | m | g]]
                       [-dir [path]] [-l[ist]]]


DESCRIPTION
     The audit command:

     ⊕  Enables or disables auditing on specified nodes

     ⊕  Defines event types to be monitored on audited nodes

     ⊕  Displays auditing status for specified nodes

     ⊕  Sets a forced write period for updating a node's audit log file

     ⊕  Collects log files from audited nodes on an ad-hoc or scheduled basis

   Audit Software
     The software for the Audit Subsystem is provided with the Domain/OS
     SR10.2 release tape, but must be installed explicitly.  It resides in the
     /etc/audit directory on each SR10.2 node.  Once it is installed, you must
     enable it on each node.

   Active Log Files
     For each occurrence of a defined event type, the Audit Subsystem writes a
     record to the audit log file. Each audited node maintains its active log
     file in the `node_data/audit directory.  Audit log file names start with
     the audit_log prefix.

   Collected Log Files
     When you collect a log file from a node (via the -collect option), the
     Audit Subsystem closes the active log file and moves it to a specified
     storage directory.  The filenames for collected log files take the form
     audit_log.date-time.node_id, where date-time is the date and time at
     which the log file was started (in yymmddhhmmss format) and node_id is
     the hexadecimal node ID of the node from which you collected the file.
     The audit_report command lets you dump collected log files in text form.
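
As an added example (not part of the Apollo manual), the following Python parses collected log file names of the form audit_log.date-time.node_id described above and summarizes a -dir storage directory by node; the directory listing and node IDs in it are constructed for illustration.

```python
# Added example: parse the names of audit log files collected by
# "audit -collect", which take the documented form
#     audit_log.<yymmddhhmmss>.<hex node id>
# and summarise a storage directory by node.  The sample listing below is
# constructed; the node IDs do not refer to real nodes.
import re
from collections import defaultdict
from datetime import datetime

# Names start with the audit_log prefix; the active (uncollected) log file has
# no date-time or node_id suffix, so only the collected form is matched here.
COLLECTED_RE = re.compile(r"^audit_log\.(\d{12})\.([0-9a-fA-F]+)$")


def parse_collected_name(name):
    """Return (start_time, node_id) for a collected log file name, or None.

    The date-time field is the time at which the log file was *started*,
    not the time it was collected, so consecutive files from one node
    carry strictly increasing stamps.
    """
    m = COLLECTED_RE.match(name)
    if m is None:
        return None
    stamp, node_hex = m.groups()
    try:
        started = datetime.strptime(stamp, "%y%m%d%H%M%S")
    except ValueError:        # e.g. month 13 or second 61: not a valid stamp
        return None
    return started, int(node_hex, 16)


def summarize_collection_dir(names):
    """Group collected log files by node, oldest start time first.

    Returns {node_id: [(start_time, file_name), ...]}.  Names that do not
    match the collected form (the active audit_log, stray files) are skipped,
    so a reviewer can spot gaps in a node's sequence of collected logs.
    """
    by_node = defaultdict(list)
    for name in names:
        parsed = parse_collected_name(name)
        if parsed is None:
            continue
        started, node_id = parsed
        by_node[node_id].append((started, name))
    for entries in by_node.values():
        entries.sort()
    return dict(by_node)


# Constructed sample listing of a storage directory passed to -dir.
SAMPLE_DIR = [
    "audit_log",                       # active log, not yet collected
    "audit_log.910311120000.1a2b",     # node 0x1a2b, started 1991-03-11 12:00:00
    "audit_log.910304120000.1a2b",     # same node, one week earlier
    "audit_log.910304233000.3c4d",     # node 0x3c4d
    "audit_log.911399000000.3c4d",     # malformed month, ignored
    "README",
]

if __name__ == "__main__":
    for node_id, entries in sorted(summarize_collection_dir(SAMPLE_DIR).items()):
        print("node %x:" % node_id)
        for started, name in entries:
            print("   %s  %s" % (started.isoformat(sep=" "), name))
```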

OPTIONS
     The audit command provides the following options:

     [-e[nable] [node...] [-l[ist]]]
               Activates the Audit Subsystem on one or more specified nodes.
               If you do not specify a node, the default is the current node.
               The -l[ist] argument displays the command's results for each
               specified node.  Actual auditing does not begin on a node until
               you define event types for that node (see the -types option).

     [-d[isable] [node...] [-l[ist]]]
               Deactivates the Audit Subsystem on one or more specified nodes.
               If you do not specify a node, the default is the current node.
               The -l[ist] argument displays the command's results for each
               specified node.

     [-t[ypes] [event_list] [-n[ode] [node...]] [-l[ist]]]
               Defines a list of event types and sends it to one or more
               specified nodes. If you do not specify a node, the default is
               the current node.  The -l[ist] argument displays the command's
               results for each specified node.  For event_list specify

               ⊕  The keyword none for no event types.  The none entry nulls
                  the event list already in effect on a node without disabling
                  auditing on the node.

               ⊕  The keyword all for all event types.  Use all with caution.
                  Monitoring all event types has a serious impact on a node's
                  performance and can produce a very large log file.

               ⊕  One or more event type names.  Separate multiple names with
                  spaces.  See "Event Types".

               ⊕  One or more event type category names.  Separate multiple
                  names with spaces.  Event type categories are groupings of
                  event types.  If you specify a category, you select all of
                  the event types within that category.  The following table
                  shows the five available categories.

               ⊕  The pathname of an ASCII file containing the event types and
                  categories to be defined.

                                     Event Type Categories
              _____________________________________________________________________
             | Category|  Description                                             |
             |_________|__________________________________________________________|
             | domain  |  Event types internal to the Domain/OS                   |
             |_________|__________________________________________________________|
             | login   |  Event types associated with log-in and log-out events   |
             |_________|__________________________________________________________|
             | pfm     |  Event types associated with signals and faults          |
             |_________|__________________________________________________________|
             | pgm     |  Event types associated with program execution           |
             |_________|__________________________________________________________|
             | pm      |  Event types associated with process creation and control|
             |_________|__________________________________________________________|

                  You can combine categories with individual event types from
                  other, nonspecified categories.
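
As an added example (not the manual's own tooling), the following Python expands an event_list as given to -types into the concrete set of event types, using the five categories above and the event type names listed under EVENT TYPES on this page; the pm category holds the names visible on this page, and the comment syntax for the ASCII file form is this example's convention.

```python
# Added example: expand an event_list (keywords, categories, event type names,
# or the contents of an ASCII file) into the event types it selects.  The
# keyword rules follow the manual; rejecting unknown names and the reverse
# lookup of categories from an event type are this example's additions.
CATEGORIES = {
    "domain": {
        "acquire_ct", "acquire_lpr", "acquire_mt", "area_map", "assign_disk",
        "audit_proc", "dir_add_baku", "dir_add_link", "dir_add_hard_link",
        "dir_add_name", "dir_change_name", "dir_create", "dir_delete",
        "dir_dismount", "dir_drop_link", "dir_drop_hard_link", "dir_drop_name",
        "dir_mount", "dir_resolve", "dir_set_def_prot", "dir_set_prot",
        "dismount_lv", "enter_subs", "file_lock", "file_set_prot", "ignore_proc",
        "mount_disk", "mount_lv", "name_set_ndir", "name_set_wdir", "null",
        "read_list", "reopen_log", "scsi_acquire", "set_sid", "start_audit",
        "stop_audit",
    },
    "login": {"login", "siologin", "siologout", "spmlogin"},
    "pfm": {"signal", "signal_pgroup"},
    "pgm": {"exec", "invoke", "inproc_up", "inproc_down"},
    # pm: the names visible on this page (the table is cut off after term).
    "pm": {"exit", "fork", "fork_child", "init", "invoke", "startup", "term"},
}
ALL_TYPES = set().union(*CATEGORIES.values())


def expand_event_list(event_list):
    """Return the sorted event type names selected by event_list.

    event_list is the whitespace-separated string given to -types.  Rules
    from the manual:
      none      -> nulls the list (auditing stays enabled, nothing is logged)
      all       -> every event type (heavy load, very large log file)
      category  -> every event type in that category
      name      -> that single event type
    Categories may be mixed with event types from other categories.
    Anything else raises ValueError so a typo never silently audits nothing.
    """
    tokens = event_list.split()
    if "none" in tokens:
        if len(tokens) != 1:
            # Assumption: none combined with other entries is a mistake,
            # since none nulls the list; reject rather than guess the intent.
            raise ValueError("none cannot be combined with other entries")
        return []
    selected = set()
    for token in tokens:
        if token == "all":
            selected |= ALL_TYPES
        elif token in CATEGORIES:
            selected |= CATEGORIES[token]
        elif token in ALL_TYPES:
            selected.add(token)
        else:
            raise ValueError("unknown event type or category: %r" % token)
    return sorted(selected)


def read_event_list_file(text):
    """Expand the contents of an ASCII file given as event_list.

    One or more entries per line; '#' comments and blank lines are ignored
    (this comment syntax is the example's convention, not the manual's).
    """
    tokens = []
    for line in text.splitlines():
        tokens.extend(line.split("#", 1)[0].split())
    return expand_event_list(" ".join(tokens))


def categories_of(event_type):
    """Categories that contain event_type.

    Note that invoke appears under both pgm (pgm_$invoke) and pm
    (pm_$invoke) on this page, so a bare 'invoke' selects one name that
    belongs to two categories.
    """
    return sorted(c for c, names in CATEGORIES.items() if event_type in names)


if __name__ == "__main__":
    print(expand_event_list("login pfm set_sid"))
    print(read_event_list_file("# logins and privilege changes\nlogin\nset_sid enter_subs\n"))
    print(categories_of("invoke"))
```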

     [-s[tatus] [node...]]
               Returns status information on one or more audited nodes.  If
               you do not specify a node, the default is the current node.

     [-fw [seconds] [node...] [-l[ist]]]
               Sets a forced write period (in seconds) for the log file on one
               or more audited nodes. If you do not specify a node, the
               default is the current node.  The forced write period controls
               how often the active memory version of the log file is written
               to disk.  The default forced write period is 120 seconds (two
               minutes).  The -l[ist] argument displays the command's results
               for each specified node.

     [-c[ollect] -n[ode] [node...] [-reset | interval] [-size number [k | m | g]]
                            [-dir [path]] [-l[ist]]]
               Collects audit log files from one or more specified nodes.  If
               you do not specify a node, the default is the current node.
               The Audit Subsystem moves the log file from each node to the
               directory specified by -dir path.  If you do not specify a
               directory, the Audit Subsystem closes the active log file but
               leaves it in the node's `node_data/audit directory.  The
               -l[ist] argument displays the command's results for each
               specified node.

               For ad-hoc (immediate) collection, do not specify -reset,
               interval, or -size.

               The -reset option cancels any scheduled collection interval in
               effect for the specified node(s).

               For scheduled automatic collection, specify interval using one
               or more of the following options:

               ⊕  [-time hh:mm:ss] to define the time of day at which to
                  collect the log file(s).  Specify time of day in standard
                  system time (24-hour clock).  Omitting the -time option
                  cancels the time of day currently in effect for the
                  specified node(s).

               ⊕  [-day day] to define the day of the week on which to collect
                  the log file(s).  Specify day as m (for Monday), tu (for
                  Tuesday), w (for Wednesday), th (for Thursday), f (for
                  Friday), sa (for Saturday), or su (for Sunday). Omitting the
                  -day option cancels the day of the week currently in effect
                  for the specified node(s).

               ⊕  [-period dd | hh:mm:ss] to define the period between
                  collections.  Specify the period as a number of days (dd) or
                  as a number of hours, minutes, and seconds (hh:mm:ss).  Use
                  a period of hours and minutes for any interval less than one
                  day (24 hours).  Omitting the -period option cancels the day
                  of the week currently in effect for the specified node(s).

               Note that you can also define a collection interval by
               combining time, day, and period, as shown in the following
               table.

                              Collection Interval Combinations
           _______________________________________________________________________
          | Combination          |  Results                                       |
          |______________________|________________________________________________|
          | time and day         |  Collection occurs weekly on the specified day |
          |                      |  at the specified time.                        |
          |______________________|________________________________________________|
          | time and period      |  Collection starts at the specified time on    |
          |                      |  the current day and occurs thereafter at      |
          |                      |  the specified period.                         |
          |______________________|________________________________________________|
          | day and period       |  Collection starts at the current time on the  |
          |                      |  next occurrence of the specified day and      |
          |                      |  occurs thereafter at the specified period.    |
          |______________________|________________________________________________|
          | time, day, and period|  Collection starts at the specified time on the|
          |                      |  next occurrence of the specified day and      |
          |                      |  occurs thereafter at the specified period.    |
          |______________________|________________________________________________|

               The -s[ize] option sets a maximum size for the log file(s) on
               the specified node(s).  Specify the size as an integer value.
               The default unit is bytes, but you can also specify
               k(ilobytes), m(egabytes), or g(igabytes).  When a log file
               reaches the specified size, it is collected immediately.  You
               can use this option in combination with interval to set a
               failsafe limit.  The Audit Subsystem still collects the log
               file at the next scheduled interval.
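
As an added example (not part of the Apollo manual), the following Python works out when the first scheduled collection lands and how often it repeats for each combination in the Collection Interval Combinations table, and converts a -size argument to bytes. Where the table leaves an edge open (a slot already past, a unit multiplier), the example's choice is marked as an assumption.

```python
# Added example: interpret the -time/-day/-period settings of "audit -collect"
# per the Collection Interval Combinations table, and a -size argument.
# Edge cases the table does not settle are marked as assumptions below.
from datetime import datetime, timedelta

# -day keywords as listed in the manual, mapped to datetime.weekday() numbers.
DAYS = {"m": 0, "tu": 1, "w": 2, "th": 3, "f": 4, "sa": 5, "su": 6}


def parse_period(text):
    """-period argument: 'dd' (days) or 'hh:mm:ss' for intervals under a day."""
    if ":" in text:
        h, m, s = (int(x) for x in text.split(":"))
        return timedelta(hours=h, minutes=m, seconds=s)
    return timedelta(days=int(text))


def parse_size(number, unit=None):
    """-size argument: an integer in bytes, or with k/m/g for larger units.

    Assumption: k, m and g are binary multiples (1024); the manual only
    names them as kilobytes, megabytes and gigabytes.
    """
    scale = {None: 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
    if unit not in scale or number < 0:
        raise ValueError("bad -size argument: %r %r" % (number, unit))
    return number * scale[unit]


def next_collection(now, time=None, day=None, period=None):
    """Return (first_run, repeat_seconds) for a -time/-day/-period combination.

    now     current clock as 'YYYY-MM-DD HH:MM:SS' (the table's "current
            day" and "current time")
    time    -time hh:mm:ss, or None
    day     -day keyword (m, tu, w, th, f, sa, su), or None
    period  -period dd or hh:mm:ss, or None
    Combinations not in the table raise ValueError.
    Assumption: a slot that is already past (or equal to now) is skipped,
    so "next occurrence" of a day never means a time earlier today.
    """
    now_dt = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    time_t = datetime.strptime(time, "%H:%M:%S").time() if time else None
    period_td = parse_period(period) if period else None
    if day is not None and day not in DAYS:
        raise ValueError("bad -day keyword: %r" % day)

    if day is not None and (time_t is not None or period_td is not None):
        # "time and day": weekly on the named day at the named time.
        # "day and period": current time-of-day on the next occurrence of day.
        # "time, day, and period": named time on the next occurrence of day.
        base = datetime.combine(now_dt.date(), time_t) if time_t else now_dt
        first = base + timedelta(days=(DAYS[day] - now_dt.weekday()) % 7)
        if first <= now_dt:
            first += timedelta(days=7)
        repeat = period_td if period_td is not None else timedelta(days=7)
    elif time_t is not None and period_td is not None:
        # "time and period": the named time today, then every period.
        first = datetime.combine(now_dt.date(), time_t)
        while first <= now_dt:
            first += period_td
        repeat = period_td
    else:
        raise ValueError("combination of -time/-day/-period not in the table")
    return first.strftime("%Y-%m-%d %H:%M:%S"), int(repeat.total_seconds())


if __name__ == "__main__":
    # Constructed clock: Monday 1991-03-04 12:00:00.
    now = "1991-03-04 12:00:00"
    print(next_collection(now, time="08:00:00", day="m"))
    print(next_collection(now, time="18:00:00", period="06:00:00"))
    print(next_collection(now, day="su", period="1", time="02:00:00"))
    print(parse_size(4, "m"), "bytes")
```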

EVENT TYPES
     The following tables list the event types by category. A description is
     provided for each supported event type.


                                 Domain Event Types
         ___________________________________________________________________
        | Event Type         |  Indicates that ...                          |
        |____________________|______________________________________________|
        | acquire_ct         |  A process has requested exclusive access    |
        |                    |  to the cartridge tape device on the node.   |
        |____________________|______________________________________________|
        | acquire_lpr        |  A process has requested access to a line    |
        |                    |  printer device.  This event type occurs     |
        |                    |  only on SAU3-type machines.                 |
        |____________________|______________________________________________|
        | acquire_mt         |  A process has requested exclusive access    |
        |                    |  to a magnetic tape device.  This event      |
        |                    |  type occurs only on multibus machines.      |
        |____________________|______________________________________________|
        | area_map           |  An area has been mapped by a process        |
        |                    |  other than the owning process.  Note that   |
        |                    |  an area is a special type of temporary      |
        |                    |  object that is not part of the file         |
        |                    |  system, but is a creation of the virtual    |
        |                    |  memory (VM) system alone.                   |
        |____________________|______________________________________________|
        | assign_disk        |  A process has requested block access to a   |
        |                    |  disk device through a nonpublic             |
        |                    |  library/kernel call.  Successful            |
        |                    |  assignment of a disk gives the caller       |
        |                    |  complete access to its contents by          |
        |                    |  specifying a block number (daddr).          |
        |                    |  Commands that use this type of access       |
        |                    |  include salvol, invol, and calendar.        |
        |____________________|______________________________________________|
        | audit_proc         |  The audit process has received a command    |
        |                    |  to start auditing of the calling process.   |
        |____________________|______________________________________________|
        | dir_add_baku       |  A process has requested generation of a     |
        |                    |  '.bak' file.  If there is an existing       |
        |                    |  '.bak' file, it is overwritten by the       |
        |                    |  new '.bak' file.                            |
        |____________________|______________________________________________|
        | dir_add_link       |  A process has requested the creation or     |
        |                    |  replacement of a soft link.                 |
        |____________________|______________________________________________|
        | dir_add_hard_link  |  A process has requested the creation or     |
        |                    |  replacement of a hard link.                 |
        |____________________|______________________________________________|
        | dir_add_name       |  A process has requested that a pathname     |
        |                    |  be cataloged in the file system, in         |
        |                    |  association with object creation.           |
        |                    |  Note that Domain allows objects to be       |
        |                    |  created without their being cataloged.      |
        |                    |  Temporary objects are the most common       |
        |                    |  example of this class of object.            |
        |____________________|______________________________________________|
        | dir_change_name    |  A process has requested that the leaf       |
        |                    |  of an object be changed (for example, by    |
        |                    |  issuing the chn command).                   |
        |____________________|______________________________________________|
        | dir_create         |  A process has requested the creation of     |
        |                    |  a directory, usually via a /bin/mkdir       |
        |                    |  or /com/crd command.                        |
        |____________________|______________________________________________|
        | dir_delete         |  A process has requested the deletion        |
        |                    |  of a directory.                             |
        |____________________|______________________________________________|
        | dir_dismount       |  A process has requested that a              |
        |                    |  directory be dismounted from the Domain     |
        |                    |  file system, usually via the dmtvol or      |
        |                    |  umount command.                             |
        |____________________|______________________________________________|
        | dir_drop_link      |  A process has requested the deletion of     |
        |                    |  an existing soft link.                      |
        |____________________|______________________________________________|
        | dir_drop_hard_link |  A process has requested the deletion        |
        |                    |  of an existing hard link.                   |
        |____________________|______________________________________________|
        | dir_drop_name      |  A process has requested the removal of a    |
        |                    |  pathname from the Domain file system,       |
        |                    |  usually by deleting an object.              |
        |____________________|______________________________________________|
        | dir_mount          |  A process has requested that a              |
        |                    |  directory be mounted in the Domain          |
        |                    |  file system, usually in association with    |
        |                    |  a disk mount.                               |
        |____________________|______________________________________________|
        | dir_resolve        |  The auditor wishes to log a UID-name        |
        |                    |  pair for all dir_$resolve resolutions that  |
        |                    |  eventually point to file system objects     |
        |                    |  on the audited system.  Specify this event  |
        |                    |  type to return the full path names of       |
        |                    |  files accessed, protected, and so forth.    |
        |____________________|______________________________________________|
        | dir_set_def_prot   |  A process has requested that one or both    |
        |                    |  of the initial default protections on a     |
        |                    |  directory be modified.                      |
        |____________________|______________________________________________|
        | dir_set_prot       |  A process has requested that the actual     |
        |                    |  protections on a directory be modified.     |
        |____________________|______________________________________________|
        | dismount_lv        |  A process has requested that a logical      |
        |                    |  volume be released and its contents made    |
        |                    |  unavailable through the Domain file         |
        |                    |  system.                                     |
        |____________________|______________________________________________|
        | enter_subs         |  A process has attempted to gain the         |
        |                    |  privileges of a protected subsystem         |
        |                    |  manager, by issuing a call to the           |
        |                    |  ACL_$UP kernel SVC.  The name of the        |
        |                    |  protected subsystem is provided in          |
        |                    |  the event data.                             |
        |____________________|______________________________________________|
        | file_lock          |  A process has requested access to an        |
        |                    |  object.  The lock type indicates the        |
        |                    |  type of access (r,w,x) attempted.  Note     |
        |                    |  that an object lock request does not        |
        |                    |  guarantee that an access will actually      |
        |                    |  be attempted.                               |
        |____________________|______________________________________________|
        | file_set_prot      |  A process has requested that the actual     |
        |                    |  protections on a file be modified.          |
        |____________________|______________________________________________|
        | ignore_proc        |  The audit process has received a            |
        |                    |  command to cease auditing of the            |
        |                    |  calling process.                            |
        |____________________|______________________________________________|
        | mount_disk         |  A process has requested that a file         |
        |                    |  system on a disk volume be made             |
        |                    |  available.  The request can occur via       |
        |                    |  the /com/mount or /etc/mount command        |
        |                    |  or via a user-callable (but not             |
        |                    |  public) library/kernel call.                |
        |____________________|______________________________________________|
        | mount_lv           |  A process has requested a mount of a        |
        |                    |  logical volume on a disk.  If the           |
        |                    |  request is successful, the logical          |
        |                    |  volume is made available via the            |
        |                    |  Domain file system.                         |
        |____________________|______________________________________________|
        | name_set_ndir      |  A process has issued a request to change    |
        |                    |  its naming directory.  The UID of the new   |
        |                    |  naming directory is recorded in the log     |
        |                    |  entry.                                      |
        |____________________|______________________________________________|
        | name_set_wdir      |  A process has issued a request to change    |
        |                    |  its working directory.  The UID of the new  |
        |                    |  working directory is recorded in the log    |
        |                    |  entry.                                      |
        |____________________|______________________________________________|
        | null               |  A null has been used as a filler at         |
        |                    |  the end of a segment.  The null             |
        |                    |  contains no security-relevant               |
        |                    |  information.                                |
        |____________________|______________________________________________|
        | read_list          |  The audit process has received a            |
        |                    |  control command to read the contents        |
        |                    |  of the `node_data/audit/audit_list          |
        |                    |  file.  This usually indicates a             |
        |                    |  change in the event types to be             |
        |                    |  audited or a change in some control         |
        |                    |  information for the audit process.          |
        |____________________|______________________________________________|
        | reopen_log         |  The audit process has been directed         |
        |                    |  to open a new log file.  If a               |
        |                    |  current log file exists, the audit          |
        |                    |  process appends any additional              |
        |                    |  audit data to it and closes it              |
        |                    |  before opening the new log file.            |
        |____________________|______________________________________________|
        | scsi_acquire       |  A process has requested exclusive           |
        |                    |  access to a SCSI bus device, which          |
        |                    |  may be a disk, tape, or other               |
        |                    |  device type.                                |
        |____________________|______________________________________________|
        | set_sid            |  A process has made a call to the            |
        |                    |  kernel routine that changes the             |
        |                    |  subject identifier of a process.            |
        |                    |  The process has done one of the             |
        |                    |  following:                                  |
        |                    |  ⊕ Changed the identity of the               |
        |                    |    user associated with it                   |
        |                    |  ⊕ Executed a set[uid,gid] program           |
        |                    |  ⊕ Entered or left a protected               |
        |                    |    subsystem                                 |
        |                    |  Events of this type are usually             |
        |                    |  generated by a user's logging in            |
        |                    |  or out.                                     |
        |____________________|______________________________________________|
        | start_audit        |  The audit process has received              |
        |                    |  a command to start auditing on              |
        |                    |  this node.                                  |
        |____________________|______________________________________________|
        | stop_audit         |  The audit process has received              |
        |                    |  a command to cease auditing on              |
        |                    |  this node.                                  |
        |____________________|______________________________________________|


                                 Login Event Types
                 _________________________________________________
                | Event Type|  Indicates that ...                 |
                |___________|_____________________________________|
                | login     |  A call has been made to the login  |
                |           |  library, either to the             |
                |           |  login_$full_login or               |
                |           |  login_$chk_login routine.  These   |
                |           |  routines provide the major         |
                |           |  interface to the distributed       |
                |           |  registry and are used to identify  |
                |           |  and validate users.  An event of   |
                |           |  this type can occur when a user    |
                |           |  attempts to log in to the display  |
                |           |  manager or a window.  An event of  |
                |           |  this type may also be              |
                |           |  associated with an event of the    |
                |           |  spmlogin or siologin type.  An     |
                |           |  event of this type is recorded     |
                |           |  by the login library routines.     |
                |___________|_____________________________________|
                | siologin  |  A user has attempted to log in     |
                |           |  to a node via a serial I/O line.   |
                |           |  The data provided with the event   |
                |           |  record identifies the line         |
                |           |  involved.  An event of this type   |
                |           |  is recorded by the siologin        |
                |           |  program and may be associated      |
                |           |  with an event of the login type.   |
                |___________|_____________________________________|
                | siologout |  A login session initiated from a   |
                |           |  serial I/O line has terminated.    |
                |           |  An event of this type is recorded  |
                |           |  by the siologin program.           |
                |___________|_____________________________________|
                | spmlogin  |  A user has attempted to log in to  |
                |           |  a node via the Server Process      |
                |           |  Manager (SPM).  The data provided  |
                |           |  with the event record identifies   |
                |           |  the node from which the login was  |
                |           |  attempted.  An event of this type  |
                |           |  is recorded by the spmlogin        |
                |           |  program and may be associated with |
                |           |  an event of the login type.        |
                |___________|_____________________________________|


                                  PFM Event Types
              ______________________________________________________
              | Event Type   |  Indicates that ...                  |
              |______________|______________________________________|
             | signal       |  A process has attempted to send a   |
             |              |  signal, either to itself or to      |
             |              |  another process.  The event data    |
             |              |  includes the signal value, the      |
             |              |  fault status value, and the PID     |
             |              |  of the target process.              |
             |______________|______________________________________|
              | signal_pgroup|  A process has attempted to send     |
             |              |  a signal to a process group.  The   |
             |              |  event data includes the signal      |
             |              |  value, the fault status value, and  |
              |              |  the GID of the target process group.|
              |______________|______________________________________|


                                  PGM Event Types
                __________________________________________________
                | Event Type |  Indicates that ...                |
                |____________|____________________________________|
               | exec       |  An exec call has been attempted.  |
               |            |  If an error occurs before the     |
               |            |  system makes the call, a non-zero |
               |            |  status appears in the event       |
               |            |  record.  A successful exec call   |
               |            |  is recorded when the system has   |
               |            |  committed to making the exec      |
               |            |  call, but BEFORE the call is      |
               |            |  actually made.  The event data    |
               |            |  includes the arguments to the     |
               |            |  exec'd program.                   |
               |____________|____________________________________|
               | invoke     |  A call has been made to the       |
               |            |  pgm_$invoke library routine.      |
               |            |  This routine is used for both     |
               |            |  execs and forks.  The event       |
               |            |  data includes the input           |
                |            |  arguments to the invoked program. |
                |____________|____________________________________|
               | inproc_up  |  A call has been made to the       |
               |            |  pgm_$invoke library routine.      |
               |            |  As a result of the call, a        |
               |            |  program is executed in the        |
               |            |  current process and then          |
               |            |  returns to the current            |
               |            |  environment.  An event of         |
               |            |  this type is recorded before      |
               |            |  the process level is actually     |
               |            |  incremented and the new           |
               |            |  program loaded and executed.      |
               |            |  The event data identifies the     |
               |            |  program to be executed and any    |
               |            |  input arguments.                  |
               |____________|____________________________________|
               | inproc_down|  A call has been made to the       |
               |            |  pgm_$invoke library routine.      |
               |            |  An event of this type is          |
               |            |  recorded after the process        |
               |            |  has executed and the process      |
               |            |  level has been decremented.       |
               |            |  The event data identifies the     |
               |            |  program executing at the new      |
                |            |  level and any input arguments.    |
                |____________|____________________________________|


                                  PM Event Types
                 ________________________________________________
                 | Event Type|  Indicates that ...               |
                 |___________|___________________________________|
                | exit      |  Process 1 is terminating and     |
                |           |  the system is shutting down to   |
                |           |  at least the boot shell level.   |
                |___________|___________________________________|
                | fork      |  A process has made a fork call.  |
                |           |  An event of this type is         |
                |           |  recorded by the parent process.  |
                |           |  The event data includes the      |
                |           |  PID, PPID, and PGID of the       |
                |           |  parent process and the PID of    |
                |___________|__the_child_process._______________|
                | fork_child|  A new child process has been     |
                |           |  vforked.  An event of this type  |
                |           |  is recorded by the new child     |
                |           |  process as it returns from the   |
                |           |  pm_$vfork routine.               |
                |___________|___________________________________|
                | init      |  A new process has called         |
                |           |  pm_$init to start its first      |
                |           |  routine.The event data includes  |
                |           |  the PID, PPID, and PGID of the   |
                |___________|__calling_process._________________|
                | invoke    |  A new process has called         |
                |           |  pm_$invoke to invoke a           |
                |           |  program.  The event data         |
                |           |  includes the PID, PPID,          |
                |           |  and PGID of the parent           |
                |           |  process.                         |
                |___________|___________________________________|
                | startup   |  An entry has been made           |
                |           |  into process 1, indicating       |
                |           |  that the system is booting       |
                |___________|__to_a_multiuser_mode._____________|
                | term      |  A process has terminated.        |
                |           |  The event data includes the      |
                |           |  PID, PPID, and PGID of the       |
                |           |  process.                         |
                |___________|___________________________________|
                                                                  (Continued)


                 _________________PM_Event_Types_________________
                | Event Type |  Indicates that ...              |
                |____________|__________________________________|
                | vfork      |  A process has made a vfork      |
                |            |  call.  A vfork is a `fast'      |
                |            |  fork and is used for a child    |
                |            |  process that is expected to     |
                |            |  execute or die immediately.     |
                |            |  An event of this type is        |
                |            |  recorded by the parent          |
                |            |  process.  The event data        |
                |            |  includes the PID, PPID, and     |
                |            |  PGID of the parent process      |
                |            |  and the PID of the child        |
                |____________|__process.________________________|
                | vfork_child|  A new child process has been    |
                |            |  vforked.  An event of this type |
                |            |  is recorded by the new child    |
                |            |  process as it returns from the  |
                |            |  pm_$vfork routine.              |
                |____________|__________________________________|
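
     The PM events above carry enough identifiers (PID, PPID, PGID, and the
     child PID on fork and vfork) to rebuild the process tree of an audited
     node and to pair each parent-side fork/vfork record with its child-side
     fork_child/vfork_child record.  The following is an added example and is
     not code from this page or from Domain/OS.  The page does not document
     the on-disk record layout or the audit_report output format, so the
     example assumes a constructed whitespace-separated form
     (seq event_type key=value ...) and constructed sample records; any real
     collected log would first have to be converted into that shape.

```python
"""Correlate Domain/OS PM audit events into a process tree.

Added example; not part of the audit(1M) page.  The record layout below is
an assumption: "<seq> <event_type> key=value ...", one record per line.
"""
from collections import defaultdict

# Constructed sample records (not real audit_log contents).  Record 8 is a
# fork whose child never produced a fork_child record.
SAMPLE_RECORDS = """\
1 startup
2 init pid=5 ppid=1 pgid=5
3 fork pid=5 ppid=1 pgid=5 child=12
4 fork_child pid=12 ppid=5 pgid=5
5 vfork pid=12 ppid=5 pgid=5 child=13
6 vfork_child pid=13 ppid=12 pgid=5
7 term pid=13 ppid=12 pgid=5
8 fork pid=5 ppid=1 pgid=5 child=14
9 term pid=12 ppid=5 pgid=5
"""

PARENT_SIDE = ("fork", "vfork")
CHILD_SIDE = ("fork_child", "vfork_child")


def parse_records(text):
    """Parse the assumed record form into dicts: {'seq', 'type', <int fields>}."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        seq, etype, *fields = line.split()
        rec = {"seq": int(seq), "type": etype}
        for item in fields:
            key, _, value = item.partition("=")
            rec[key] = int(value)
        records.append(rec)
    return records


def build_process_tree(records):
    """Map each parent PID to the set of child PIDs it forked or vforked."""
    tree = defaultdict(set)
    for rec in records:
        if rec["type"] in PARENT_SIDE:
            tree[rec["pid"]].add(rec["child"])
    return dict(tree)


def unmatched_forks(records):
    """Child PIDs announced by a parent-side record with no child-side record.

    A gap here means a lost or not-yet-collected record, or a child that
    never ran; either way it deserves a look before trusting the tree.
    """
    announced, confirmed = set(), set()
    for rec in records:
        if rec["type"] in PARENT_SIDE:
            announced.add(rec["child"])
        elif rec["type"] in CHILD_SIDE:
            confirmed.add(rec["pid"])
    return sorted(announced - confirmed)


def live_processes(records):
    """PIDs proven to have started (init or child-side record) with no term."""
    started, terminated = set(), set()
    for rec in records:
        if rec["type"] == "init" or rec["type"] in CHILD_SIDE:
            started.add(rec["pid"])
        elif rec["type"] == "term":
            terminated.add(rec["pid"])
    return started - terminated


def lineage(records, pid):
    """Follow ppid links from any record mentioning the PID back toward process 1."""
    parent_of = {}
    for rec in records:
        if "ppid" in rec:
            parent_of[rec["pid"]] = rec["ppid"]
    chain = [pid]
    while chain[-1] in parent_of:
        parent = parent_of[chain[-1]]
        if parent in chain:  # defensive: stop on a cycle in corrupt data
            break
        chain.append(parent)
    return chain


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("process tree:", build_process_tree(recs))
    print("unmatched forks:", unmatched_forks(recs))
    print("live processes:", sorted(live_processes(recs)))
    print("lineage of 13:", lineage(recs, 13))
```

     Only child-side records count as proof that a process ran, so a fork
     whose child-side record is missing (PID 14 in the sample) shows up in
     unmatched_forks rather than in live_processes.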


EXAMPLES
     The following examples illustrate how the audit options work:

     ⊕  To activate the Audit Subsystem on the auditor node (//my_node) and on
        three audited nodes:

        $ audit -enable //my_node //node1 //node2 //node3


     ⊕  To send an event list consisting of the pm and login event type
        categories to two audited nodes:

        $ audit -types pm login -node //node1 //node3


     ⊕  To return auditing status for one audited node:

        $ audit -status //node1


     ⊕  To set a forced write period of 30 seconds for the log file on an
        audited node:

        $ audit -fw 30 //node3


     ⊕  To perform ad-hoc log file collection from two audited nodes and move
        the files to the /log_store directory on the auditor node (//my_node):

        $ audit -collect -node //node1 //node2 -dir //my_node/log_store


     ⊕  To schedule automatic log file collection for two nodes for 3:30 a.m.
        on Sunday, using the /log_store directory on the auditor node
        (//my_node) as the storage directory:

        $ audit -collect -node //node3 //node4 -dir //my_node/log_store
                  -time 3:30 -day su


     ⊕  To deactivate the Audit Subsystem on an audited node and display the
        results:

        $ audit -disable //node2 -list


SEE ALSO
     audit_report

     audit_daemon

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026