audadmin(1M) C2 Trusted DG/UX 5.4.2T audadmin(1M)
NAME
audadmin - perform audit administration functions
SYNOPSIS
audadmin -o sysmask [alias | mask | -f aliasfile]
audadmin -o start [-f trailfile ]
audadmin -o stop
audadmin -o switch -f trailfile
audadmin -o query [-c | -h]
audadmin -o settrail -f trailfile
audadmin -o flush
audadmin -o muststart [ on | off ]
audadmin -o mustaudit [ on | off ]
where:
trailfile
is the name of the file to which audit records should be
written.
alias is an audit alias string.
mask is an audit mask string.
aliasfile
is the name of the file from which to read an audit mask or alias
string.
DESCRIPTION
The audadmin command performs the various audit administration
functions according to the operation chosen. The options and
operations are:
sysmask
This option sets the system audit mask. The value following
sysmask can be a mask string, an alias string, or -f followed
by the name of a file containing a mask or an alias string.
The system audit mask will be set to the value given. If the
command fails, the system audit mask will remain unchanged.
start This turns on auditing. If a trailfile is given, audit
records will be written to trailfile. Otherwise, audit
records will go to the current trail file. If auditing is
already on, the command reports an error. If the trailfile is
not an absolute pathname, the system will ask for confirmation
to assume the trailfile pathname is relative to the current
working directory.
stop This option stops auditing, writes a trail tail record, then
closes the current trail file. If auditing is already
stopped, the command reports an error.
switch This changes trail files without stopping auditing. trailfile
becomes the new current trail file. This option can only be
used when auditing is on. If auditing is not currently on,
the command reports an error.
query This prints the current state of the auditing system. It
indicates whether auditing is on, off, or stopped by the
system (due to an auditing failure), whether the system will
shut down upon a startup failure or upon an auditing failure,
what the current system audit mask is and what the current
trailspec is. If the -c option is included, the canonical
form of the system audit mask will be printed instead of an
alias. For example:
chdir : (S,PS,CS)
+ mkdir : (S,PS,CS)
If the -h option is included, a hex dump of the audit mask
will be printed instead of an alias. (The -c and -h options
are mutually exclusive.)
settrail
Replaces the current trailspec so that when auditing is
started, the new trailspec will be the current one. This
option can be used only when auditing is off. If auditing is
not currently off, the command reports an error.
flush This option will cause all in-memory audit records to be
written to the current audit trail file, ensuring that the
file is up-to-date. Normally, audit records are buffered in
memory and written to the trail file only when a buffer is
filled or auditing is stopped or switched to a new file. This
option should be used before invoking audprint on an active
audit trail file. This option can only be used when auditing
is on. If auditing is not currently on, the command reports
an error.
muststart
This option requires the on or off parameter. When on, any
attempts to bring the system out of single-user mode will fail
if auditing is not on.
mustaudit
This option requires the on or off parameter. When on, the
system will go to single-user mode if auditing cannot
continue.
The system has the concept of a current trailspec. A
trailspec (audit trail specification) contains the trail file
name and other system information about the trail file. While
auditing is on, the current trailspec contains the trail
filename to which the system is writing audit records. When
auditing is turned off, the current trailspec remains
unchanged; it therefore becomes the active trailspec when
auditing is turned on again if a new trailspec is not given.
The current trailspec will change under three conditions.
One, the settrail operation can be used while auditing is off
so that the current trailspec will be different when auditing
is turned back on. Two, the switch operation can be used
while auditing is on. Three, auditing can be started with a
new trail file specified. See the Audit System
Administrator's Guide for more details.
EXAMPLES
# audadmin -o sysmask system
Set the system audit mask to the alias "system".
# audadmin -o start -f /audit/trailA
Start auditing to the file /audit/trailA.
# audadmin -o switch -f /audit/trailB
Switch to the file /audit/trailB.
# audadmin -o stop
Stop auditing. After this, no more audit records will be collected
until auditing is restarted.
# audadmin -o muststart on
Set the muststart flag to "on." All attempts to bring the system out
of single-user mode will fail if auditing is not on. If you use this
option, make sure that /etc/inittab is configured to start auditing.
# audadmin -o mustaudit off
Set the mustaudit flag to "off." If auditing cannot continue, the
system will run without auditing.
# audadmin -o query
Auditing is OFF
Must start: OFF
Must audit: ON
System audit mask: SYSTEM
Filename: /audit/TrailB
Print the audit system state. Note that the last trail file name is
preserved. If auditing is restarted and no new trail file name is
given, the current one, /audit/TrailB, will be used.
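The query output above can be checked mechanically for a fail-open audit configuration. The following script is an added example, not part of the original manual page or the DG/UX distribution; its function names are hypothetical, the field labels come from the sample output above, and the spelling "Auditing is ON" for the running state is an assumption.

```shell
#!/bin/sh
# Added example, not part of the DG/UX distribution.
# Field labels are taken from the sample query output in EXAMPLES; the
# spelling "Auditing is ON" for the running state is an assumption.

# Reads `audadmin -o query` output on stdin, prints one finding per line.
# Returns 0 when there are no findings, 1 otherwise.
check_audit_state() {
    awk '
        /^[ \t]*Auditing is /  { state = $3 }
        /^[ \t]*Must start:/   { muststart = $3 }
        /^[ \t]*Must audit:/   { mustaudit = $3 }
        /^[ \t]*Filename:/     { trail = $2 }
        END {
            n = 0
            if (state != "ON") {
                print "auditing is not on (reported state: " state ")"; n++
            }
            if (muststart != "ON") {
                print "muststart is off: multi-user mode is reachable without auditing"; n++
            }
            if (mustaudit != "ON") {
                print "mustaudit is off: system keeps running if auditing cannot continue"; n++
            }
            if (trail == "") {
                print "no trail file reported"; n++
            }
            exit (n > 0)
        }'
}

# Constructed sample: the query output shown in EXAMPLES.
page_sample() {
    cat <<'EOF'
Auditing is OFF
Must start: OFF
Must audit: ON
System audit mask: SYSTEM
Filename: /audit/TrailB
EOF
}

# On a live system: audadmin -o query | check_audit_state
page_sample | check_audit_state || echo "audit configuration needs attention"
```

Any state other than ON, including auditing stopped by the system after a failure, is reported as a finding.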
FILES
/etc/tcb/audit/auditmaskdefs File of basic aliases for classes and
reasons.
/etc/tcb/audit/auditaliasdefs File defining additional audit
aliases.
/etc/inittab Script for init(1M).
DIAGNOSTICS
Exit status is 0 if successful, 1 on error.
SEE ALSO
audprint(1M), audselect(1M), auditaliasdefs(4M),
auditmaskdefs(4M), init(1M), inittab(4).
Audit System Administrator's Guide for the C2 Trusted DG/UX System.
Licensed material--property of copyright holder(s) 4