⇒ audit_alias(4) — Motorola System V 88k Release 4 Version 4.3

audit_alias(4)  —  FILE FORMATS

NAME

audit_aliases − audit system alias definition file

SYNOPSIS

#include <sys/audit.h>
#include <aualias.h>

DESCRIPTION

/var/security/audit_aliases describes aliases used in /var/security/aumask.  This information is used by login(1) (via a_create_mask(3)) to specify the events to be audited for each user. 

An event is a command or system call that performs an action that is recorded.  Reasons for an audit event are as follows:

Event success

Event failure, which includes the following:

   DAC failure
   Privilege failure (user is not root)

Covert channel use

Other events

Whether to record successes and failures can be specified for each event class and for each reason (see audit_sys(5) and audit(4)). 

The format of the information in /var/security/audit_aliases is

alias_name: identifier1, identifier2, ...

where alias_name is an identifying name for the following list of classes to be audited, and identifier is either the name of another audit alias (providing for multiple levels of abstraction) or a string of the form

r{class1, class2, ...}

where r is a reason for an audit followed by a set of classes enclosed in braces, { }, and class# is the class name of a group of similar commands or system calls.  Multiple classes are separated by commas.  If no classes are specified, the effect will be equivalent to specifying all classes. 

The reason code r is a single letter specifying the type of reason.  It can be any one of the following:

   s Successful

   d DAC failure

   c Covert channel

   p Privilege failure

   o Other

audit(4) gives a list of reasons and classes for all commands and system calls. 

The audit_aliases file is provided for use by a_create_mask(3) and getaaent(3) and associated routines. 

Lines beginning with white space are continuation lines.  Lines beginning with a pound sign (#) are comments. 

Alias names are composed of uppercase and lowercase characters, digits, and the underscore.  The maximum number of characters in an alias name is 45 (as defined by MAX_ALIAS_LEN in <sys/audit.h>). 

The aualias structure is defined in the <aualias.h> header file as follows:

struct aualias
{
        char *aa_name;
        char *aa_aualias;
};

EXAMPLES

open_alias:  s{open}, d{open}
Specifies audit on success for the open class or on a DAC failure for the open class. 

success: s{open,fork,exec,link}
Specifies audit on successful open, fork, exec, or link classes. 

dac_fail: d{chdir}
Specifies audit on DAC failures for the chdir class. 

other: o{ }
Specifies audit on all "other" events.

genuser: p{mount}, d{open,link}, s{open, fork, exec, link}
Specifies a general user set of audits.  In this example, audit would occur on privilege failures for mounting file systems; DAC failure for opening or linking files; and success for open, fork, exec, and link classes.  This alias would be referenced in /var/security/aumask on a per-user basis. 

specuser: other,d{open,chown},success
Specifies audit on all "other" events (as defined by the alias other), on DAC failure of open or chown classes, and on certain types of successes (as defined by the alias success). 
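
The format described above can be checked mechanically before an alias is referenced from /var/security/aumask. The following Python code is an added example, not part of the original manual page and not the system's a_create_mask(3) or getaaent(3) routines: it parses audit_aliases text and expands nested aliases into (reason, class) pairs, rejecting bad names, unknown reason codes, undefined aliases and alias cycles. The function names, the "*" marker for an empty class set, and the trailing comma before the continuation line in the sample are assumptions.

```python
import re

ALL = "*"  # marker chosen here for an empty class set, i.e. all classes
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,45}$")  # MAX_ALIAS_LEN is 45
ITEM_RE = re.compile(r"\s*(?:([sdcpo])\{([^{}]*)\}|([A-Za-z0-9_]+))\s*(?:,|$)")

# Constructed sample: entries from EXAMPLES plus a comment and a continuation line.
SAMPLE = ("# per-user audit aliases\n"
          "success: s{open,fork,exec,link}\n"
          "other: o{ }\n"
          "specuser: other,d{open,chown},\n"
          "    success\n")

def parse_aliases(text):
    """Return {alias_name: [identifier, ...]} from audit_aliases text."""
    logical = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and line.strip() and logical:
            logical[-1] += " " + line.strip()  # continuation of previous entry
        elif line.strip() and not line.startswith("#"):
            logical.append(line.strip())
    aliases = {}
    for entry in logical:
        name, sep, body = (p.strip() for p in entry.partition(":"))
        if not sep or not NAME_RE.match(name):
            raise ValueError(f"bad alias entry: {entry!r}")
        items, pos = [], 0
        while pos < len(body):
            m = ITEM_RE.match(body, pos)
            if not m:
                raise ValueError(f"bad identifier in {name}: {body[pos:]!r}")
            if m.group(1):  # r{class1, class2, ...}
                classes = [c.strip() for c in m.group(2).split(",") if c.strip()]
                items.append((m.group(1), classes or [ALL]))
            else:  # reference to another alias
                items.append(m.group(3))
            pos = m.end()
        aliases[name] = items
    return aliases

def expand(aliases, name, seen=()):
    """Resolve nested aliases into a set of (reason, class) pairs."""
    if name in seen or name not in aliases:
        raise ValueError("cycle or undefined alias: " + " -> ".join(seen + (name,)))
    out = set()
    for item in aliases[name]:
        out |= (expand(aliases, item, seen + (name,)) if isinstance(item, str)
                else {(item[0], c) for c in item[1]})
    return out
```

Calling expand(parse_aliases(SAMPLE), "specuser") gives the effective set of audited reason and class pairs for that alias, which can be compared against the intended per-user policy.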

FILES

/var/security/audit_aliases defines audit system aliases

/var/security/aumask defines user audit masks

/var/security/auclass defines audit class names

SEE ALSO

login(1), audit(1M), aualiasmgmt(1M), auclassmgmt(1M), auclass(4), audit(4), aumask(4), audit_sys(5)

(Security Enhancement)

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026