auditon(1M) auditon(1M)
NAME
auditon - enable auditing
SYNOPSIS
auditon
DESCRIPTION
The auditon shell level command allows the administrator with
the appropriate privileges to enable auditing. The privileges
required are audit, dacread, macwrite and setplevel.
When auditon is invoked, it retrieves the default values for
the AUDIT_LOGERR, AUDIT_LOGFULL, and AUDIT_DEFPATH parameters
from the /etc/default/audit file. If access to the file is
denied or if any of the keywords is missing or invalid, an
error message is printed (see DIAGNOSTICS). The default value
for the AUDIT_LOGERR and AUDIT_LOGFULL parameters is DISABLE.
The default value for the AUDIT_DEFPATH parameter is
/var/audit.
If the event log file is a regular file, the AUDIT_NODE
parameter is evaluated. If the value of AUDIT_NODE is longer
than 7 characters or contains a slash, it is not used and no
node name is appended to the log file name. If the value of
AUDIT_NODE is valid, it is appended to the log file name.
If the value of AUDIT_LOGFULL is SWITCH, the AUDIT_PGM
parameter is evaluated. If the value of AUDIT_PGM is valid,
it is used as the absolute pathname of a program to execute
when a log switch occurs. The AUDIT_DEFPATH and AUDIT_NODE
parameters are also evaluated, and their values used for the
alternate log file name and alternate node name.
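The parameter rules above can be checked before auditon is run. The script below is an added example, not part of the original manual page or vendor code: the function names are hypothetical, the file is assumed to hold plain KEY=value lines with the first match winning, and a "valid" AUDIT_PGM is assumed to mean at least an absolute pathname.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes plain KEY=value lines, first match wins.

get_param() {            # get_param FILE KEY -> value, or empty if absent
    sed -n "s/^$2=//p" "$1" 2>/dev/null | head -n 1
}

param_or_default() {     # param_or_default FILE KEY DEFAULT
    v=$(get_param "$1" "$2")
    printf '%s\n' "${v:-$3}"
}

effective_node() {       # node name that would be appended, or empty
    node=$(get_param "$1" AUDIT_NODE)
    case $node in
        ''|*/*) return 0 ;;               # unset or contains a slash: not used
    esac
    if [ "${#node}" -le 7 ]; then printf '%s\n' "$node"; fi   # longer than 7: not used
}

check_pgm() {            # 0 unless LOGFULL=SWITCH and AUDIT_PGM is not absolute
    [ "$(param_or_default "$1" AUDIT_LOGFULL DISABLE)" = SWITCH ] || return 0
    case $(get_param "$1" AUDIT_PGM) in
        /*) return 0 ;;
        *)  return 1 ;;   # assumption: "valid" means at least an absolute pathname
    esac
}

audit_preflight() {      # print effective settings and warnings for FILE
    [ -r "$1" ] || echo "warning: cannot access $1; defaults apply"
    echo "AUDIT_LOGERR=$(param_or_default "$1" AUDIT_LOGERR DISABLE)"
    echo "AUDIT_LOGFULL=$(param_or_default "$1" AUDIT_LOGFULL DISABLE)"
    echo "AUDIT_DEFPATH=$(param_or_default "$1" AUDIT_DEFPATH /var/audit)"
    echo "node suffix: '$(effective_node "$1")'"
    check_pgm "$1" || echo "warning: AUDIT_LOGFULL=SWITCH but AUDIT_PGM is not an absolute pathname"
}

# Constructed sample input (not from a real system)
sample=${TMPDIR:-/tmp}/audit.sample.$$
cat > "$sample" <<'EOF'
AUDIT_LOGFULL=SWITCH
AUDIT_NODE=fin/srv1
AUDIT_PGM=bin/rotate
EOF
audit_preflight "$sample"
rm -f "$sample"
```

On the constructed sample, the node suffix is empty because the value contains a slash, and the relative AUDIT_PGM triggers the warning.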
The auditlog command may be used to override all but the
AUDIT_LOGERR parameter.
When auditon is invoked, it initializes the audit event log
file. If auditon is invoked when the maximum number of audit
files already exist, an error message is displayed (see
DIAGNOSTICS). In such cases, it may help to edit
/etc/default/audit and change the AUDIT_DEFPATH parameter,
which controls the directory in which log files are placed.
If the event log file cannot be accessed, an error message is
displayed (see DIAGNOSTICS). When the auditon command
completes successfully, the following message is displayed:
Copyright 1994 Novell, Inc. Page 1
Auditing enabled filename
In this case, filename is the name of the audit log file.
The auditon command invokes the auditmap command to create the
audit map files.
Auditing remains enabled while the system is running until the
auditoff command is executed, or the log full condition of
DISABLE or SHUTDOWN occurs, or an audit error is encountered.
DIAGNOSTICS
On successful completion, the auditon command exits with a
value of zero (0). If there is an error, it exits with one of
the following values and prints the corresponding error
message:
1 usage: auditon
Invalid command syntax.
3 system service not installed
The audit package is not installed.
4 Permission denied
Failure because of insufficient privilege.
8 auditlog() failed ALOGGET, errno = errno
Failure occurred while getting audit log file attributes.
9 auditlog() failed ALOGSET, errno = errno
Failure occurred while setting audit log file attributes.
12 auditctl() failed ASTATUS, errno = errno
Failure occurred while retrieving the status of auditing.
17 cannot access event log current log file
Failure occurred while attempting to enable auditing.
17 Internal error, errno = errno
Failure occurred while attempting to enable auditing.
17 the maximum (999) number of audit event log files for a
given day exist
The maximum number of audit event log files exists;
auditing is not enabled.
17 auditing abnormally terminated log file
Before command completion, auditing was terminated by
another process.
24 unable to malloc space
24 argvtostr() failed
33 exec of program name failed
36 fork() failed
The following warning messages may be printed:
Auditing already enabled
none or invalid AUDIT_LOGERR=value found in /etc/default/audit
cannot access /etc/default/audit
The /etc/default/audit file cannot be accessed. Default
values described in the DESCRIPTION section are used.
Auditing is enabled.
none or invalid AUDIT_LOGFULL=value found in /etc/default/audit
none or invalid AUDIT_DEFPATH=value found in /etc/default/audit
auditlog() failed ALOGGET, errno = errno
Auditing is enabled; however, a failure occurred when
retrieving audit log attributes before changing the
owner/group of the audit log file.
FILES
/etc/default/audit
/var/audit/MMDD###
/etc/init.d/audit
/etc/rc2.d/S02audit
REFERENCES
auditdmp(2), auditlog(1M), auditmap(1M), auditoff(1M),
auditrpt(1M), auditset(1M), defadm(1M)