dxaudit man page on DigitalUNIX

Man page or keyword search:  
man Server   12896 pages
apropos Keyword Search (all sections)
Output format
DigitalUNIX logo
[printable version]

dxaudit(8X)							   dxaudit(8X)

       dxaudit - Motif Interface for the Audit Subsystem


       The  dxaudit  application is a Motif graphical user interface which can
       be used to administer the audit subsystem.  Three major areas  comprise
       the  audit  subsystem:  Control, Collection, and Reporting.  Currently,
       dxaudit supports Collection and Reporting only.	See the auditd(8) ref‐
       erence page for details on administering the Control function.

       In order to invoke dxaudit, you must be the root user.

   Audit Event Overview
       Audit events are comprised of the following types: System calls include
       all entry points into the UNIX kernel including	habitat	 events	 which
       are  denoted  by the <habitat name>/<system call>, like `SystemV/open'.
       Trusted events are application-defined events  which  represent	higher
       level  activity.	  For  example,	 login is a trusted event.  To audit a
       user login at the system call level would produce  many	audit  events,
       whereas	to  audit  the	login event would capture essentially the same
       information in a very concise way.  Site events provide a mechanism for
       a  site	to  extend  the	 audit subsystem's list of audit events.  Site
       events can be defined in /etc/sec/site_events.  A site event  can  con‐
       tain  subevents	which  are  finer-grained  audit  events within a site

       In addition to these events, the administrator can also combine any  of
       the  above  events  into	 an  event alias.  An alias can also reference
       other aliases.  Aliases are stored in /etc/sec/event_aliases.

       For each event, the administrator can specify whether successful occur‐
       rences,	failed	occurrences or both are audited or used in a selection
       against a particular audit log.

       dxaudit presents audit events in specialized  Motif  widgets  that  are
       designed	 to  manage  audit  events.  Alias events are presented in one
       list and system calls, trusted events, and site events are presented in
       a  list called Base/Site Events.	 Once an event is selected, the audit‐
       ing of Successful or Failed occurrences can be set.  The lists  can  be
       managed in a global fashion such that by clicking one button the entire
       list is changed -- either by  selecting	or  unselecting	 the  list  of
       events  or  by  switching the settings of the Success or Failure toggle
       buttons.	 In addition, dxaudit provides interaction between aliases and
       base/site  events  according  to	 the following rules: When an alias is
       selected, all of the events  in	that  alias  are  also	selected.   By
       default,	 the  per-event Success/Failure setting will be to use what is
       contained in the alias file.  Whenever the Success/Failure  setting  is
       changed	on  an	alias,	all Success/Failure settings for the events in
       that alias will change to the same setting.  When a Base/Site event  is
       unselected  such	 that a Selected Alias is no longer a true representa‐
       tion, the alias will be unselected.

       dxaudit also allows the saving and restoring of event masks in files so
       that frequently used event masks can be easily recalled.

       By  default,  dxaudit  presents the list of security relevant events as
       presented in /etc/sec/audit_events on system installation. The adminis‐
       trator  can configure dxaudit to use the entire list of audit events by
       using the auditUseSecEvents X resource.	See the	 X  RESOURCES  section
       below for details.  If during execution, dxaudit encounters an unrecog‐
       nized event from querying some event mask, the user will	 be  asked  if
       dxaudit should use full event mode or security relevant event mode.

   Collection Functions
       The  Current  System  Mask is the system-wide event mask and style set‐
       tings currently in effect.  A system event mask can contain  all	 event
       types  except sub-events to site events.	 This screen allows the admin‐
       istrator to query and change the	 current  system  mask,	 and  auditing
       styles  (see  auditmask(8)  reference  page).   dxaudit also provides a
       screen via Edit->Object Selection/Deselection to access the  capability
       to select or deselect audit records regarding file activity before they
       are stored in the audit trail.

	      The Default System Mask is the value of the AUDITMASK_FLAG vari‐
	      able  as stored in the /etc/rc.config file.  This is essentially
	      the default value of the system mask each	 time  the  system  is
	      booted.	The  event  mask  and  audit styles can be queried and
	      saved from this screen. If dxaudit detects that an event mask is
	      exactly  represented  by a loaded/saved file on the system, then
	      it will ask the administrator if the default system mask	should
	      reference the file name in the AUDITMASK_FLAG variable or supply
	      the contents of the file in the  AUDITMASK_FLAG  variable.   The
	      former method provides a level of indirection so that the admin‐
	      istrator could maintain the default  mask	 by  editing  a	 file.
	      This  screen  presents a list of the current active processes on
	      the system.  The administrator can choose a process or  a	 group
	      of  processes  running as the same login user (same AUID), query
	      its current event mask and audit control flags, and change  them
	      as  necessary.  For active processes, the event mask cannot con‐
	      tain habitat events or site events; however, a global option  to
	      audit habitat events can be set.	Also, system call event audit‐
	      ing can be globally turned off.

   Reporting Functions
       This screen allows the  administrator  to  create,  modify,  or	delete
       selection files.	 Selection files contain parameters which indicate how
       audit records will be selected from the raw audit trail	during	report
       generation.   The  selection parameters include things like time inter‐
       val, audit events, user id.  Any audit record  matching	the  selection
       criteria will be displayed.  All types of audit events can be used in a
       selection file.	This screen allows the administrator to	 create,  mod‐
       ify,  or	 delete	 deselection  files.   A  deselection file consists of
       tuples.	The tuple is comprised of a host, audit ID, real  UID,	event,
       file pathname, and access mode.	A deselection file can be used to fur‐
       ther reduce audit records when generating reports.  It can be  used  in
       combination with a selection file.  Any audit record matching the dese‐
       lection criteria will be filtered out from  the	report	stream.	  This
       screen  allows  the administrator to view an audit report.  A selection
       file, a deselection file,  and an audit log can be selected to generate
       a  report.   Output options include generating a report to a file, to a
       series of files sorted by audit ID, to a window on the  screen,	or  if
       audit  is  currently  enabled,  to follow the current activity.	Report
       records can be in brief format or long format.  If in brief format, the
       administrator  can  double  click on the record and get a pop-up of the
       long format.

       This resource changes the list of events loaded	into  all  list	 boxes
       with  the Base/Site Events heading.  Setting the value to True will use
       only   security	 relevant   audit   events   (the   set	   found    in
       /etc/sec/audit_events).	 Setting  the value to False will make dxaudit
       use all events on the system. This includes all system calls,  non-sys‐
       tem events, etc.	 It will slightly impact performance on screen mapping
       of those screens containing the event list boxes.   It  is  recommended
       that  security  relevant	 events	 be  used.  The	 default value of this
       resource is true.  This resource changes	 the  display  of  the	Active
       Process	List from the Modify Active Process Mask screen.  Refer to the
       ps(1) reference page for additional information.	 This resource changes
       the  sorted order of the ps(1) output in the Modify Active Process Mask
       screen.	Valid options are:  for	 ps(1)	native	order  for  alphabetic
       ordering	 by user name. This is the default value.  This resource tells
       dxaudit how many 256K chunks of memory it can allocate  when  receiving
       audit  report  data  from  audit_tool.	When  the length of the report
       exceeds this amount of memory, the oldest 256K chunk of	data  is  dis‐
       carded  as long as the user is not viewing it at the moment.  This dis‐
       carded chunk cannot be accessed again unless the report is regenerated.
       The default setting for this resource is 20.

       System-wide  X Resource file.  Security relevant audit events Site spe‐
       cific audit events.  Audit event alias specification  file.   Directory
       containing  the	audit selection files.	Directory containing the audit
       deselection files.

       auditd(8), auditmask(8), audit_tool(8), audit_setup(8)


List of man pages available for DigitalUNIX

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
Vote for polarhome
Free Shell Accounts :: the biggest list on the net