dxaudit man page on Tru64


dxaudit(8X)							   dxaudit(8X)

NAME
       dxaudit - Motif Interface for the Audit Subsystem

SYNOPSIS
       /usr/tcb/bin/dxaudit

DESCRIPTION
       The dxaudit application is a Motif graphical user interface which can
       be used to administer the audit subsystem.  Three major areas comprise
       the audit subsystem: Control, Collection, and Reporting.  Currently,
       dxaudit supports Collection and Reporting only.  See the auditd(8)
       reference page for details on administering the Control function.

       In order to invoke dxaudit, you must be the root user.

   Audit Event Overview
       Audit events are of the following types:

       System calls
              All entry points into the UNIX kernel, including habitat events,
              which are denoted as <habitat name>/<system call>, for example
              `SystemV/open'.

       Trusted events
              Application-defined events which represent higher level
              activity.  For example, login is a trusted event.  Auditing a
              user login at the system call level would produce many audit
              events, whereas auditing the login event captures essentially
              the same information in a very concise way.

       Site events
              A mechanism for a site to extend the audit subsystem's list of
              audit events.  Site events can be defined in
              /etc/sec/site_events.  A site event can contain subevents,
              which are finer-grained audit events within a site event.

       In addition to these events, the administrator can combine any of the
       above events into an event alias.  An alias can also reference other
       aliases.  Aliases are stored in /etc/sec/event_aliases.

       For each event, the administrator can specify whether successful
       occurrences, failed occurrences, or both are audited or used in a
       selection against a particular audit log.

       dxaudit presents audit events in specialized Motif widgets designed to
       manage audit events.  Alias events are presented in one list; system
       calls, trusted events, and site events are presented in a list called
       Base/Site Events.  Once an event is selected, the auditing of
       Successful or Failed occurrences can be set.  The lists can be managed
       in a global fashion such that clicking one button changes the entire
       list, either by selecting or unselecting the whole list of events or
       by switching the settings of the Success or Failure toggle buttons.
       In addition, dxaudit keeps aliases and base/site events consistent
       according to the following rules:

       o  When an alias is selected, all of the events in that alias are also
          selected.  By default, the per-event Success/Failure setting is the
          one contained in the alias file.

       o  Whenever the Success/Failure setting is changed on an alias, the
          Success/Failure settings of all events in that alias change to the
          same setting.

       o  When a Base/Site event is unselected such that a selected alias is
          no longer a true representation, the alias is unselected.
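The three alias rules above, modelled in Python as an added example (not code from dxaudit or Tru64). The alias table is constructed, and the choice that the outermost alias's setting wins for nested aliases is an assumption the page does not make.

```python
# Added example (not dxaudit or Tru64 code): a model of the three rules that
# keep aliases and Base/Site events consistent in a dxaudit event mask.
SUCCESS, FAILURE, BOTH = "success", "failure", "both"

# Constructed alias table in the spirit of /etc/sec/event_aliases: name ->
# (members, default success/failure setting).  Members may be base/site
# events or other aliases.  Names and contents are hypothetical.
ALIASES = {
    "file_write": ({"open", "creat", "SystemV/open"}, FAILURE),
    "auth":       ({"login", "su"}, BOTH),
    "sensitive":  ({"file_write", "auth"}, BOTH),   # references other aliases
}

def expand(alias, path=()):
    """Flatten an alias into the base/site events it ultimately names."""
    if alias in path:                     # a cyclic alias file is an error
        raise ValueError("alias cycle at %r" % alias)
    events = set()
    for member in ALIASES[alias][0]:
        if member in ALIASES:
            events |= expand(member, path + (alias,))
        else:
            events.add(member)
    return events

class EventMask:
    def __init__(self):
        self.base = {}          # selected base/site event -> setting
        self.aliases = set()    # aliases currently selected

    def select_alias(self, name):
        # Rule 1: selecting an alias selects every event in it, using the
        # setting stored in the alias file by default (assumption: for a
        # nested alias, the outermost alias's setting wins).
        for event in expand(name):
            self.base[event] = ALIASES[name][1]
        self.aliases.add(name)

    def set_alias_setting(self, name, setting):
        # Rule 2: changing Success/Failure on an alias changes it for
        # every event the alias contains.
        for event in expand(name):
            self.base[event] = setting

    def unselect_event(self, event):
        # Rule 3: an alias that the mask no longer truly represents is
        # unselected; nested aliases are checked through expand().
        self.base.pop(event, None)
        self.aliases = {a for a in self.aliases
                        if expand(a) <= set(self.base)}
```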

       dxaudit also allows the saving and restoring of event masks in files so
       that frequently used event masks can be easily recalled.

       By default, dxaudit presents the list of security relevant events as
       found in /etc/sec/audit_events at system installation.  The
       administrator can configure dxaudit to use the entire list of audit
       events by setting the auditUseSecEvents X resource.  See the X
       RESOURCES section below for details.  If, during execution, dxaudit
       encounters an unrecognized event when querying an event mask, the user
       is asked whether dxaudit should use full event mode or security
       relevant event mode.

   Collection Functions
       The Current System Mask is the system-wide event mask and style
       settings currently in effect.  A system event mask can contain all
       event types except subevents of site events.  This screen allows the
       administrator to query and change the current system mask and the
       auditing styles (see the auditmask(8) reference page).  dxaudit also
       provides a screen, via Edit->Object Selection/Deselection, to select
       or deselect audit records regarding file activity before they are
       stored in the audit trail.

       The Default System Mask is the value of the AUDITMASK_FLAG variable as
       stored in the /etc/rc.config file.  This is essentially the default
       value of the system mask each time the system is booted.  The event
       mask and audit styles can be queried and saved from this screen.  If
       dxaudit detects that an event mask is exactly represented by a
       loaded/saved file on the system, it asks the administrator whether the
       default system mask should reference the file name in the
       AUDITMASK_FLAG variable or supply the contents of the file in the
       AUDITMASK_FLAG variable.  The former method provides a level of
       indirection so that the administrator can maintain the default mask
       by editing a file.

       The Modify Active Process Mask screen presents a list of the currently
       active processes on the system.  The administrator can choose a
       process, or a group of processes running as the same login user (same
       AUID), query its current event mask and audit control flags, and
       change them as necessary.  For active processes, the event mask
       cannot contain habitat events or site events; however, a global
       option to audit habitat events can be set.  Also, system call event
       auditing can be globally turned off.

   Reporting Functions
       One screen allows the administrator to create, modify, or delete
       selection files.  Selection files contain parameters which indicate
       how audit records will be selected from the raw audit trail during
       report generation.  The selection parameters include a time interval,
       audit events, and a user ID.  Any audit record matching the selection
       criteria will be displayed.  All types of audit events can be used in
       a selection file.

       Another screen allows the administrator to create, modify, or delete
       deselection files.  A deselection file consists of tuples.  Each
       tuple is comprised of a host, audit ID, real UID, event, file
       pathname, and access mode.  A deselection file can be used to further
       reduce audit records when generating reports, and it can be used in
       combination with a selection file.  Any audit record matching the
       deselection criteria will be filtered out of the report stream.

       A third screen allows the administrator to view an audit report.  A
       selection file, a deselection file, and an audit log can be selected
       to generate a report.  Output options include generating a report to
       a file, to a series of files sorted by audit ID, to a window on the
       screen, or, if audit is currently enabled, following the current
       activity.  Report records can be in brief or long format.  In brief
       format, the administrator can double click on a record to get a
       pop-up of the long format.
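The selection and deselection mechanism described above, as an added example in Python (not code from dxaudit, audit_tool or Tru64). The audit records are constructed, and treating a None field in a deselection tuple as a wildcard is an assumption the page does not make.

```python
# Added example (not dxaudit, audit_tool or Tru64 code): how a selection file
# and a deselection file combine to filter raw audit records for a report.
from datetime import datetime

# Constructed raw audit trail; field names follow the deselection tuple
# (host, audit ID, real UID, event, file pathname, access mode) plus the
# timestamp and success/failure result used by selection files.
TRAIL = [
    dict(time=datetime(2001, 5, 1, 9, 0), host="hostA", auid=100, ruid=100,
         event="open", path="/etc/passwd", mode="r", result="success"),
    dict(time=datetime(2001, 5, 1, 9, 5), host="hostA", auid=100, ruid=0,
         event="open", path="/etc/shadow", mode="r", result="failure"),
    dict(time=datetime(2001, 5, 1, 9, 10), host="hostB", auid=200, ruid=200,
         event="login", path=None, mode=None, result="success"),
    dict(time=datetime(2001, 5, 2, 9, 0), host="hostA", auid=100, ruid=100,
         event="open", path="/var/log/messages", mode="r", result="success"),
]

ANY = None     # assumption: None in a deselection tuple matches any value
DESELECT_FIELDS = ("host", "auid", "ruid", "event", "path", "mode")

def selected(rec, sel):
    """Selection file: optional time interval, per-event success/failure
    setting ("success", "failure" or "both"), and optional audit ID."""
    start, end = sel.get("interval", (None, None))
    if start is not None and rec["time"] < start:
        return False
    if end is not None and rec["time"] > end:
        return False
    if "events" in sel:
        want = sel["events"].get(rec["event"])
        if want is None or want not in ("both", rec["result"]):
            return False
    if "auid" in sel and rec["auid"] != sel["auid"]:
        return False
    return True

def deselected(rec, tuples):
    """Deselection file: a record matching any tuple is filtered out."""
    return any(all(v is ANY or rec[f] == v
                   for f, v in zip(DESELECT_FIELDS, t)) for t in tuples)

def report(trail, sel, desel=()):
    """Records selected by sel and not removed by desel, in trail order."""
    return [r for r in trail if selected(r, sel) and not deselected(r, desel)]
```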

X RESOURCES
       auditUseSecEvents
              This resource changes the list of events loaded into all list
              boxes with the Base/Site Events heading.  Setting the value to
              True uses only security relevant audit events (the set found
              in /etc/sec/audit_events).  Setting the value to False makes
              dxaudit use all events on the system, including all system
              calls, non-system events, and so on; this slightly impacts
              performance when mapping the screens that contain the event
              list boxes.  It is recommended that security relevant events
              be used.  The default value of this resource is True.

       A second resource changes the display of the Active Process List on
       the Modify Active Process Mask screen.  Refer to the ps(1) reference
       page for additional information.

       A third resource changes the sorted order of the ps(1) output on the
       Modify Active Process Mask screen.  Its valid options select either
       ps(1) native order or alphabetic ordering by user name, which is the
       default value.

       A fourth resource tells dxaudit how many 256K chunks of memory it can
       allocate when receiving audit report data from audit_tool.  When the
       length of the report exceeds this amount of memory, the oldest 256K
       chunk of data is discarded, as long as the user is not viewing it at
       the moment.  A discarded chunk cannot be accessed again unless the
       report is regenerated.  The default setting for this resource is 20.

FILES
       System-wide X resource file.

       /etc/sec/audit_events
              Security relevant audit events.

       /etc/sec/site_events
              Site specific audit events.

       /etc/sec/event_aliases
              Audit event alias specification file.

       Directory containing the audit selection files.

       Directory containing the audit deselection files.

SEE ALSO
       auditd(8), auditmask(8), audit_tool(8), audit_setup(8)
