audit_setup - Audit setup script
The audit_setup script is an interactive, menu-driven utility that establishes the audit environment on your system.
The audit_setup script does the following:
1) Establishes startup flags for the audit daemon. The following options to auditd can be set using audit_setup:
   - destination of audit data
   - destination of auditd messages
   - action to take on an overflow condition
   - enable accepting audit data from remote audit daemons
2) Establishes startup flags for the auditmask. The auditmask establishes which events get audited. This can be specified in one of two ways:
   - having the auditmask read a list of events from a file
   - specifying a list of events on the command line
The audit_setup script can also modify your system (kernel) configuration file so that the kernel is configured for security auditing; see the System Configuration step in the session below.
You must be root to run audit_setup.
The following is a sample audit_setup session.
********************************************************************
Audit Subsystem Setup Script
********************************************************************
The following steps will be taken to set up audit:
1) establish startup flags for the audit daemon,
2) establish startup flags for the auditmask,
3) create the /dev/audit device (if needed),
4) configure a new kernel (if needed).
Do you wish to have security auditing enabled as part of
system initialization (answer 'n' to disable) ([y]/n)? y
----------------------------
Audit Daemon Startup Flags
----------------------------
Some of the options to 'auditd' control:
1) destination of audit data,
2) destination of auditd messages,
3) action to take on an overflow condition,
4) enable accepting audit data from remote auditd's.
Destination of audit data (file|host:) [/var/audit/auditlog]? <Return>
Directory /var/audit/ does not exist; create it now (y/[n])? y
Destination of auditd messages [/var/audit/auditd_cons]? <Return>
Action to take on an overflow condition may be one of:
1) change audit data location according to '/etc/sec/auditd_loc'
2) suspend auditing until space becomes available
3) overwrite the current auditlog
4) terminate auditing
5) halt the system
Action (1-5) [1]? <Return>
Don't forget to list in '/etc/sec/auditd_loc' the alternate
directories in which to store audit data.
Do you wish to edit /etc/sec/auditd_loc now (y/[n])? <Return>
Accept data from remote auditd's (y/[n])? y
Don't forget to place names of remote hosts from which data
may be accepted into '/etc/sec/auditd_clients'.
Do you wish to edit /etc/sec/auditd_clients now (y/[n])? y
?auditd_clients
a
alpha1
alpha1.sales.dec.com
.
1,$n
1 alpha1
2 alpha1.sales.dec.com
w
q
Further options are available for advanced users of the audit
system (please refer to the auditd manpage). If you wish to
specify further options you may do so now (<cr> for none): <Return>
Startup flags for 'auditd' set to:
-l /var/audit/auditlog -c y -o changeloc -r -s
Is this correct ([y]/n)? y
-------------------------
Auditmask Startup Flags
-------------------------
The auditmask establishes which events get audited. This can be
specified by:
1) having the auditmask read a list of events from a file,
-or-
2) specifying a list of events on the command line.
Events can refer to syscalls, trusted events, site-defined events,
or alias names.
The file '/etc/sec/audit_events' contains a list of all auditable
system calls and trusted (application) events. You may either
modify this file or use it as a template.
The file '/etc/sec/event_aliases' contains a set of aliases by which
logically related groupings of events may be constructed. You may
modify this set of aliases to suit your site's requirements.
Enter filename with event list or * indicating events will be listed
on the command line (<Return> for no events): /etc/sec/audit_events
Do you wish to edit /etc/sec/audit_events now (y/[n])? <Return>
The auditmask also sets various style flags such as:
1) 'exec_argp' - audit argument vector to exec system calls
2) 'exec_envp' - audit environment vector to exec system calls
3) 'login_uname' - audit recorded username in failed login events
Enable exec_argp ([y]/n)? <Return>
Enable exec_envp (y/[n])? <Return>
Enable login_uname ([y]/n)? <Return>
Startup flags for 'auditmask' set to:
-s exec_argp -s login_uname < /etc/sec/audit_events
Is this correct ([y]/n)? <Return>
----------------------
System Configuration
----------------------
UNWIRE is already configured for security auditing (/sys/conf/UNWIRE).
Would you like to start audit now ([y]/n)? <Return>
'/usr/sbin/auditd' started.
'/usr/sbin/auditmask' set.
***** AUDIT SETUP COMPLETE *****
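The session above twice reminds you of files that the chosen auditd flags depend on but that audit_setup does not fill in for you: '/etc/sec/auditd_loc' (alternate directories, needed once '-o changeloc' is selected) and '/etc/sec/auditd_clients' (hosts allowed to send audit data, needed once '-r' is selected). Starting auditd with '-r' and an empty or sloppy clients file is the point a practitioner most wants to check, since that file is the only thing deciding whose audit records the daemon accepts. The following POSIX shell script is an added example, not part of audit_setup or of this manual page: it validates both files against the flag string audit_setup reports and runs only the checks the flags make necessary. The file paths and the flag meanings come from the session above; the line-format rules (one bare hostname or one directory per line, no blanks, no wildcards, no duplicates) are assumptions, and the sample files it creates are constructed here, not real /etc/sec files.

```sh
#!/bin/sh
# Hypothetical pre-start checks for the auditd flags reported by audit_setup.
# Not part of audit_setup; the file formats assumed here are:
#   auditd_clients : one hostname per line, consulted when '-r' is set
#   auditd_loc     : one directory per line, consulted when '-o changeloc' is set

# Validate a clients list. Each line must be a hostname made of letters,
# digits, hyphens and dots: no whitespace, no wildcard, no leading hyphen,
# no empty label, no duplicate. Prints the number of rejected lines and
# returns non-zero if any line was rejected.
check_clients() {
    file=$1
    bad=0
    seen=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|*[!A-Za-z0-9.-]*|-*|*.|*..*)
                echo "auditd_clients: rejecting '$line'" >&2
                bad=$((bad + 1))
                continue ;;
        esac
        case " $seen " in
            *" $line "*)
                echo "auditd_clients: duplicate '$line'" >&2
                bad=$((bad + 1))
                continue ;;
        esac
        seen="$seen $line"
    done < "$file"
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# Validate an alternate-location list for '-o changeloc'. Each line must name
# an existing directory writable by the invoking user (root, for auditd).
# Prints the number of rejected lines and returns non-zero if any.
check_loc() {
    file=$1
    bad=0
    while IFS= read -r dir || [ -n "$dir" ]; do
        if [ -z "$dir" ] || [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
            echo "auditd_loc: rejecting '$dir'" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# Given the auditd flag string audit_setup reports, run only the checks the
# chosen flags require: '-r' needs a valid clients file, '-o changeloc' needs
# a valid alternate-location file. Returns non-zero if any required check fails.
check_prereqs() {
    flags=$1; clients=$2; loc=$3
    rc=0
    case " $flags " in
        *" -r "*) check_clients "$clients" >/dev/null || rc=1 ;;
    esac
    case " $flags " in
        *" -o changeloc "*) check_loc "$loc" >/dev/null || rc=1 ;;
    esac
    return $rc
}

# Demonstration on constructed input (not the real /etc/sec files): the two
# names entered in the session above, plus a wildcard entry and a duplicate,
# and a location list with one missing directory.
tmp=$(mktemp -d)
printf '%s\n' alpha1 alpha1.sales.dec.com 'alpha*' alpha1 > "$tmp/auditd_clients"
printf '%s\n' "$tmp" "$tmp/does-not-exist" > "$tmp/auditd_loc"
if check_prereqs "-l /var/audit/auditlog -c y -o changeloc -r -s" \
        "$tmp/auditd_clients" "$tmp/auditd_loc"; then
    echo "prerequisites OK, auditd may be started"
else
    echo "fix the files named above before starting auditd"
fi
rm -rf "$tmp"
```

Run it as root after audit_setup has printed the "Startup flags for 'auditd' set to:" line and before answering yes to "Would you like to start audit now". The flags that the session lists without explaining here ('-c y', '-s') are deliberately ignored by check_prereqs; only the flags whose meaning the session makes explicit drive the checks.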
Commands: auditmask(8), auditd(8)