audit_setup

Section: Maintenance Commands (8)

NAME

audit_setup - Audit setup script  

SYNOPSIS

/usr/sbin/audit_setup  

DESCRIPTION

The audit_setup script is an interactive, menu-driven utility used to establish the audit environment on your system.

The audit_setup script does the following:

  1) Establishes startup flags for the audit daemon. The following options to auditd can be set using audit_setup:
       - destination of audit data
       - destination of auditd messages
       - action to take on an overflow condition
       - enable accepting audit data from remote audit daemons
  2) Establishes startup flags for the auditmask. The auditmask establishes which events get audited. This can be specified in one of two ways:
       - having the auditmask read a list of events from a file
       - specifying a list of events on the command line
     Events can refer to system calls, trusted events, site-defined events, or alias names.
  3) Creates the /dev/audit device (if needed).
  4) Configures a new kernel (if needed).

The audit_setup script can also be used to modify your system configuration file.

You must be root to run audit_setup.  

EXAMPLE

The following is a sample audit_setup session.

********************************************************************

               Audit Subsystem Setup Script

********************************************************************


  The following steps will be taken to set up audit:
    1) establish startup flags for the audit daemon,
    2) establish startup flags for the auditmask,
    3) create the /dev/audit device (if needed),
    4) configure a new kernel (if needed).


  Do you wish to have security auditing enabled as part of
  system initialization (answer 'n' to disable) ([y]/n)?  y


    ----------------------------
     Audit Daemon Startup Flags
    ----------------------------


  Some of the options to 'auditd' control:
    1) destination of audit data,
    2) destination of auditd messages,
    3) action to take on an overflow condition,
    4) enable accepting audit data from remote auditd's.


  Destination of audit data (file|host:) [/var/audit/auditlog]?  <Return>
    Directory /var/audit/ does not exist; create it now (y/[n])?  y


  Destination of auditd messages [/var/audit/auditd_cons]?  <Return>


  Action to take on an overflow condition may be one of:
    1)  change audit data location according to '/etc/sec/auditd_loc'
    2)  suspend auditing until space becomes available
    3)  overwrite the current auditlog
    4)  terminate auditing
    5)  halt the system


  Action (1-5) [1]?  <Return>


    Don't forget to list in '/etc/sec/auditd_loc' the alternate
    directories in which to store audit data.


    Do you wish to edit /etc/sec/auditd_loc now (y/[n])?  <Return>


  Accept data from remote auditd's (y/[n])?  y


    Don't forget to place names of remote hosts from which data
    may be accepted into '/etc/sec/auditd_clients'.


    Do you wish to edit /etc/sec/auditd_clients now (y/[n])?  y

    ?auditd_clients
    a
    alpha1
    alpha1.sales.dec.com
    .
    1,$n
    1               alpha1
    2               alpha1.sales.dec.com
    w
    q


  Further options are available for advanced users of the audit
  system (please refer to the auditd manpage).  If you wish to
  specify further options you may do so now (<cr> for none):  <Return>


  Startup flags for 'auditd' set to:
    -l /var/audit/auditlog -c y -o changeloc -r -s


  Is this correct ([y]/n)?  y


    -------------------------
     Auditmask Startup Flags
    -------------------------


  The auditmask establishes which events get audited.  This can be
  specified by:


    1) having the auditmask read a list of events from a file,
      -or-
    2) specifying a list of events on the command line.


  Events can refer to syscalls, trusted events, site-defined events,
  or alias names.


  The file '/etc/sec/audit_events' contains a list of all auditable
  system calls and trusted (application) events.  You may either
  modify this file or use it as a template.


  The file '/etc/sec/event_aliases' contains a set of aliases by which
  logically related groupings of events may be constructed.  You may
  modify this set of aliases to suit your site's requirements.


  Enter filename with event list or * indicating events will be listed
  on the command line (<Return> for no events):  /etc/sec/audit_events


  Do you wish to edit /etc/sec/audit_events now (y/[n])?  <Return>


  The auditmask also sets various style flags such as:
    1) 'exec_argp'   - audit argument vector to exec system calls
    2) 'exec_envp'   - audit environment vector to exec system calls
    3) 'login_uname' - audit recorded username in failed login events


  Enable exec_argp ([y]/n)?  <Return>
  Enable exec_envp (y/[n])?  <Return>
  Enable login_uname ([y]/n)?  <Return>


  Startup flags for 'auditmask' set to:
     -s exec_argp -s login_uname < /etc/sec/audit_events


  Is this correct ([y]/n)?  <Return>


    ----------------------
     System Configuration
    ----------------------


  UNWIRE is already configured for security auditing (/sys/conf/UNWIRE).


  Would you like to start audit now ([y]/n)?  <Return>


    '/usr/sbin/auditd' started.
    '/usr/sbin/auditmask' set.


  ***** AUDIT SETUP COMPLETE *****  
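The startup flags shown in the session above map to files under /etc/sec: option 1 for the overflow action becomes -o changeloc and depends on /etc/sec/auditd_loc, and accepting remote data becomes -r and depends on /etc/sec/auditd_clients. The following shell script is an added consistency check, not part of audit_setup or auditd: given the auditd flag line and the directory holding those files, it verifies that a local log destination has an existing directory, that changeloc has existing alternate directories listed, and that -r is backed by at least one host. It assumes one entry per line in both files, as the sample session shows for auditd_clients.

```shell
#!/bin/sh
# Added consistency check for the auditd startup flags audit_setup records; not part of
# audit_setup or auditd. Assumes one directory per line in auditd_loc, one host per line in auditd_clients.
# check_audit_flags FLAGS ETCSEC
#   FLAGS  - auditd startup line, e.g. "-l /var/audit/auditlog -c y -o changeloc -r -s"
#   ETCSEC - directory holding auditd_loc and auditd_clients (normally /etc/sec)
# Prints each problem found; returns 0 when every file-dependent option is backed by a usable file.
check_audit_flags() {
    flags=$1 etcsec=$2 status=0
    set -- $flags            # word-split the flag line into positional parameters
    while [ $# -gt 0 ]; do
        case $1 in
        -l) # audit data destination: a local log file needs an existing directory
            case $2 in
            *:) ;;           # "host:" form sends data to a remote auditd; nothing local to check
            *)  [ -d "$(dirname "$2")" ] ||
                    { echo "log directory missing: $(dirname "$2")"; status=1; } ;;
            esac
            [ $# -gt 1 ] && shift ;;
        -o) # overflow action "changeloc" relies on the alternate directories in auditd_loc
            if [ "$2" = changeloc ]; then
                if [ ! -s "$etcsec/auditd_loc" ]; then
                    echo "changeloc set but $etcsec/auditd_loc is empty"; status=1
                else
                    while read -r dir; do
                        [ -z "$dir" ] || [ -d "$dir" ] ||
                            { echo "alternate directory missing: $dir"; status=1; }
                    done < "$etcsec/auditd_loc"
                fi
            fi
            [ $# -gt 1 ] && shift ;;
        -r) # accepting remote data only makes sense if auditd_clients names at least one host
            grep -q '[^[:space:]]' "$etcsec/auditd_clients" 2>/dev/null ||
                { echo "-r set but $etcsec/auditd_clients names no host"; status=1; } ;;
        esac
        shift
    done
    return $status
}

# Constructed demonstration mirroring the sample session (temporary tree, removed afterwards).
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/etc" "$t/var/audit" "$t/alt1"
    printf '%s\n' "$t/alt1" > "$t/etc/auditd_loc"
    printf '%s\n' alpha1 alpha1.sales.dec.com > "$t/etc/auditd_clients"
    check_audit_flags "-l $t/var/audit/auditlog -c y -o changeloc -r -s" "$t/etc" && echo "configuration consistent"
    rm -rf "$t"
}
demo
```

Run it against the real flag line from /etc/rc.config style startup settings and /etc/sec as root; a non-zero exit and the printed messages name the file that still needs attention.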

FILES

/etc/sec/event_aliases
    A set of aliases by which logically related groupings of events can be constructed. You can modify this set of aliases to suit your site's requirements.

/etc/sec/auditd_clients
    A list of hosts from which audit data can be accepted.

/etc/sec/auditd_loc
    A list of alternative locations in which auditd stores audit data when an overflow condition is reached.

/etc/sec/audit_events
    A list of all auditable system calls and trusted (application) events. You can modify this file or use it as a template.

RELATED INFORMATION

Commands: auditmask(8), auditd(8)


This document was created by man2html, using the manual pages.
Time: 02:40:33 GMT, October 02, 2010