NAME
dxaudit - Motif Interface for the Audit Subsystem

SYNOPSIS
/usr/tcb/bin/dxaudit
DESCRIPTION
The dxaudit application is a Motif graphical user interface which can be used to administer the audit subsystem. Three major areas comprise the audit subsystem: Control, Collection, and Reporting. Currently, dxaudit supports Collection and Reporting only. See the auditd(8) reference page for details on administering the Control function.

In order to invoke dxaudit, you must be the root user.
Audit events are of the following types:

   System calls include all entry points into the UNIX kernel, including habitat events, which are denoted by <habitat name>/<system call>, for example 'SystemV/open'.

   Trusted events are application-defined events which represent higher level activity. For example, login is a trusted event. Auditing a user login at the system call level would produce many audit events, whereas auditing the login event captures essentially the same information in a very concise way.

   Site events provide a mechanism for a site to extend the audit subsystem's list of audit events. Site events can be defined in /etc/sec/site_events. A site event can contain subevents, which are finer-grained audit events within a site event.
In addition to these events, the administrator can also combine any of the above events into an event alias. An alias can also reference other aliases. Aliases are stored in /etc/sec/event_aliases.
For each event, the administrator can specify whether successful occurrences, failed occurrences or both are audited or used in a selection against a particular audit log.
dxaudit presents audit events in specialized Motif widgets that are designed to manage audit events. Alias events are presented in one list; system calls, trusted events, and site events are presented in a list called Base/Site Events. Once an event is selected, the auditing of Successful or Failed occurrences can be set. The lists can be managed in a global fashion such that by clicking one button the entire list is changed -- either by selecting or unselecting the list of events or by switching the settings of the Success or Failure toggle buttons. In addition, dxaudit provides interaction between aliases and base/site events according to the following rules:

   When an alias is selected, all of the events in that alias are also selected. By default, the per-event Success/Failure setting will be what is contained in the alias file.

   Whenever the Success/Failure setting is changed on an alias, all Success/Failure settings for the events in that alias will change to the same setting.

   When a Base/Site event is unselected such that a selected alias is no longer a true representation, the alias will be unselected.
dxaudit also allows the saving and restoring of event masks in files so that frequently used event masks can be easily recalled.
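The three alias rules above determine what actually ends up in a saved event mask, so it is worth being able to check them outside the GUI. The following is an added example, not dxaudit's own code: a small Python model of an event mask that applies the rules to a constructed alias table (the on-disk format of /etc/sec/event_aliases is not reproduced, and the "true representation" test is assumed to mean that every event of the alias is still selected).

```python
# Added example (not dxaudit's own code): a model of the alias/base-event
# interaction rules, applied to a constructed alias table.
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """Which occurrences of an event are audited."""
    success: bool
    failure: bool


# Constructed alias table: alias name -> {base event: default Outcome}.
# Not the real /etc/sec/event_aliases format.
ALIASES = {
    "file_access": {"open": Outcome(True, True), "close": Outcome(True, False)},
    "auth": {"login": Outcome(True, True), "su": Outcome(False, True)},
}


class EventMask:
    def __init__(self, aliases):
        self.aliases = aliases
        self.events = {}              # selected base events -> Outcome
        self.selected_aliases = set()

    def select_alias(self, name):
        # Rule 1: selecting an alias selects every event in it, and each
        # event's Success/Failure setting defaults to the alias file's value.
        self.selected_aliases.add(name)
        for event, outcome in self.aliases[name].items():
            self.events[event] = outcome

    def set_alias_outcome(self, name, outcome):
        # Rule 2: changing Success/Failure on an alias applies the same
        # setting to all events in that alias.
        for event in self.aliases[name]:
            self.events[event] = outcome

    def unselect_event(self, event):
        # Rule 3: unselecting a base/site event unselects any selected alias
        # that the mask no longer truly represents. "Truly represents" is
        # taken here to mean every event of the alias is still selected
        # (an assumption; the manual does not define the test further).
        self.events.pop(event, None)
        self.selected_aliases = {
            alias for alias in self.selected_aliases if self._alias_holds(alias)
        }

    def _alias_holds(self, name):
        return all(event in self.events for event in self.aliases[name])

    def selected_events(self):
        return sorted(self.events)


if __name__ == "__main__":
    mask = EventMask(ALIASES)
    mask.select_alias("file_access")
    mask.set_alias_outcome("file_access", Outcome(False, True))
    mask.unselect_event("close")
    print(mask.selected_events(), mask.selected_aliases)
```

The point to notice is rule 3: removing a single base event silently drops the alias from the mask while the remaining events stay selected, so a mask restored from a saved file should be reviewed at the base-event level rather than by alias name alone.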
By default, dxaudit presents the list of security relevant events as presented in /etc/sec/audit_events on system installation. The administrator can configure dxaudit to use the entire list of audit events by using the auditUseSecEvents X resource. See the X RESOURCES section below for details. If during execution dxaudit encounters an unrecognized event from querying some event mask, the user will be asked whether dxaudit should use full event mode or security relevant event mode.
The Current System Mask is the system-wide event mask and style settings currently in effect. A system event mask can contain all event types except subevents of site events. This screen allows the administrator to query and change the current system mask and auditing styles (see the auditmask(8) reference page). dxaudit also provides a screen, via Edit->Object Selection/Deselection, to select or deselect audit records regarding file activity before they are stored in the audit trail.
This screen allows the administrator to create, modify, or delete selection files. Selection files contain parameters which indicate how audit records will be selected from the raw audit trail during report generation. The selection parameters include things like time interval, audit events, and user id. Any audit record matching the selection criteria will be displayed. All types of audit events can be used in a selection file.

This screen allows the administrator to create, modify, or delete deselection files. A deselection file consists of tuples. A tuple is comprised of a host, audit ID, real UID, event, file pathname, and access mode. A deselection file can be used to further reduce audit records when generating reports. It can be used in combination with a selection file. Any audit record matching the deselection criteria will be filtered out from the report stream.

This screen allows the administrator to view an audit report. A selection file, a deselection file, and an audit log can be selected to generate a report. Output options include generating a report to a file, to a series of files sorted by audit ID, to a window on the screen, or, if audit is currently enabled, to follow the current activity. Report records can be in brief format or long format. If in brief format, the administrator can double click on the record and get a pop-up of the long format.
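To make the interaction of the selection and deselection screens with the report screen concrete, here is an added example (not dxaudit or audit_tool code) that applies a selection file's parameters (time interval, events with Success/Failure flags, user ids) and a deselection file's tuples (host, audit ID, real UID, event, file pathname, access mode) to a handful of constructed audit records. The record layout, the "*" wildcard in deselection tuples, and all sample data are assumptions made for the example.

```python
# Added example (not dxaudit or audit_tool code): selection and then
# deselection of audit records during report generation.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AuditRecord:
    """Constructed record layout; the real audit trail format is not modelled."""
    time: datetime
    host: str
    audit_id: int
    ruid: int
    event: str
    path: Optional[str]
    mode: Optional[str]
    success: bool


@dataclass
class Selection:
    """Selection-file parameters: time interval, events, user ids."""
    start: datetime
    end: datetime
    events: Dict[str, Tuple[bool, bool]]   # event -> (select successes, select failures)
    uids: Optional[Set[int]] = None        # None means any real UID


def selected(rec: AuditRecord, sel: Selection) -> bool:
    if not (sel.start <= rec.time <= sel.end):
        return False
    flags = sel.events.get(rec.event)
    if flags is None:
        return False
    want_success, want_failure = flags
    if rec.success and not want_success:
        return False
    if not rec.success and not want_failure:
        return False
    return sel.uids is None or rec.ruid in sel.uids


# Deselection tuple: (host, audit ID, real UID, event, file pathname, access mode).
# "*" matching any value is an assumed convention for this example.
DeselectTuple = Tuple[str, str, str, str, str, str]


def _field_matches(pattern: str, value) -> bool:
    return pattern == "*" or pattern == str(value)


def deselected(rec: AuditRecord, tuples: List[DeselectTuple]) -> bool:
    fields = (rec.host, rec.audit_id, rec.ruid, rec.event, rec.path, rec.mode)
    return any(all(_field_matches(p, v) for p, v in zip(t, fields)) for t in tuples)


def generate_report(records, sel, desel):
    # Records must match the selection file and not match any deselection tuple.
    return [r for r in records if selected(r, sel) and not deselected(r, desel)]


def at(hour: int, minute: int) -> datetime:
    return datetime(1999, 3, 1, hour, minute)


# Constructed sample records.
RECORDS = [
    AuditRecord(at(9, 0), "hostA", 100, 100, "open", "/etc/passwd", "r", True),
    AuditRecord(at(9, 5), "hostA", 100, 100, "open", "/var/adm/syslog", "r", True),
    AuditRecord(at(9, 10), "hostA", 200, 0, "login", None, None, False),
    AuditRecord(at(9, 15), "hostA", 200, 0, "open", "/etc/shadow", "w", False),
    AuditRecord(at(12, 0), "hostA", 100, 100, "open", "/etc/passwd", "r", True),
    AuditRecord(at(9, 20), "hostA", 300, 300, "close", "/tmp/x", None, True),
]
SELECTION = Selection(
    start=at(8, 0), end=at(10, 0),
    events={"open": (True, True), "login": (False, True), "close": (False, True)},
)
# Constructed deselection file: drop successful reads of the syslog file on hostA.
DESELECTION = [("hostA", "*", "*", "open", "/var/adm/syslog", "*")]

if __name__ == "__main__":
    for r in generate_report(RECORDS, SELECTION, DESELECTION):
        print(r.time.time(), r.audit_id, r.event, r.path, "ok" if r.success else "FAIL")
```

Deselection only narrows what reaches the report stream; the records stay in the raw audit trail and reappear if the report is regenerated without the deselection file. Because a broad tuple (many "*" fields) can hide a great deal, the deselection files in use deserve the same review as the event mask itself.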
X RESOURCES
auditUseSecEvents
This resource changes the list of events loaded into all list boxes with the Base/Site Events heading. Setting the value to True will use only security relevant audit events (the set found in /etc/sec/audit_events). Setting the value to False will make dxaudit use all events on the system. This includes all system calls, non-system events, etc. It will slightly impact performance on screen mapping of those screens containing the event list boxes. It is recommended that security relevant events be used. The default value of this resource is True.
This resource changes the display of the Active Process List from the Modify Active Process Mask screen. Refer to the ps(1) reference page for additional information.
This resource changes the sorted order of the ps(1) output in the Modify Active Process Mask screen. Valid options are:
   for ps(1) native order
   for alphabetic ordering by user name. This is the default value.
This resource tells dxaudit how many 256K chunks of memory it can allocate when receiving audit report data from audit_tool. When the length of the report exceeds this amount of memory, the oldest 256K chunk of data is discarded as long as the user is not viewing it at the moment. This discarded chunk cannot be accessed again unless the report is regenerated. The default setting for this resource is 20.
FILES
System-wide X Resource file.
/etc/sec/audit_events
Security relevant audit events.
/etc/sec/site_events
Site specific audit events.
/etc/sec/event_aliases
Audit event alias specification file.
Directory containing the audit selection files.
Directory containing the audit deselection files.

SEE ALSO
auditd(8), auditmask(8), audit_tool(8), audit_setup(8)