HPlogo HP-UX Reference > A

audsys(1M)

HP-UX 11i Version 2: December 2007 Update
» 

Technical documentation

 » Table of Contents

 » Index

spacerspacerspacer
spacer
spacer
  		 
 

NAME

audsys — start or halt the auditing system and set or display audit file information

SYNOPSIS

audsys [-nf] [-c file -s cafs] [-x file -z xafs]

DESCRIPTION

audsys allows the user to start or halt the auditing system, to specify the auditing system "current" and "next" audit files (and their switch sizes), or to display auditing system status information. This command is restricted to super-users.

The "current" audit file is the file to which the auditing system writes audit records. When the "current" file grows to either its Audit File Switch (AFS) size or its File Space Switch (FSS) size (see audomon(1M)), the auditing system switches to write to the "next" audit file. The auditing system switches audit files by setting the "current" file designation to the "next" file and setting the new "next" file to NULL. The "current" and "next" files can reside on different file systems.

When invoked without arguments, audsys displays the status of the auditing system. This status includes information describing whether auditing is on or off, the names of the "current" and "next" audit files, and a table listing their switch sizes and the sizes of file systems on which they are located, as well as the space available expressed as a percentage of the switch sizes and file system sizes.

Options

audsys recognizes the following options:

-n

Turn on the auditing system. The system uses existing "current" and "next" audit files unless others are specified with the -c and -x options. If no "current" audit file exists (such as when the auditing system is first installed), specify it by using the -c option.

-f

Turn off the auditing system. The -f and -n options are mutually exclusive. Other options specified with -f are ignored.

-c file

Specify a "current" file. Any existing "current" file is replaced with the file specified; the auditing system immediately switches to write to the new "current" file. The specified file must be empty or nonexistent, unless it is the "current" or "next" file already in use by the auditing system.

-s cafs

Specify cafs, the "current" audit file switch size (in kbytes).

-x file

Specify the "next" audit file. Any existing "next" file is replaced with the file specified. The specified file must be empty or nonexistent, unless it is the "current" or "next" file already in use by the auditing system.

-z xafs

Specify xafs, the "next" audit file switch size (in kbytes).

If -c but not -x is specified, only the "current" audit file is changed; the existing "next" audit file remains. If -x but not -c is specified, only the "next" audit file is changed; the existing "current" audit file remains.

The -c option can be used to manually switch from the "current" to the "next" file by specifying the "next" file as the new "current" file. In this instance, the file specified becomes the new "current" file and the "next" file is set to NULL.

In instances where no next file is desired, the -x option can be used to set the "next" file to NULL by specifying the existing "current" file as the new "next" file.

The user should take care to select audit files that reside on file systems large enough to accommodate the Audit File Switch (AFS) desired. audsys returns a non-zero status and no action is performed, if any of the following situations would occur:

  • The Audit File Switch size (AFS) specified for either audit file exceeds the space available on the file system where the file resides.

  • The AFS size specified for either audit file is less than the file's current size.

  • Either audit file resides on a file system with no remaining user space (exceeds minfree, see tunefs(1M)).

WARNINGS

All modifications made to the audit system are lost upon reboot. To make the changes permanent, set AUDITING, PRI_AUDFILE, PRI_SWITCH, SEC_AUDFILE, and SEC_SWITCH in /etc/rc.config.d/auditing.

A user process will be blocked in the kernel if all of the following events occurs:

  • the file system containing current audit file is full,

  • there is no next audit file or the next audit file is removed, and

  • the user process makes an auditable system call or generates an auditable event.

To recover from the resulting deadlock, the session leader of the console is killed so that the the administrator can login. Hence sensitive applications should not be run as session leaders on the console.

AUTHOR

audsys was developed by HP.

FILES

/.secure/etc/audnames

File maintained by audsys containing the "current" and "next" audit file names and their switch sizes.

SEE ALSO

audit(5), audomon(1M), audctl(2), audwrite(2), audit(4), setsid(2).



audomon
  		 


audusr