|
|
HP-UX Reference > Aaudsys(1M)HP-UX 11i Version 2: December 2007 Update |
|
NAMEaudsys — start or halt the auditing system and set or display audit file information DESCRIPTIONaudsys allows the user to start or halt the auditing system, to specify the auditing system "current" and "next" audit files (and their switch sizes), or to display auditing system status information. This command is restricted to super-users. The "current" audit file is the file to which the auditing system writes audit records. When the "current" file grows to either its Audit File Switch (AFS) size or its File Space Switch (FSS) size (see audomon(1M)), the auditing system switches to write to the "next" audit file. The auditing system switches audit files by setting the "current" file designation to the "next" file and setting the new "next" file to NULL. The "current" and "next" files can reside on different file systems. When invoked without arguments, audsys displays the status of the auditing system. This status includes information describing whether auditing is on or off, the names of the "current" and "next" audit files, and a table listing their switch sizes and the sizes of file systems on which they are located, as well as the space available expressed as a percentage of the switch sizes and file system sizes. Optionsaudsys recognizes the following options:
If -c but not -x is specified, only the "current" audit file is changed; the existing "next" audit file remains. If -x but not -c is specified, only the "next" audit file is changed; the existing "current" audit file remains. The -c option can be used to manually switch from the "current" to the "next" file by specifying the "next" file as the new "current" file. In this instance, the file specified becomes the new "current" file and the "next" file is set to NULL. In instances where no next file is desired, the -x option can be used to set the "next" file to NULL by specifying the existing "current" file as the new "next" file. The user should take care to select audit files that reside on file systems large enough to accommodate the Audit File Switch (AFS) desired. audsys returns a non-zero status and no action is performed, if any of the following situations would occur:
WARNINGSAll modifications made to the audit system are lost upon reboot. To make the changes permanent, set AUDITING, PRI_AUDFILE, PRI_SWITCH, SEC_AUDFILE, and SEC_SWITCH in /etc/rc.config.d/auditing. A user process will be blocked in the kernel if all of the following events occurs:
To recover from the resulting deadlock, the session leader of the console is killed so that the the administrator can login. Hence sensitive applications should not be run as session leaders on the console. |
|