audsys(1M)

HP-UX 11i Version 3: February 2007

NAME

audsys — start/halt the auditing system; set/display auditing system status information

SYNOPSIS

audsys [-n|-f] [-N num] [-c file|directory -s cafs] [-x file|directory -z xafs]

DESCRIPTION

audsys allows the user to do the following operations: start or halt the auditing system; specify the auditing system "current" and "next" audit trails and their switch sizes; display auditing system status information; and, for regular mode, specify the number of active files that comprise an audit trail.

If the number of files specified is greater than or equal to one (regular mode), the audit trail will be present on the file system as a directory with multiple files in it.

If the number specified is zero (compatibility mode), the audit trail will be contained in a single file. Compatibility mode is solely supported for backward compatibility and will be obsoleted in any future releases after HP-UX 11i Version 3.

This command is restricted to privileged users.

The "current" audit trail is the file or directory to which the auditing system writes audit records. When the "current" trail grows to either its AuditFileSwitch (AFS) size or its FileSpaceSwitch (FSS) size (see audomon(1M)), the auditing system switches to write to the "next" audit trail.

The auditing system switches audit trails by setting the "current" trail designation to the "next" trail and setting the new "next" trail to NULL. If the "next" trail is not specified, the auditing system will create a new trail with the same base name but a different timestamp extension and begin recording to it.

The auditing system can also run an external command after a successful audit trail switch. See audomon(1M) for details.

On a single system, the "current" and "next" trails can reside anywhere on the same or different file systems. /var/.audit is the default location for audit trails.

When invoked without arguments, audsys displays the status of the auditing system. This status includes information describing whether auditing is on or off, the names of the "current" and "next" audit trails, and a table listing their switch sizes and the sizes of the file systems on which they are located, as well as the space available expressed as a percentage of the switch sizes and file system sizes.

Options

audsys recognizes the following options:

-c file|directory

Specify a "current" trail. The existing "current" trail, if any, will be replaced by the trail specified, and the auditing system will immediately switch to the new "current" trail.

If the number of audit files specified is greater than or equal to 1 (regular mode), a directory will be created with the "current" trail name and the audit trail files will be stored in this directory. The specified file or directory must be empty or nonexistent unless it is the "current" or "next" trail already in use by the auditing system.

-f

Turn off the auditing system. The -f and -n options are mutually exclusive. Other options specified with -f are ignored.

-n

Turn on the auditing system. The system uses existing "current" and "next" audit trails unless others are specified with the -c and -x options. If no "current" audit trail exists (for example, when the auditing system is first installed), it can be specified with the -c option.

-N num

Specify the number of active files that comprise an audit trail. The auditing system will use one or more writer threads to log data into these files. Each writer thread will write to one file. If the number is not specified, the previous setting will be used. If there is no previous setting, num will be set to 1.

If num is greater than or equal to 1 (regular mode), then the audit trail files spu[0..num-1] will be created in the directory specified with the -c option. If num is 0 (compatibility mode), then the audit trail will be a file with the name specified by the -c option.

Use this option along with the -n option to turn on auditing, or use this option by itself to change the number of active files when the auditing system is running in regular mode. The recommended value for num is approximately the number of processors on the system divided by two.

-s cafs

Specify cafs, the "current" trail's AuditFileSwitch (AFS) size (in kbytes).

-x file|directory

Specify the "next" audit trail. Any existing "next" trail is replaced by the trail specified. The specified trail must be empty or nonexistent unless it is the "current" or "next" trail already in use by the auditing system.

This option is supported solely for backward compatibility and will be obsoleted in any future releases after HP-UX 11i Version 3.

Without specifying the "next" audit trail, the auditing system will take the "current" audit trail's base name with a different timestamp extension as the "next" audit trail. The name of the "next" audit trail will be determined at the next switch point. See audomon(1M) for more details.

-z xafs

Specify xafs, the "next" trail's AuditFileSwitch (AFS) size (in kbytes).

If -c is specified without -x, only the "current" audit file is changed; the existing "next" audit file remains.

If -x is specified without -c, only the "next" audit trail is changed; the existing "current" audit trail remains.

The -c option can be used to manually switch from the "current" to the "next" trail by specifying the "next" trail as the new "current" trail. In this case, the trail specified becomes the new "current" trail and the "next" trail is set to NULL.

In instances where no "next" trail is desired, the -x option can be used to set the "next" trail to NULL by specifying the existing "current" trail as the new "next" trail. In this case, the auditing system will create a new trail with the "current" trail's base name but a different timestamp extension as the "next" trail.

The user must be careful to select audit trails that reside on file systems large enough to accommodate the AuditFileSwitch (AFS) desired.

audsys returns a non-zero status and no action is performed if any of the following situations occur:

  • The AuditFileSwitch (AFS) size specified for either audit trail exceeds the space available on the file system where the trail resides.

  • The AFS size specified for either audit trail is less than the trail's current size.

  • The audit trail resides on a file system with no remaining user space (exceeds minfree; see the -m option in tunefs(1M)).
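
The three rejection conditions above can be checked before audsys is invoked. The following sh functions are an added example, not part of the HP manual page; check_afs and preflight are hypothetical names, and the example assumes that "space available" corresponds to the Available column of df -Pk.

```shell
#!/bin/sh
# Added example (not from the HP manual page). check_afs and preflight are
# hypothetical helper names. All sizes are in kbytes, as for audsys -s / -z.

# check_afs AFS_KB TRAIL_KB AVAIL_KB
# Applies the three documented conditions under which audsys returns a
# non-zero status; prints a verdict and returns 0 only when none applies.
check_afs() {
    for v in "$1" "$2" "$3"; do
        case $v in
            ''|*[!0-9]*) echo "invalid: sizes must be whole kbytes"; return 2 ;;
        esac
    done
    afs=$1 trail_kb=$2 avail_kb=$3
    if [ "$avail_kb" -eq 0 ]; then
        echo "reject: file system has no remaining user space"; return 1
    fi
    if [ "$afs" -lt "$trail_kb" ]; then
        echo "reject: AFS is less than the trail's current size"; return 1
    fi
    if [ "$afs" -gt "$avail_kb" ]; then
        echo "reject: AFS exceeds space available on the file system"; return 1
    fi
    echo "ok"
}

# preflight TRAIL AFS_KB
# Gathers the inputs for check_afs from the live system.
# Assumption: "space available" is the Available column of df -Pk.
preflight() {
    path=$1 want=$2
    dir=$path
    # The trail may not exist yet; measure the nearest existing ancestor.
    while [ ! -e "$dir" ]; do dir=$(dirname "$dir"); done
    avail=$(df -Pk "$dir" | awk 'NR == 2 { print $4 }')
    used=0
    if [ -e "$path" ]; then used=$(du -sk "$path" | awk '{ print $1 }'); fi
    check_afs "$want" "$used" "$avail"
}

# Usage before e.g. "audsys -n -N 2 -c /var/.audit/my_trail -s 1000":
#   preflight /var/.audit/my_trail 1000
if [ "$#" -eq 2 ]; then preflight "$@"; fi
```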

EXAMPLES

Example 1:

Turn on the auditing system and start recording data to /var/.audit/my_trail using 2 writer threads. Also set the AuditFileSwitch (AFS) size to 1000 kbytes.

# audsys -n -N 2 -c /var/.audit/my_trail -s 1000

With the AuditFileSwitch (AFS) size set to 1000 kbytes, the auditing system (see also audomon(1M)) monitors the growth of /var/.audit/my_trail. When its size has reached approximately 1000 kbytes, the auditing system will try to switch recording data to:

/var/.audit/my_trail.yyyymmddHHMM

where yyyymmddHHMM is replaced by the time at which the switch happened.

Example 2:

Turn off the auditing system.

# audsys -f

This causes any buffered data to be written out to the current audit trail, after which the auditing system stops recording data.

Example 3:

Turn on the auditing system in compatibility mode.

# audsys -n -N 0 -c /var/.audit/my_trail -s 1000

This is the same as Example 1 except that /var/.audit/my_trail will be present on the file system as a regular file instead of a directory.

WARNINGS

Compatibility mode and the -x option are solely supported for backward compatibility and will be obsoleted in any future releases after HP-UX 11i Version 3.

All modifications made to the audit system are lost upon reboot. To make the changes permanent, set AUDITING, PRI_AUDFILE, PRI_SWITCH, SEC_AUDFILE, SEC_SWITCH, and NTRHEADS in /etc/rc.config.d/auditing.

A user process will be blocked in the kernel if all of the following events occur:

  • The file system containing the current audit trail is full.

  • If the "next" audit trail is specified, the file system containing this audit trail is full.

  • The user process makes an auditable system call or generates an auditable event.

A user process will also be blocked in the kernel if both of these events occur:

  • The pre-allocated kernel audit data buffer is full.

  • The user process makes an auditable system call or generates an auditable event.

In order to recover from the resulting deadlock, it will be necessary to kill the session leader of the console so that the administrator can log in. For this reason, sensitive applications must not be run as session leaders on the console.

AUTHOR

audsys was developed by HP.

© 1983-2007 Hewlett-Packard Development Company, L.P.