audit - system audit trail startup and shutdown script
/etc/init.d/audit [ start | stop ]
The audit shell script is called during system startup from /etc/rc2 to
start the system audit trail daemon, satd(1M), and enable auditing of
predefined audit events (using sat_select(1M)). The script is called
during system shutdown from /etc/rc0 to kill the daemon gracefully and
Note that, as installed, auditing is off by default and must be enabled
as described in configuration flags, below. In addition, once auditing
has been enabled via chkconfig(1M), the system should be rebooted to
enable auditing from system startup. At a minimum, /etc/init.d/audit
start must be executed by root before any auditing actually takes place.
When called with the start argument, the audit script does the following
(provided that auditing has been enabled):
o Looks for any "emergency files" (see satd(1M)) and issues a warning if
it finds any.
o Ensures that satd and sat_select are executable.
o Starts the audit daemon, satd.
o Enables auditing of predefined audit events.
When called with the stop argument, the audit script gracefully
terminates the sat daemon and disables auditing of all events.
The audit subsystem is enabled if its configuration flag in the
/etc/config directory is in the on state. The configuration flag file
for auditing is /etc/config/audit. If a flag file is missing, the flag
is considered off. Use the chkconfig(1M) command to turn a flag on or
off. For example,
chkconfig audit on
enables auditing. When invoked without arguments, chkconfig prints the
state of all known flags.
There is a special flag, verbose. The verbose flag controls the printing
of the names of daemons as they are started.
Site-dependent options for satd and sat_select belong in options files in
/etc/config. The option file for satd is satd.options. The options file
for sat_select events is sat_select.options. The options files for
selecting subject user, group or label events are
sat_select.subject.user, sat_select.subject.group and
sat_select.subject.mac. The options files for selecting object user,
group or label events are sat_select.object.user,
sat_select.object.group and sat_select.object.mac. These files contain
options that their respective commands will be run with to override the
To add filters to the satd command line invoked by the audit shell
script, place the filter command lines into /etc/config in files with
names that begin with satd.filter. If any of these files are found, the
output of satd is piped to them in the order that they are found using
ls. For more information, see audit_files(5). See the document IRIX
Admin: Backup, Security, and Accounting and satd(1M) for details on valid
Note that if audit filters are used, it may be necessary for the audit
script to pause for several seconds to allow satd to completely
initialize the audit system before any events can be enabled. The
default delay in this case is 2 seconds. To override this delay, for
example in the case where a particular audit filter takes some additional
time to start up, place the delay time (in seconds) in the file
/etc/rc0.d/K40audit linked to /etc/init.d/audit
/etc/rc2.d/S30audit linked to /etc/init.d/audit
/etc/config configuration flags and options files
rc0(1M), rc2(1M), sat_echo(1M), sat_interpret(1M), sat_reduce(1M),
sat_select(1M), sat_summarize(1M), satconfig(1M), satd(1M),
IRIX Admin: Backup, Security, and Accounting.
PPPPaaaaggggeeee 2222 [ Back ]