Tru64 Unix man pages: dxaudit (8X)

NAME

       dxaudit - Motif Interface for the Audit Subsystem

SYNOPSIS


DESCRIPTION

       The dxaudit application is a Motif graphical user interface
       which can be used to administer the audit subsystem.  Three
       major areas comprise the audit subsystem: Control, Collection,
       and Reporting.  Currently, dxaudit supports Collection and
       Reporting only.  See the auditd(8) reference page for details
       on administering the Control function.

       In order to invoke dxaudit, you must be the root user.

   Audit Event Overview
       Audit events are of the following types:

       System calls
              All entry points into the UNIX kernel, including
              habitat events, which are denoted by <habitat
              name>/<system call>, for example `SystemV/open'.

       Trusted events
              Application-defined events which represent higher
              level activity.  For example, login is a trusted
              event.  Auditing a user login at the system call
              level would produce many audit events, whereas
              auditing the login event captures essentially the
              same information in a very concise way.

       Site events
              A mechanism for a site to extend the audit
              subsystem's list of audit events.  Site events can
              be defined in /etc/sec/site_events.  A site event
              can contain subevents, which are finer-grained audit
              events within a site event.

       In addition to these events, the administrator can also
       combine any of the above events into an event alias.  An
       alias can also reference other aliases.  Aliases are stored
       in /etc/sec/event_aliases.

       For each event, the administrator can specify whether
       successful occurrences, failed occurrences, or both are
       audited or used in a selection against a particular audit

       dxaudit presents audit events in specialized Motif widgets
       that are designed to manage audit events.  Alias events are
       presented in one list; system calls, trusted events, and site
       events are presented in a list called Base/Site Events.  Once
       an event is selected, the auditing of Successful or Failed
       occurrences can be set.  The lists can be managed in a global
       fashion such that by clicking one button the entire list is
       changed, either by selecting or unselecting the list of events
       or by switching the settings of the Success or Failure toggle
       buttons.  In addition, dxaudit provides interaction between
       aliases and base/site events according to the following
       rules:

       +  When an alias is selected, all of the events in that alias
          are also selected.  By default, the per-event
          Success/Failure setting is the one contained in the alias
          file.

       +  Whenever the Success/Failure setting is changed on an
          alias, all Success/Failure settings for the events in that
          alias change to the same setting.

       +  When a Base/Site event is unselected such that a selected
          alias is no longer a true representation, the alias is
          unselected.
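The three alias rules above, modelled as an added example (not code from dxaudit or the Tru64 sources). The alias definitions, the nested-alias expansion and all event and setting names are constructed assumptions, since the page does not show the /etc/sec/event_aliases format:

```python
# Constructed sample alias definitions (the real /etc/sec/event_aliases syntax
# is not shown on the page).  A member is a base/site event with its
# Success/Failure setting, or the name of another alias (value None).
ALIASES = {
    "file_ops": {"open": "both", "creat": "failure", "SystemV/open": "both"},
    "net_ops": {"socket": "success", "connect": "both"},
    "all_ops": {"file_ops": None, "net_ops": None, "login": "both"},
}

def expand(alias, seen=None):
    """Flatten an alias, following nested aliases, into {event: setting}."""
    seen = set() if seen is None else seen
    if alias in seen:  # an alias cycle would otherwise recurse forever
        return {}
    seen.add(alias)
    events = {}
    for member, setting in ALIASES[alias].items():
        if member in ALIASES:
            events.update(expand(member, seen))
        else:
            events[member] = setting
    return events

class EventMask:
    def __init__(self):
        self.events = {}      # selected Base/Site events -> success/failure/both
        self.aliases = set()  # selected alias names

    def select_alias(self, alias):
        # Rule 1: selecting an alias selects every event in it, using the
        # per-event Success/Failure setting from the alias file.
        self.aliases.add(alias)
        self.events.update(expand(alias))

    def set_alias_setting(self, alias, setting):
        # Rule 2: changing Success/Failure on an alias changes all of its events.
        for event in expand(alias):
            self.events[event] = setting

    def unselect_event(self, event):
        # Rule 3: unselecting a Base/Site event unselects every alias that
        # no longer truly represents its members.
        self.events.pop(event, None)
        self.aliases = {a for a in self.aliases
                        if set(expand(a)) <= set(self.events)}

def demo():
    mask = EventMask()
    mask.select_alias("all_ops")                  # selects six base events
    mask.set_alias_setting("net_ops", "failure")  # socket and connect -> failure
    mask.unselect_event("creat")                  # all_ops no longer holds
    return mask
```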

       dxaudit also allows the saving and restoring of event masks
       in files so that frequently used event masks can be easily
       recalled.

       By default, dxaudit presents the list of security relevant
       events as presented in /etc/sec/audit_events on system
       installation.  The administrator can configure dxaudit to use
       the entire list of audit events by using the auditUseSecEvents
       X resource.  See the X RESOURCES section below for details.
       If, during execution, dxaudit encounters an unrecognized event
       from querying some event mask, the user will be asked if
       dxaudit should use full event mode or security relevant event
       mode.

   Collection Functions
       The Current System Mask is the system-wide event mask and
       style settings currently in effect.  A system event mask can
       contain all event types except sub-events of site events.
       This screen allows the administrator to query and change the
       current system mask and auditing styles (see the auditmask(8)
       reference page).  dxaudit also provides a screen via
       Edit->Object Selection/Deselection to access the capability
       to select or deselect audit records regarding file activity
       before they are stored in the audit

       The Default System Mask is the value of the AUDITMASK_FLAG
       variable as stored in the /etc/rc.config file.  This is
       essentially the default value of the system mask each time
       the system is booted.  The event mask and audit styles can be
       queried and saved from this screen.  If dxaudit detects that
       an event mask is exactly represented by a loaded/saved file
       on the system, it will ask the administrator whether the
       default system mask should reference the file name in the
       AUDITMASK_FLAG variable or supply the contents of the file in
       the AUDITMASK_FLAG variable.  The former method provides a
       level of indirection so that the administrator can maintain
       the default mask by editing a file.

       The Modify Active Process Mask screen presents a list of the
       current active processes on the system.  The administrator
       can choose a process or a group of processes running as the
       same login user (same AUID), query its current event mask and
       audit control flags, and change them as necessary.  For
       active processes, the event mask cannot contain habitat
       events or site events; however, a global option to audit
       habitat events can be set.  Also, system call event auditing
       can be globally turned off.

   Reporting Functions
       The selection file screen allows the administrator to create,
       modify, or delete selection files.  Selection files contain
       parameters which indicate how audit records will be selected
       from the raw audit trail during report generation.  The
       selection parameters include things like time interval, audit
       events, and user ID.  Any audit record matching the selection
       criteria will be displayed.  All types of audit events can be
       used in a selection file.

       The deselection file screen allows the administrator to
       create, modify, or delete deselection files.  A deselection
       file consists of tuples.  Each tuple is comprised of a host,
       audit ID, real UID, event, file pathname, and access mode.  A
       deselection file can be used to further reduce audit records
       when generating reports, and it can be used in combination
       with a selection file.  Any audit record matching the
       deselection criteria will be filtered out of the report
       stream.

       The audit report screen allows the administrator to view an
       audit report.  A selection file, a deselection file, and an
       audit log can be selected to generate a report.  Output
       options include generating a report to a file, to a series of
       files sorted by audit ID, to a window on the screen, or, if
       audit is currently enabled, following the current activity.
       Report records can be in brief format or long format.  If in
       brief format, the administrator can double-click on a record
       to get a pop-up of the long format.
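As an added example (not from the dxaudit or audit_tool sources), the selection-then-deselection filtering described above, applied to constructed audit records. The record field names, the whitespace-separated tuple syntax and the `*` wildcard are assumptions, since the page only lists the six tuple fields and does not show the file format:

```python
# Constructed sample audit records (field names are assumed; the page only
# says a deselection tuple holds host, audit ID, real UID, event, file
# pathname and access mode).
RECORDS = [
    {"host": "web1", "auid": 1001, "ruid": 1001, "event": "open",
     "path": "/var/log/syslog", "mode": "r"},
    {"host": "web1", "auid": 1001, "ruid": 0, "event": "open",
     "path": "/etc/shadow", "mode": "r"},
    {"host": "web1", "auid": 1002, "ruid": 1002, "event": "open",
     "path": "/var/log/syslog", "mode": "r"},
    {"host": "db1", "auid": 1001, "ruid": 1001, "event": "login",
     "path": "-", "mode": "-"},
]
FIELDS = ("host", "auid", "ruid", "event", "path", "mode")
WILDCARD = "*"  # assumed: "*" in a tuple field matches any value

def parse_deselection(text):
    """Parse one whitespace-separated tuple per line (constructed format)."""
    tuples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"tuple needs {len(FIELDS)} fields: {line!r}")
        tuples.append(dict(zip(FIELDS, parts)))
    return tuples

def matches(record, tup):
    """A tuple matches only when every field agrees exactly (or is wildcard)."""
    return all(tup[f] == WILDCARD or str(record[f]) == tup[f] for f in FIELDS)

def filter_report(records, selection, deselection):
    """Keep records passing the selection predicate, then drop deselected ones."""
    return [r for r in records
            if selection(r) and not any(matches(r, t) for t in deselection)]

# Constructed deselection file: suppress one user's reads of the syslog from
# their own session on web1.  Because the real UID is part of the tuple, the
# same AUID reading a different file with RUID 0 is still reported.
DESELECT = """
# host auid ruid event path mode
web1 1001 1001 open /var/log/syslog r
"""

def demo():
    return filter_report(RECORDS, lambda r: r["event"] == "open",
                         parse_deselection(DESELECT))
```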

X RESOURCES

       The auditUseSecEvents resource changes the list of events
       loaded into all list boxes with the Base/Site Events heading.
       Setting the value to True uses only security relevant audit
       events (the set found in /etc/sec/audit_events).  Setting the
       value to False makes dxaudit use all events on the system,
       including all system calls, non-system events, etc.  This
       slightly impacts performance when mapping those screens that
       contain the event list boxes.  It is recommended that
       security relevant events be used.  The default value of this
       resource is True.

       Another resource changes the display of the Active Process
       List in the Modify Active Process Mask screen.  Refer to the
       ps(1) reference page for additional information.

       Another resource changes the sorted order of the ps(1) output
       in the Modify Active Process Mask screen.  Valid options
       select either ps(1) native order or alphabetic ordering by
       user name; the latter is the default.

       Another resource tells dxaudit how many 256K chunks of memory
       it can allocate when receiving audit report data from
       audit_tool.  When the length of the report exceeds this
       amount of memory, the oldest 256K chunk of data is discarded
       as long as the user is not viewing it at the moment.  A
       discarded chunk cannot be accessed again unless the report is
       regenerated.  The default setting for this resource is 20.

FILES

       System-wide X resource file.

       /etc/sec/audit_events
              Security relevant audit events.

       /etc/sec/site_events
              Site specific audit events.

       /etc/sec/event_aliases
              Audit event alias specification file.

       Directory containing the audit selection files.

       Directory containing the audit deselection files.

SEE ALSO

       auditd(8), auditmask(8), audit_tool(8), audit_setup(8)
