dxaudit - Motif Interface for the Audit Subsystem
/usr/tcb/bin/dxaudit
The dxaudit application is a Motif graphical user interface
which can be used to administer the audit subsystem.
Three major areas comprise the audit subsystem: Control,
Collection, and Reporting. Currently, dxaudit supports
Collection and Reporting only. See the auditd(8) reference
page for details on administering the Control function.
In order to invoke dxaudit, you must be the root user.
Audit Event Overview
Audit events fall into the following types:

System calls include all entry points into the UNIX kernel, including habitat events, which are denoted by <habitat name>/<system call>, for example `SystemV/open'.

Trusted events are application-defined events that represent higher level activity. For example, login is a trusted event. Auditing a user login at the system call level would produce many audit events, whereas auditing the login event captures essentially the same information in a very concise way.

Site events provide a mechanism for a site to extend the audit subsystem's list of audit events. Site events can be defined in /etc/sec/site_events. A site event can contain subevents, which are finer-grained audit events within a site event.
In addition to these events, the administrator can also
combine any of the above events into an event alias. An
alias can also reference other aliases. Aliases are
stored in /etc/sec/event_aliases.
For each event, the administrator can specify whether successful
occurrences, failed occurrences or both are
audited or used in a selection against a particular audit
log.
dxaudit presents audit events in specialized Motif widgets designed to manage them. Alias events are presented in one list; system calls, trusted events, and site events are presented in a list called Base/Site Events. Once an event is selected, the auditing of Successful or Failed occurrences can be set. The lists can be managed globally, so that clicking one button changes the entire list, either by selecting or unselecting all of the events or by switching the settings of the Success or Failure toggle buttons. In addition, dxaudit provides interaction between aliases and base/site events according to the following rules:

- When an alias is selected, all of the events in that alias are also selected. By default, the per-event Success/Failure setting is the one contained in the alias file.
- Whenever the Success/Failure setting is changed on an alias, all Success/Failure settings for the events in that alias change to the same setting.
- When a Base/Site event is unselected such that a selected alias is no longer a true representation, the alias is unselected.
dxaudit also allows the saving and restoring of event
masks in files so that frequently used event masks can be
easily recalled.
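The alias and base/site event rules above, as an added example that models them in Python; this is not dxaudit's own code, and the alias definitions are constructed sample data standing in for /etc/sec/event_aliases:

```python
# Added example (not dxaudit's code): a model of the alias / base-event
# interaction rules. ALIASES is constructed sample data standing in for
# /etc/sec/event_aliases: alias name -> {event: default Success/Failure setting}.
ALIASES = {
    "file_access": {"open": "both", "creat": "failure"},
    "logins": {"login": "both", "su": "success"},
}


class EventMask:
    """Selected Base/Site events with their Success/Failure settings."""

    def __init__(self, aliases):
        self.aliases = aliases
        self.events = {}            # selected event -> "success" | "failure" | "both"
        self.selected_aliases = set()

    def represents(self, alias):
        # An alias is a true representation only while every event it names
        # is still selected.
        return all(ev in self.events for ev in self.aliases[alias])

    def select_alias(self, alias):
        # Rule 1: selecting an alias selects all of its events; each event takes
        # the Success/Failure setting contained in the alias file by default.
        self.selected_aliases.add(alias)
        for ev, setting in self.aliases[alias].items():
            self.events[ev] = setting

    def set_alias_setting(self, alias, setting):
        # Rule 2: changing Success/Failure on a selected alias changes it on
        # every event in that alias.
        if alias not in self.selected_aliases:
            raise ValueError(f"alias {alias!r} is not selected")
        for ev in self.aliases[alias]:
            self.events[ev] = setting

    def unselect_event(self, ev):
        # Rule 3: unselecting a Base/Site event unselects any alias that no
        # longer exactly represents its events. Returns the aliases still selected.
        self.events.pop(ev, None)
        for alias in list(self.selected_aliases):
            if not self.represents(alias):
                self.selected_aliases.discard(alias)
        return sorted(self.selected_aliases)
```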
By default, dxaudit presents the list of security relevant events as installed in /etc/sec/audit_events on system installation. The administrator can configure dxaudit to use the entire list of audit events with the auditUseSecEvents X resource. See the X RESOURCES section below for details. If, during execution, dxaudit encounters an unrecognized event while querying an event mask, the user is asked whether dxaudit should use full event mode or security relevant event mode.
Collection Functions
The Current System Mask screen shows the system-wide event mask and style settings currently in effect. A system event mask can contain all event types except subevents of site events. This screen allows the administrator to query and change the current system mask and auditing styles (see the auditmask(8) reference page). dxaudit also provides a screen, via Edit->Object Selection/Deselection, to select or deselect audit records regarding file activity before they are stored in the audit trail.
The Default System Mask is the value of the AUDITMASK_FLAG
variable as stored in the /etc/rc.config
file. This is essentially the default value of the
system mask each time the system is booted. The
event mask and audit styles can be queried and
saved from this screen. If dxaudit detects that an
event mask is exactly represented by a loaded/saved
file on the system, then it will ask the administrator
if the default system mask should reference
the file name in the AUDITMASK_FLAG variable or
supply the contents of the file in the AUDITMASK_FLAG
variable. The former method provides a
level of indirection so that the administrator
could maintain the default mask by editing a file.
The Modify Active Process Mask screen presents a list of the currently active processes on the system. The administrator can choose a process, or a group of processes running as the same login user (same AUID), query its current event mask and audit control flags, and change them as necessary. For active processes, the event mask cannot contain habitat events or site events; however, a global option to audit habitat events can be set. Also, system call event auditing can be globally turned off.
Reporting Functions
The selection file screen allows the administrator to create, modify, or delete selection files. Selection files contain parameters that indicate how audit records will be selected from the raw audit trail during report generation. The selection parameters include the time interval, audit events, and user ID. Any audit record matching the selection criteria will be displayed. All types of audit events can be used in a selection file.

The deselection file screen allows the administrator to create, modify, or delete deselection files. A deselection file consists of tuples; each tuple is comprised of a host, audit ID, real UID, event, file pathname, and access mode. A deselection file can be used to further reduce audit records when generating reports, and it can be used in combination with a selection file. Any audit record matching the deselection criteria will be filtered out of the report stream.

The report screen allows the administrator to view an audit report. A selection file, a deselection file, and an audit log can be selected to generate a report. Output options include generating a report to a file, to a series of files sorted by audit ID, to a window on the screen, or, if audit is currently enabled, following the current activity. Report records can be in brief format or long format. In brief format, the administrator can double-click on a record to get a pop-up of the long format.
X Resources

auditUseSecEvents: This resource changes the list of events loaded into all list boxes with the Base/Site Events heading. Setting the value to True uses only security relevant audit events (the set found in /etc/sec/audit_events). Setting the value to False makes dxaudit use all events on the system, including all system calls, non-system events, and so on; this slightly impacts performance when mapping the screens that contain the event list boxes. It is recommended that security relevant events be used. The default value of this resource is true.

This resource changes the display of the Active Process List in the Modify Active Process Mask screen. Refer to the ps(1) reference page for additional information.

This resource changes the sort order of the ps(1) output in the Modify Active Process Mask screen. Valid options are ps(1) native order and alphabetic ordering by user name; alphabetic ordering by user name is the default.

This resource tells dxaudit how many 256K chunks of memory it can allocate when receiving audit report data from audit_tool. When the length of the report exceeds this amount of memory, the oldest 256K chunk of data is discarded, as long as the user is not viewing it at the moment. A discarded chunk cannot be accessed again unless the report is regenerated. The default setting for this resource is 20.
Files

System-wide X Resource file.
/etc/sec/audit_events - Security relevant audit events.
/etc/sec/site_events - Site specific audit events.
/etc/sec/event_aliases - Audit event alias specification file.
Directory containing the audit selection files.
Directory containing the audit deselection files.
See Also

auditd(8), auditmask(8), audit_tool(8), audit_setup(8)
dxaudit(8X)