When auditon is invoked, it retrieves the default values for the AUDIT_LOGERR, AUDIT_LOGFULL, and AUDIT_DEFPATH parameters from the /etc/default/audit file. If access to the file is denied or if any of the key words is missing or invalid, an error message is printed (see ``Diagnostics''). The default value for the AUDIT_LOGERR and AUDIT_LOGFULL parameters is DISABLE. The default value for the AUDIT_DEFPATH parameter is /var/audit.
If the event log file is a regular file, the AUDIT_NODE parameter is evaluated. If the value of AUDIT_NODE is longer than 7 characters or contains a slash, it is not used and no node name is appended to the log file name. If the value of AUDIT_NODE is valid, it is appended to the log file name.
If the value of AUDIT_LOGFULL is SWITCH, the AUDIT_PGM parameter is evaluated. If the value of AUDIT_PGM is valid, it is used as the absolute pathname of a program to execute when a log switch occurs. The AUDIT_DEFPATH and AUDIT_NODE parameters are also evaluated, and their values used for the alternate log file name and alternate node name.
The auditlog command may be used to override all but the AUDIT_LOGERR parameter.
When auditon is invoked, it initializes the audit event log file. If auditon is invoked when the maximum number of audit files already exist, an error message is displayed (see ``Diagnostics''). In such cases, editing /etc/default/audit to change the AUDIT_DEFPATH parameter controlling which directory log files will be placed may be helpful.
If the event log file cannot be accessed an error message is displayed (see ``Diagnostics''). When the auditon command completes successfully, the following message is displayed:
Auditing enabled filename
In this case, filename is the name of the audit log file.
The auditon command invokes the auditmap command to create the audit map files.
Auditing remains enabled while the system is running until the auditoff command is executed, or the log full condition of DISABLE or SHUTDOWN occurs, or an audit error is encountered.
If the Linux Kernel Personality (LKP) is installed, note that auditing cannot provide audit records for Linux mode activities on your system. You must either accept that Linux mode events will not be audited, or disable the LKP. If the auditon command is issued without a -e lkp or -d lkp option, you are prompted as follows:
[1] Allow Linux mode activities to continue but with no audit records [2] Disable all Linux mode activities now (Linux binaries will coredump, auditing is enabled and complete). [3] Abort auditon, make no change to audit or Linux mode at this time. Choose 1, 2, or 3:"
The auditon command has the following options:
usage: auditon
Invalid command syntax.
system service not installed
The audit package is not installed.
Permission denied
Failure because of insufficient privilege.
auditlog() failed ALOGGET, errno =
errno
Failure occurred while getting audit log file attributes.
auditlog() failed ALOGSET, errno =
errno
Failure occurred while setting audit log file attributes.
auditctl() failed ASTATUS, errno =
errno
Failure occurred while retrieving the status of auditing.
cannot access event log
current log file
Failure occurred while attempting to enable auditing.
Internal error, errno =
errno
Failure occurred while attempting to enable auditing.
the maximum (999) number of audit event log files for a given day exist
The maximum number of audit event log files exist, auditing is not enabled.
auditing abnormally terminated
log file
Before command completion auditing was terminated by another process.
unable to malloc space
argvtostr() failed
exec of
program name failed
fork() failed
The following warning messages may be printed:
Auditing already enabled
none or invalid AUDIT_LOGERR=value found in /etc/default/audit
cannot access /etc/default/audit
none or invalid AUDIT_LOGFULL=value found in /etc/default/audit
none or invalid AUDIT_DEFPATH=value found in /etc/default/audit
auditlog() failed ALOGGET, errno =
errno