auditon(1M)


auditon -- enable auditing

Synopsis

auditon

Description

The auditon shell level command allows the administrator with the appropriate privileges to enable auditing. The privileges required are audit, dacread, macwrite and setplevel.

When auditon is invoked, it retrieves the default values for the AUDIT_LOGERR, AUDIT_LOGFULL, and AUDIT_DEFPATH parameters from the /etc/default/audit file. If access to the file is denied, or if any of the keywords is missing or invalid, a warning message is printed (see ``Diagnostics'') and the default value is used. The default value for the AUDIT_LOGERR and AUDIT_LOGFULL parameters is DISABLE. The default value for the AUDIT_DEFPATH parameter is /var/audit.

If the event log file is a regular file, the AUDIT_NODE parameter is evaluated. If the value of AUDIT_NODE is longer than 7 characters or contains a slash, it is not used and no node name is appended to the log file name. If the value of AUDIT_NODE is valid, it is appended to the log file name.

If the value of AUDIT_LOGFULL is SWITCH, the AUDIT_PGM parameter is evaluated. If the value of AUDIT_PGM is valid, it is used as the absolute pathname of a program to execute when a log switch occurs. The AUDIT_DEFPATH and AUDIT_NODE parameters are also evaluated, and their values are used for the alternate log file name and alternate node name.

The auditlog command may be used to override all but the AUDIT_LOGERR parameter.

When auditon is invoked, it initializes the audit event log file. Log files are named MMDD###, where MMDD is the month and day and ### is a three-digit sequence number, so at most 999 log files can exist in the log directory for a given day. If auditon is invoked when that maximum number of audit files already exists, an error message is displayed (see ``Diagnostics''). In such cases, editing /etc/default/audit to change the AUDIT_DEFPATH parameter, which controls the directory in which log files are placed, may be helpful.

If the event log file cannot be accessed an error message is displayed (see ``Diagnostics''). When the auditon command completes successfully, the following message is displayed:

   Auditing enabled filename

In this case, filename is the name of the audit log file.
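The following script is an added example and is not part of the auditon(1M) page or of UnixWare. It applies the rules described above for /etc/default/audit (valid AUDIT_LOGFULL values, the AUDIT_NODE length and slash rule, AUDIT_PGM for SWITCH, the AUDIT_DEFPATH default, and the 999-per-day limit on MMDD### log file names) to a constructed copy of the file, so an operator can catch a bad configuration before invoking auditon and hitting one of the exit 17 conditions. Three details the page does not state are assumed and labelled as such in the code: the sequence number starts at 001, a valid AUDIT_NODE is appended directly after the three digits, and a valid AUDIT_PGM is an absolute path to an executable file. The function names (audit_param, check_logfull, node_suffix, check_pgm, next_logname, preflight) and the temporary stand-in paths are the example's own.

```shell
#!/bin/sh
# Added example; not from the auditon(1M) page or from UnixWare. It applies
# the rules the page gives for /etc/default/audit to a constructed copy of
# that file, so an operator can catch a bad configuration before running
# auditon. Assumptions not stated on the page: the MMDD### sequence starts
# at 001, a valid AUDIT_NODE is appended directly after the digits, and a
# valid AUDIT_PGM is an absolute path to an executable file.

# audit_param FILE KEY: value of the last KEY=value line, comments ignored.
audit_param() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/[ \t\r]+$/, "", $2) }
        $1 == key  { val = $2 }
        END        { print val }' "$1"
}

# check_logfull VALUE: the three log-full actions the page documents.
check_logfull() {
    case "$1" in
        DISABLE|SWITCH|SHUTDOWN) return 0 ;;
        *)                       return 1 ;;
    esac
}

# node_suffix VALUE: print the node name auditon would append, or nothing
# (page rule: longer than 7 characters or containing a slash => not used).
node_suffix() {
    case "$1" in */*) return 0 ;; esac
    if [ "${#1}" -gt 7 ]; then return 0; fi
    printf '%s' "$1"
}

# check_pgm VALUE: AUDIT_PGM must be an absolute path to an executable.
check_pgm() {
    case "$1" in /*) [ -x "$1" ] ;; *) return 1 ;; esac
}

# next_logname DIR MMDD NODE: name of the next log file for that day, or
# failure once all 999 sequence numbers are used (auditon's exit 17 case).
next_logname() {
    nl_high=0
    for nl_f in "$1/$2"[0-9][0-9][0-9]*; do
        [ -e "$nl_f" ] || continue
        nl_seq=${nl_f##*/}                        # strip the directory
        nl_seq=$(printf '%.3s' "${nl_seq#$2}")    # three-digit sequence
        nl_seq=${nl_seq#0}; nl_seq=${nl_seq#0}    # drop leading zeros
        if [ "$nl_seq" -gt "$nl_high" ]; then nl_high=$nl_seq; fi
    done
    if [ "$nl_high" -ge 999 ]; then
        echo "$1: the maximum (999) audit event log files for $2 exist" >&2
        return 1
    fi
    printf '%s/%s%03d%s\n' "$1" "$2" $((nl_high + 1)) "$3"
}

# preflight FILE MMDD: run every check; on success print the log file name
# auditon would report in "Auditing enabled filename".
preflight() {
    pf_rc=0
    pf_logfull=$(audit_param "$1" AUDIT_LOGFULL)
    if ! check_logfull "$pf_logfull"; then
        echo "none or invalid AUDIT_LOGFULL=$pf_logfull found in $1" >&2; pf_rc=1
    fi
    if [ "$pf_logfull" = SWITCH ] && ! check_pgm "$(audit_param "$1" AUDIT_PGM)"; then
        echo "AUDIT_LOGFULL=SWITCH but AUDIT_PGM is not an executable absolute path" >&2
        pf_rc=1
    fi
    pf_path=$(audit_param "$1" AUDIT_DEFPATH)
    [ -n "$pf_path" ] || pf_path=/var/audit           # default from the page
    if [ ! -d "$pf_path" ]; then
        echo "cannot access $pf_path" >&2; return 1
    fi
    pf_node=$(audit_param "$1" AUDIT_NODE)
    pf_suffix=$(node_suffix "$pf_node")
    if [ -n "$pf_node" ] && [ -z "$pf_suffix" ]; then
        echo "AUDIT_NODE=$pf_node ignored (longer than 7 characters or contains a slash)" >&2
    fi
    [ "$pf_rc" -eq 0 ] || return "$pf_rc"
    next_logname "$pf_path" "$2" "$pf_suffix"
}

# --- demonstration on constructed data (stand-ins for the real paths) -----
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
logdir=$work/var_audit; mkdir -p "$logdir"
touch "$logdir/0425001" "$logdir/0425002"             # two logs exist today
printf '#!/bin/sh\nexit 0\n' > "$work/switchlog"; chmod +x "$work/switchlog"
cat > "$work/audit" <<EOF
# constructed stand-in for /etc/default/audit
AUDIT_LOGERR=DISABLE
AUDIT_LOGFULL=SWITCH
AUDIT_DEFPATH=$logdir
AUDIT_NODE=db/01
AUDIT_PGM=$work/switchlog
EOF
preflight "$work/audit" 0425     # warns about AUDIT_NODE, prints .../0425003
```

Run it as root against the real file by replacing the constructed stand-ins with /etc/default/audit and today's MMDD. The script insists on a usable AUDIT_PGM only when AUDIT_LOGFULL is SWITCH because, as described above, SWITCH is the setting that keeps records flowing across a log switch, whereas a DISABLE log-full condition ends auditing while the system keeps running and leaves an unaudited gap.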

The auditon command invokes the auditmap command to create the audit map files.

Auditing remains enabled while the system is running until the auditoff command is executed, or the log full condition of DISABLE or SHUTDOWN occurs, or an audit error is encountered.

If the Linux Kernel Personality (LKP) is installed, note that auditing cannot provide audit records for Linux mode activities on your system. You must either accept that Linux mode events will not be audited, or disable the LKP. If the auditon command is issued without a -e lkp or -d lkp option, you are prompted as follows:

   [1] Allow Linux mode activities to continue but with no audit records
   [2] Disable all Linux mode activities now (Linux binaries will coredump,
       auditing is enabled and complete).
   [3] Abort auditon, make no change to audit or Linux mode at this time.
          Choose 1, 2, or 3:

The auditon command has the following options:


-e lkp
The -e lkp option enables auditing for UNIX mode and permits Linux mode activities if LKP is installed, but Linux mode events are not audited.

-d lkp
The -d lkp option enables auditing but completely disables LKP. You might want to warn users before disabling the LKP. If Linux binaries are running when the LKP is disabled, they will core dump.

Files

/etc/default/audit
/var/audit/MMDD###
/etc/init.d/audit
/etc/rc2.d/S02audit

Diagnostics

On successful completion, the auditon command exits with a value of zero (0). If there is an error, it exits with one of the following values and prints the corresponding error message:

1
usage: auditon

Invalid command syntax.


3
system service not installed

The audit package is not installed.


4
Permission denied

Failure because of insufficient privilege.


8
auditlog() failed ALOGGET, errno = errno

Failure occurred while getting audit log file attributes.


9
auditlog() failed ALOGSET, errno = errno

Failure occurred while setting audit log file attributes.


12
auditctl() failed ASTATUS, errno = errno

Failure occurred while retrieving the status of auditing.


17
cannot access event log current log file

Failure occurred while attempting to enable auditing.


17
Internal error, errno = errno

Failure occurred while attempting to enable auditing.


17
the maximum (999) number of audit event log files for a given day exist

The maximum number of audit event log files exist, auditing is not enabled.


17
auditing abnormally terminated log file

Auditing was terminated by another process before the command completed.


24
unable to malloc space

Memory allocation failed.


24
argvtostr() failed


33
exec of program name failed

The named program could not be executed.


36
fork() failed

A new process could not be created.

The following warning messages may be printed:


Auditing already enabled

none or invalid AUDIT_LOGERR=value found in /etc/default/audit
The default value (DISABLE) is used.

cannot access /etc/default/audit
The /etc/default/audit file cannot be accessed. The default values described in the DESCRIPTION section are used. Auditing is enabled.

none or invalid AUDIT_LOGFULL=value found in /etc/default/audit
The default value (DISABLE) is used.

none or invalid AUDIT_DEFPATH=value found in /etc/default/audit
The default value (/var/audit) is used.

auditlog() failed ALOGGET, errno = errno
Auditing is enabled; however, a failure occurred when retrieving the audit log attributes before changing the owner/group of the audit log file.

References

auditdmp(2), auditlog(1M), auditmap(1M), auditoff(1M), auditrpt(1M), auditset(1M), defadm(1M)
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 25 April 2004