Auditing your system
Overview of the auditing subsystem
        The purpose of auditing
        How auditing works
                Audit event masks
                        System event masks
                        User event masks
                        Object level event mask
                Kernel audit processing
                        Checking for auditable events
                        Writing audit data
        Overview of auditable event types and classes
        Managing the audit event log file
        Controlling the auditing subsystem
                Setting auditing parameters
                Overview of tunable parameters for auditing
        Auditing commands

Installing the auditing subsystem
        Using pkgadd to install the auditing software
        Using pkgchk to verify audit software installation

Configuring auditing
        Default configuration settings for the auditing subsystem
        Tunable parameters for auditing
                Auditing's tunable parameters file
                Description of auditing tunables
                        The ADT_NBUF tunable
                        The ADT_BSIZE tunable
                        The ADT_LWP_BSIZE tunable
                        The ADT_NLVLS tunable
                Displaying or changing a tunable parameter for auditing
        Configuring the /etc/default/audit file
                The /etc/default/audit file
                        Deciding whether to use DISABLE or SHUTDOWN
                        Using defadm to configure the log file and audit actions
        Configuring auditing with the auditlog command
                Specifying the type and location of the audit event log file with auditlog
                Using auditlog to specify the name of the audit event log file
                Using auditlog to specify the high water mark
                        Writing records directly to the log file
                Using auditlog to specify the size of the log file
                Using auditlog to specify the action when the log file is full
        Specifying continuous auditing
                Specifying an alternate log file
        Displaying auditing subsystem settings
        Setting audit criteria with the auditset command
                Using auditset to set system-wide audit criteria
                Setting user audit criteria
                        Setting user audit criteria with auditset
                        Setting user audit criteria with useradd or usermod
                        Setting a default audit mask for all users
                Displaying audit criteria
        Auditing NIS users
        Starting and stopping the audit subsystem
                Starting auditing from the command line
                Stopping auditing from the command line
                Starting the audit subsystem with /etc/init.d/audit
        A quick reference to enabling audit

Auditable events
        Auditable event data types
                Common data for auditable events
                Object data for auditable events
        Fixed events
        Selectable events
                Access control events
                        Discretionary access control (DAC) events
                        Directory and file access events
                        Directory and file creation events
                        Symbolic link events
                        Change of path events
                System administration events
                        Privileged events
                Line printer system events
                Interprocess communication (IPC) events
                Process control events
                User authentication events
                I/O control events
                Dynamic loadable module (DLM) events
                Processor binding events
                Processor state events
        Event classes
        Deciding which events to audit

Maintaining the auditing system
        Archiving audit information
        Recovering audit information from system memory

Displaying audit trail information
        Format of auditrpt output
        Displaying information from the audit log
                Combining reporting options
                        Using the -o option
                Displaying information by event
                Displaying information about users
                Displaying information by object identity
                Displaying information by object type
                Displaying information about privileges
                Displaying information about a time interval
                Displaying information by event outcome
                Including LWP information in an audit report
                Additional auditrpt options
                        The -b option
                        The -w option
                Processing miscellaneous records
                Displaying information from multiple logs
        The audit map file
                Specifying the auditmap directory
        The auditfltr command
                Translating log files with the auditfltr command
        A quick reference to reporting audit data

Summary of auditable events and classes
        Table of auditable events
        Table of auditable event classes