Auditing your system
Overview of the auditing subsystem
The purpose of auditing
How auditing works
Audit event masks
System event masks
User event masks
Object level event mask
Kernel audit processing
Checking for auditable events
Writing audit data
Overview of auditable event types and classes
Managing the audit event log file
Controlling the auditing subsystem
Setting auditing parameters
Overview of tunable parameters for auditing
Auditing commands
Installing the auditing subsystem
Using pkgadd to install the auditing software
Using pkgchk to verify audit software installation
Configuring auditing
Default configuration settings for the auditing subsystem
Tunable parameters for auditing
Auditing's tunable parameters file
Description of auditing tunables
The ADT_NBUF tunable
The ADT_BSIZE tunable
The ADT_LWP_BSIZE tunable
The ADT_NLVLS tunable
Displaying or changing a tunable parameter for auditing
Configuring the /etc/default/audit file
The /etc/default/audit file
Deciding whether to use DISABLE or SHUTDOWN
Using defadm to configure the log file and audit actions
Configuring auditing with the auditlog command
Specifying the type and location of the audit event log file with auditlog
Using auditlog to specify the name of the audit event log file
Using auditlog to specify the high water mark
Writing records directly to the log file
Using auditlog to specify the size of the log file
Using auditlog to specify the action when the log file is full
Specifying continuous auditing
Specifying an alternate log file
Displaying auditing subsystem settings
Setting audit criteria with the auditset command
Using auditset to set system-wide audit criteria
Setting user audit criteria
Setting user audit criteria with auditset
Setting user audit criteria with useradd or usermod
Setting a default audit mask for all users
Displaying audit criteria
Auditing NIS users
Starting and stopping the audit subsystem
Starting auditing from the command line
Stopping auditing from the command line
Starting the audit subsystem with /etc/init.d/audit
A quick reference to enabling audit
Auditable events
Auditable event data types
Common data for auditable events
Object data for auditable events
Fixed events
Selectable events
Access control events
Discretionary access control (DAC) events
Directory and file access events
Directory and file creation events
Symbolic link events
Change of path events
System administration events
Privileged events
Line printer system events
Interprocess communication (IPC) events
Process control events
User authentication events
I/O control events
Dynamic loadable module (DLM) events
Processor binding events
Processor state events
Event classes
Deciding which events to audit
Maintaining the auditing system
Archiving audit information
Recovering audit information from system memory
Displaying audit trail information
Format of auditrpt output
Displaying information from the audit log
Combining reporting options
Using the -o option
Displaying information by event
Displaying information about users
Displaying information by object identity
Displaying information by object type
Displaying information about privileges
Displaying information about a time interval
Displaying information by event outcome
Including LWP information in an audit report
Additional auditrpt options
The -b option
The -w option
Processing miscellaneous records
Displaying information from multiple logs
The audit map file
Specifying the auditmap directory
The auditfltr command
Translating log files with the auditfltr command
A quick reference to reporting audit data
Summary of auditable events and classes
Table of auditable events
Table of auditable event classes