|
|
When a user logs in who is authenticated locally and not through NIS, the auditing subsystem retrieves their audit event mask from a secure database on the local machine and registers it with the kernel. The audit event mask determines the events for which the user will be audited.
When an NIS user logs in, the auditing subsystem instead attempts to retrieve the user's audit event mask from the NIS map, auditmask.byname, which is held on an NIS master or slave server.
You cannot use the auditcnv(1M) command to create the audit event mask file for an NIS user on an audited NIS client. Follow the procedure given in this section to create a map for the audit event mask on the NIS master server and then propagate this to the other NIS slave servers.
To set up the NIS map for audit event masks, perform the following steps as root on the master server:
You can specify individual audit events or audit event classes (defined in /etc/security/audit/classes) to reference groups of events. See ``Auditable events'' for more information.
The following is an example entry for an NIS user:
brian id_auth,file_makeThis would allow the ad_auth, bad_lvl, create, cron, def_lvl, link, login, mk_node, passwd, sym_create, and unlink events to be audited for the NIS user brian.
all: ypservers passwd group hosts ethers networks \ rpc services protocols netgroup aliases \ publickey netid netmasks TIMEZONE bootparams \ auditmask.byname
auditmask.byname.time: $(DIR)/auditmask.byname @if [ -f $(DIR)/auditmask.byname ]; then \ sed -e "/^#/d" -e s/#.*$$// $(DIR)/auditmask.byname \ | $(MAKEDBM) - $(YPDBDIR)/$(DOM)/auditmask.byname; touch auditmask.byname.time; \ $(ECHO)40 "updated auditmask.byname\n"; \ if [ ! $(NOPUSH) ]; then \ $(YPPUSH) auditmask.byname; \ $(ECHO)41 "pushed auditmask.byname\n"; \ fi \ else \ $(ECHO)42 "could not find $(DIR)/auditmask.byname\n"; \ fiThe sed script eliminates comment and empty lines and feeds the output to makedbm.
auditmask.byname: auditmask.byname.time
If you subsequently need to change the audit event mask for an NIS user, edit the auditmask.byname input file on the master server, and then use ypbuild to rebuild and propagate the map.
See also: