auditset(1M)

Synopsis

auditset [-s [operator]event[,. . .]]
[-e[operator]event[,. . .] -u user[,. . .]|-a]

Description

To set or display user auditing criteria the specified user(s) must be active. If no options are supplied on the command line, then the System and User audit criteria are displayed.

The event input list must be separated by commas, and can be the name of an event class or event type. Event classes are defined in the /etc/security/audit/classes system file. Additionally, all and none may be used as event keywords. For the system and user audit criteria the keyword none is defined to be the set of fixed event types and the keyword all is defined to be the set of all fixed and pre-selectable event types. Keywords may not be intermixed with event classes or event types. You may specify only one keyword with each option; you may not, for example, specify both all and none for the system audit criteria.

The user input list must be separated by commas, and can be specified by either login name or uid. (Note: auditing is based on real uid).

Only one operator may be specified per option on the command line. Operators will be ignored when used with the keywords all and none. The following are the valid operator values:

[no operator]

Replace the current auditable event(s) with the specified input.

+

Add the specified auditable event(s) to the current audit criteria.

-

Delete the specified auditable event(s) from the current audit criteria.

!

All auditable events except those specified replace the current auditable events.

The following are the valid command line options.

-d

If no other options are given, display the current system audit criteria in the format:

   System Audit Criteria:
        system: all | none | events[,. . .]

-u user[,. . .] | -a

The -u and -a options are modifiers to the -d option and the -e option. The -u option is used to request a specific active user or a list of active users. The -a option is used to request all currently active users. The -u and -a options can not be used on the same command line. When used with the -e option user audit criteria is set (see explanation of -e option). When used with the -d option, the system audit criteria is displayed, followed by the user audit criteria for the given user(s). The format for the system audit criteria is given under the description for the -d option. The format for the user audit criteria display is:

   User Audit Criteria:
        user1 (uid1): all | none | events[,. . .]
        user2 (uid2): all | none | events[,. . .]

(user is the login name and uid the user ID).

-s [operator]event[,. . .]

Set the system wide auditing criteria. Any valid event type or event class will be recorded regardless of the current user criteria.

-e [operator]event[,. . .] -u user[,. . .] | -a

Set the auditing criteria for the specified active user(s) or all users. All processes belonging to the specified user(s) will have their auditing information updated.

Files

Diagnostics

1

usage: auditset . . .

Invalid command syntax.

3

system service not installed

The audit package is not installed.

4

Permission denied

Failure because of insufficient privilege.

5

opendir() failed for directory /proc

Unable to obtain a list of the active users on the system.

10

auditevt() failed AGETSYS, errno = errno

A failure occurred while retrieving the system audit mask.

10

auditevt() failed AGETUSR, errno = errno

A failure occurred while retrieving a user's audit mask.

11

auditevt() failed ASETSYS, errno = errno

A failure occurred while setting the system audit mask.

11

auditevt() failed ASETUSR, errno = errno

A failure occurred while setting a user's audit mask.

12

auditctl() failed ASTATUS, errno = errno

A failure occurred while retrieving the status of auditing.

24

unable to allocate space

24

argvtostr() failed

The following warning messages may be displayed:

invalid or inactive user user specified

The argument to the -u option contained an invalid or inactive user.

References

Notices