auditset(1M)
auditset -- select or display audit criteria
Synopsis
auditset [-d [-u user[,. . .] | -a]]
auditset [-s [operator]event[,. . .]] [-e [operator]event[,. . .] -u user[,. . .] | -a]
Description
The auditset shell-level command allows an administrator with the
appropriate privileges to set or display the
system and user audit criteria.
The privileges required are audit,
dacread, macread and setplevel.
To set or display user auditing criteria, the specified user(s) must be active.
If no options are supplied on the command line, then the System and User
audit criteria are displayed.
The event input list must be separated by commas, and can be the name of an event
class or event type.
Event classes are defined in the
/etc/security/audit/classes system file.
Additionally, all and none
may be used as event keywords.
For the system and user audit criteria the keyword
none is defined to be the
set of fixed event types and the keyword all is defined to
be the set of all fixed and pre-selectable event types.
Keywords may not be intermixed with event classes or event types.
You may specify only one keyword with each option; you may not, for
example, specify both all and none
for the system audit criteria.
The user input list must be separated by commas,
and can be specified by
either login name or uid.
(Note: auditing is based on real uid).
Only one operator may be specified per option on the command line.
Operators will be ignored when used with the keywords
all and none.
The following are the valid operator values:
[no operator]
Replace the current auditable event(s) with the specified input.
+
Add the specified auditable event(s) to the current audit criteria.
-
Delete the specified auditable event(s) from the current audit criteria.
!
All auditable events except those specified replace the current auditable events.
The following are the valid command line options:
-d
If no other options are given, display the current system audit criteria in the format:
System Audit Criteria:
system: all | none | events[,. . .]
-u user[,. . .] | -a
The -u and -a options are modifiers to the -d option and the -e option.
The -u option is used to request a specific active user or a list of active users.
The -a option is used to request all currently active users.
The -u and -a options cannot be used on the same command line.
When used with the -e option, user audit criteria are set
(see the explanation of the -e option).
When used with the -d option,
the system audit criteria are displayed, followed by the user audit
criteria for the given user(s).
The format for the system audit criteria is given under the
description of the -d option.
The format for the user audit criteria display is:
User Audit Criteria:
user1 (uid1): all | none | events[,. . .]
user2 (uid2): all | none | events[,. . .]
(user is the login name and uid the user ID).
-s [operator]event[,. . .]
Set the system wide auditing criteria.
Any valid event type or event class will be recorded regardless of the current user criteria.
-e [operator]event[,. . .] -u user[,. . .] | -a
Set the auditing criteria for the specified active user(s) or all users.
All processes belonging to the specified user(s) will have their auditing
information updated.
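Added example (not part of the original manual page or of the auditset distribution): a shell check that reads the display format documented above and reports users whose effective criteria, system plus user, lack events you require. The helper name audit_gaps, the sample logins and the event names are constructed, and the check assumes the display lists events under the same names you pass in.

```sh
#!/bin/sh
# Constructed sample of `auditset -d -a` output in the documented display
# format. Login names, uids and event names are made up for illustration.
sample_output() {
cat <<'EOF'
System Audit Criteria:
system: login,exec
User Audit Criteria:
root (0): all
alice (101): none
bob (102): chmod
EOF
}

# audit_gaps REQUIRED[,...]  (hypothetical helper name)
# Reads the display on stdin and prints "login (uid): missing ev[,...]" for
# each user whose effective criteria (system plus user) lack a required event.
# Fixed event types implied by "none" are not expanded: names are compared
# literally against what the display lists.
audit_gaps() {
    awk -v req="$1" '
    function add(set, list,    n, i, a) {    # load a comma list into set[]
        gsub(/[ \t]/, "", list)
        n = split(list, a, ",")
        for (i = 1; i <= n; i++) set[a[i]] = 1
    }
    BEGIN { split("", sys) }
    /^system:/ { sub(/^system:/, ""); add(sys, $0); next }
    /^[^ ]+ \([0-9]+\):/ {
        who = $1 " " $2; sub(/:$/, "", who)
        list = $0; sub(/^[^:]*:/, "", list)
        split("", usr); add(usr, list)
        # "all" selects every event type, so nothing can be missing
        if (("all" in sys) || ("all" in usr)) next
        miss = ""
        n = split(req, r, ",")
        for (i = 1; i <= n; i++)
            if (!(r[i] in sys) && !(r[i] in usr))
                miss = miss (miss == "" ? "" : ",") r[i]
        if (miss != "") print who ": missing " miss
    }'
}

# On a live system: auditset -d -a | audit_gaps login,exec,chmod
sample_output | audit_gaps login,exec,chmod
```

Because criteria set with -e apply only to the current login session (see Notices), the result reflects the sessions active when the display was taken.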
Files
/etc/security/audit/classes
Diagnostics
When invoked successfully,
the auditset command exits with a value of zero (0).
If there are errors, it exits with one of the following values
and prints the corresponding error message:
1
usage: auditset . . .
Invalid command syntax.
3
system service not installed
The audit package is not installed.
4
Permission denied
Failure because of insufficient privilege.
5
opendir() failed for directory /proc
Unable to obtain a list of the active users on the system.
10
auditevt() failed AGETSYS, errno = errno
A failure occurred while retrieving the system audit mask.
10
auditevt() failed AGETUSR, errno = errno
A failure occurred while retrieving a user's audit mask.
11
auditevt() failed ASETSYS, errno = errno
A failure occurred while setting the system audit mask.
11
auditevt() failed ASETUSR, errno = errno
A failure occurred while setting a user's audit mask.
12
auditctl() failed ASTATUS, errno = errno
A failure occurred while retrieving the status of auditing.
24
unable to allocate space
24
argvtostr() failed
The following warning messages may be displayed:
invalid or inactive user user specified
The argument to the -u option contained an
invalid or inactive user.
References
auditoff(1M), auditon(1M), auditrpt(1M), useradd(1M), usermod(1M)
Notices
The auditset command sets audit criteria for users dynamically.
When you set audit criteria for a user
with the -e, -u and -a options, the criteria are in effect only
for that login session.
If the user logs out or logs in from another terminal,
the criteria are no longer in effect.
If you want to set audit criteria for all of a user's login sessions,
use either the useradd or usermod command.
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 25 April 2004