*** UNIX MANUAL PAGE BROWSER ***

A Nergahak database for man pages research.

Command: audit_setup | Section: 8 | Source: Digital UNIX | File: audit_setup.8.gz

audit_setup(8)            System Manager's Manual            audit_setup(8)

NAME
       audit_setup - Audit setup script

SYNOPSIS
       /usr/sbin/audit_setup

DESCRIPTION
       The audit_setup script is used interactively to establish the audit
       environment on your system.  The audit_setup script is an interactive,
       menu-driven utility.

       The audit_setup script does the following:

       Establishes startup flags for the audit daemon.  The following options
       to auditd can be set using audit_setup:

              Destination of audit data
              Destination of auditd messages
              Action to take on an overflow condition
              Enable accepting audit data from remote audit daemons

       Establishes startup flags for the auditmask.  The auditmask establishes
       which events get audited.  This can be specified in one of two ways:

              Having the auditmask read a list of events from a file
              Specifying a list of events on the command line

       Events can refer to system calls, trusted events, site-defined events,
       or alias names.

       Creates the /dev/audit device (if needed).

       Configures a new kernel (if needed).

       The audit_setup script can also be used to modify your system
       configuration file.

       You must be root to run audit_setup.

EXAMPLE
       The following is a sample audit_setup session.

       ********************************************************************
                          Audit Subsystem Setup Script
       ********************************************************************
       The following steps will be taken to set up audit:
       1) establish startup flags for the audit daemon,
       2) establish startup flags for the auditmask,
       3) create the /dev/audit device (if needed),
       4) configure a new kernel (if needed).

       Do you wish to have security auditing enabled as part of system
       initialization (answer 'n' to disable) ([y]/n)? y

       ----------------------------
       Audit Daemon Startup Flags
       ----------------------------
       Some of the options to 'auditd' control:
       1) destination of audit data,
       2) destination of auditd messages,
       3) action to take on an overflow condition,
       4) enable accepting audit data from remote auditd's.

       Destination of audit data (file|host:) [/var/audit/auditlog]? <Return>
       Directory /var/audit/ does not exist; create it now (y/[n])? y
       Destination of auditd messages [/var/audit/auditd_cons]? <Return>

       Action to take on an overflow condition may be one of:
       1) change audit data location according to '/etc/sec/auditd_loc'
       2) suspend auditing until space becomes available
       3) overwrite the current auditlog
       4) terminate auditing
       5) halt the system
       Action (1-5) [1]? <Return>

       Don't forget to list in '/etc/sec/auditd_loc' the alternate
       directories in which to store audit data.
       Do you wish to edit /etc/sec/auditd_loc now (y/[n])? <Return>

       Accept data from remote auditd's (y/[n])? y
       Don't forget to place names of remote hosts from which data may be
       accepted into '/etc/sec/auditd_clients'.
       Do you wish to edit /etc/sec/auditd_clients now (y/[n])? y
       ?auditd_clients
       a
       alpha1
       alpha1.sales.dec.com
       .
       1,$n
       1       alpha1
       2       alpha1.sales.dec.com
       w
       q

       Further options are available for advanced users of the audit system
       (please refer to the auditd manpage).
       If you wish to specify further options you may do so now (<cr> for
       none): <Return>

       Startup flags for 'auditd' set to:
            -l /var/audit/auditlog -c y -o changeloc -r -s
       Is this correct ([y]/n)? y

       -------------------------
       Auditmask Startup Flags
       -------------------------
       The auditmask establishes which events get audited.  This can be
       specified by:
       1) having the auditmask read a list of events from a file, -or-
       2) specifying a list of events on the command line.
       Events can refer to syscalls, trusted events, site-defined events, or
       alias names.

       The file '/etc/sec/audit_events' contains a list of all auditable
       system calls and trusted (application) events.  You may either modify
       this file or use it as a template.

       The file '/etc/sec/event_aliases' contains a set of aliases by which
       logically related groupings of events may be constructed.  You may
       modify this set of aliases to suit your site's requirements.

       Enter filename with event list or * indicating events will be listed
       on the command line (<Return> for no events): /etc/sec/audit_events
       Do you wish to edit /etc/sec/audit_events now (y/[n])? <Return>

       The auditmask also sets various style flags such as:
       1) 'exec_argp' - audit argument vector to exec system calls
       2) 'exec_envp' - audit environment vector to exec system calls
       3) 'login_uname' - audit recorded username in failed login events
       Enable exec_argp ([y]/n)? <Return>
       Enable exec_envp (y/[n])? <Return>
       Enable login_uname ([y]/n)? <Return>

       Startup flags for 'auditmask' set to:
            -s exec_argp -s login_uname < /etc/sec/audit_events
       Is this correct ([y]/n)? <Return>

       ----------------------
       System Configuration
       ----------------------
       UNWIRE is already configured for security auditing (/sys/conf/UNWIRE).

       Would you like to start audit now ([y]/n)? <Return>
       '/usr/sbin/auditd' started.
       '/usr/sbin/auditmask' set.

       ***** AUDIT SETUP COMPLETE *****

FILES
       /etc/sec/event_aliases
              A set of aliases by which logically related groupings of events
              can be constructed.  You can modify this set of aliases to suit
              your site's requirements.

       /etc/sec/auditd_clients
              A list of hosts from which audit data can be accepted.

       /etc/sec/auditd_loc
              A list of alternative locations in which auditd stores audit
              data when an overflow condition is reached.

       /etc/sec/audit_events
              A list of all auditable system calls and trusted (application)
              events.  You can modify this file or use it as a template.

RELATED INFORMATION
       Commands: auditmask(8), auditd(8)

       Security

                                                              audit_setup(8)
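The sample session twice reminds the operator to populate a supporting file after choosing an option (alternate directories in /etc/sec/auditd_loc for the changeloc overflow action, and host names in /etc/sec/auditd_clients before accepting remote data with -r); audit_setup itself does not check that this was done, and an auditd started with those flags but empty files has nowhere to go on overflow and no peer list for remote data. The POSIX shell script below is an added example, not part of the Digital UNIX page or the audit_setup script: it takes the flag string audit_setup prints ("Startup flags for 'auditd' set to: ...") and checks the configuration those flags depend on before the daemon is started. It understands only the flags the session shows (-l, -c, -o changeloc, -r, -s); the "host:" form of the -l destination being recognised by a colon is an assumption, and the ETCSEC variable is an assumption added so the check can be run against a staging copy of /etc/sec.

```shell
#!/bin/sh
# Added example (not part of the Digital UNIX audit_setup(8) page): a
# pre-flight check for the auditd startup flags that audit_setup writes.
# It covers only the flags the sample session shows: -l <file|host:> (data
# destination), -c <y|n>, -o changeloc (overflow action), -r (accept remote
# audit data), -s.  Any other option is passed over untouched (see auditd(8)).
# ETCSEC is an assumption, so the check can be pointed at a staging copy of
# /etc/sec instead of the live directory.

ETCSEC="${ETCSEC:-/etc/sec}"

# has_entries FILE: true if FILE exists and contains at least one non-blank line.
has_entries() {
    [ -f "$1" ] && grep -q '[^[:space:]]' "$1"
}

# check_auditd_flags "FLAGS": take the string audit_setup printed after
# "Startup flags for 'auditd' set to:" and verify the configuration those
# flags rely on.  One line per problem is printed; the return value is the
# number of problems found, so 0 means auditd can be started with these flags.
check_auditd_flags() {
    problems=0
    set -- $1                          # split the flag string into words
    while [ $# -gt 0 ]; do
        case "$1" in
        -l)
            dest="$2"
            [ $# -gt 1 ] && shift
            case "$dest" in
            *:*)                       # "host:" form (assumed): data goes to a remote auditd
                ;;
            *)
                dir=$(dirname "$dest")
                if [ ! -d "$dir" ]; then
                    echo "audit data directory $dir does not exist (create it or fix -l)"
                    problems=$((problems + 1))
                fi
                ;;
            esac
            ;;
        -o)
            action="$2"
            [ $# -gt 1 ] && shift
            if [ "$action" = changeloc ] && ! has_entries "$ETCSEC/auditd_loc"; then
                echo "-o changeloc selected but $ETCSEC/auditd_loc lists no alternate directories"
                problems=$((problems + 1))
            fi
            ;;
        -r)
            if ! has_entries "$ETCSEC/auditd_clients"; then
                echo "-r accepts remote audit data but $ETCSEC/auditd_clients names no hosts"
                problems=$((problems + 1))
            fi
            ;;
        -c)
            [ $# -gt 1 ] && shift      # -c y|n: skip the argument
            ;;
        esac
        shift
    done
    return $problems
}

# Usage: sh check_audit_flags.sh -l /var/audit/auditlog -c y -o changeloc -r -s
# Exit status is the number of problems; nothing runs when no flags are given.
[ $# -eq 0 ] || check_auditd_flags "$*"
```

Run it as root with the exact flag string audit_setup reported, or with ETCSEC set to a staging directory to vet a configuration before copying it into /etc/sec. A blank-only file counts as unpopulated, since that is what an untouched ed(1) session leaves behind when the operator quits without appending anything.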
