audsys - start or halt the auditing system and set or display audit
audsys [-nf] [-c file -s cafs] [-x file -z xafs]
audsys allows the user to start or halt the auditing system, to
specify the auditing system "current" and "next" audit files (and
their switch sizes), or to display auditing system status information.
This command is restricted to super-users.
The "current" audit file is the file to which the auditing system
writes audit records. When the "current" file grows to either its
Audit File Switch (AFS) size or its File Space Switch (FSS) size (see
audomon(1M)), the auditing system switches to write to the "next"
audit file. The auditing system switches audit files by setting the
"current" file designation to the "next" file and setting the new
"next" file to NULL. The "current" and "next" files can reside on
different file systems.
When invoked without arguments, audsys displays the status of the
auditing system. This status includes information describing whether
auditing is on or off, the names of the "current" and "next" audit
files, and a table listing their switch sizes and the sizes of file
systems on which they are located, as well as the space available
expressed as a percentage of the switch sizes and file system sizes.
audsys recognizes the following options:
-n Turn on the auditing system. The system uses
existing "current" and "next" audit files unless
others are specified with the -c and -x options.
If no "current" audit file exists (such as when
the auditing system is first installed), specify
it by using the -c option.
-f Turn off the auditing system. The -f and -n
options are mutually exclusive. Other options
specified with -f are ignored.
-c file Specify a "current" file. Any existing "current"
file is replaced with the file specified; the
auditing system immediately switches to write to
the new "current" file. The specified file must
be empty or nonexistent, unless it is the
"current" or "next" file already in use by the
Hewlett-Packard Company - 1 - HP-UX Release 11i: November 2000
-s cafs Specify cafs, the "current" audit file switch size
-x file Specify the "next" audit file. Any existing
"next" file is replaced with the file specified.
The specified file must be empty or nonexistent,
unless it is the "current" or "next" file already
in use by the auditing system.
-z xafs Specify xafs, the "next" audit file switch size
If -c but not -x is specified, only the "current" audit file is
changed; the existing "next" audit file remains. If -x but not -c is
specified, only the "next" audit file is changed; the existing
"current" audit file remains.
The -c option can be used to manually switch from the "current" to the
"next" file by specifying the "next" file as the new "current" file.
In this instance, the file specified becomes the new "current" file
and the "next" file is set to NULL.
In instances where no next file is desired, the -x option can be used
to set the "next" file to NULL by specifying the existing "current"
file as the new "next" file.
The user should take care to select audit files that reside on file
systems large enough to accommodate the Audit File Switch (AFS)
desired. audsys returns a non-zero status and no action is performed,
if any of the following situations would occur:
The Audit File Switch size (AFS) specified for either audit file
exceeds the space available on the file system where the file
The AFS size specified for either audit file is less than the
file's current size.
Either audit file resides on a file system with no remaining user
space (exceeds minfree).
All modifications made to the audit system are lost upon reboot. To
make the changes permanent, set AUDITING, PRI_AUDFILE, PRI_SWITCH,
SEC_AUDFILE, and SEC_SWITCH in /etc/rc.config.d/auditing.
A user process will be blocked in the kernel if all of the following
+ the file system containing current audit file is full,
Hewlett-Packard Company - 2 - HP-UX Release 11i: November 2000
+ there is no next audit file or the next audit file is removed,
+ the user process makes an auditable system call or generates
an auditable event.
To recover from the resulting deadlock, the session leader of the
console is killed so that the the administrator can login. Hence
sensitive applications should not be run as session leaders on the
audsys was developed by HP.
/.secure/etc/audnames File maintained by audsys containing
the "current" and "next" audit file
names and their switch sizes.
audit(5), audomon(1M), audctl(2), audwrite(2), audit(4), setsid(2).
Hewlett-Packard Company - 3 - HP-UX Release 11i: November 2000