unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (OSF1-V5.1-alpha)
Page:
Section:
Apropos / Subsearch:
optional field



dxaudit(8X)							  dxaudit(8X)



NAME

  dxaudit - Motif Interface for	the Audit Subsystem

SYNOPSIS

  /usr/tcb/bin/dxaudit

DESCRIPTION

  The dxaudit application is a Motif graphical user interface which can	be
  used to administer the audit subsystem.  Three major areas comprise the
  audit	subsystem: Control, Collection,	and Reporting.	Currently, dxaudit
  supports Collection and Reporting only.  See the auditd(8) reference page
  for details on administering the Control function.

  In order to invoke dxaudit, you must be the root user.

  Audit	Event Overview


  Audit	events are comprised of	the following types:

  System Calls
      System calls include all entry points into the UNIX kernel including
      habitat events which are denoted by the <habitat name>/<system call>,
      like `SystemV/open'.

  Trusted Events
      Trusted events are application-defined events which represent higher
      level activity.  For example, login is a trusted event.  To audit	a
      user login at the	system call level would	produce	many audit events,
      whereas to audit the login event would capture essentially the same
      information in a very concise way.

  Site Events
      Site events provide a mechanism for a site to extend the audit
      subsystem's list of audit	events.	 Site events can be defined in
      /etc/sec/site_events.  A site event can contain subevents	which are
      finer-grained audit events within	a site event.

  In addition to these events, the administrator can also combine any of the
  above	events into an event alias.  An	alias can also reference other
  aliases.  Aliases are	stored in /etc/sec/event_aliases.

  For each event, the administrator can	specify	whether	successful
  occurrences, failed occurrences or both are audited or used in a selection
  against a particular audit log.

  dxaudit presents audit events	in specialized Motif widgets that are
  designed to manage audit events.  Alias events are presented in one list
  and system calls, trusted events, and	site events are	presented in a list
  called Base/Site Events.  Once an event is selected, the auditing of
  Successful or	Failed occurrences can be set.	The lists can be managed in a
  global fashion such that by clicking one button the entire list is changed
  -- either by selecting or unselecting	the list of events or by switching
  the settings of the Success or Failure toggle	buttons.  In addition, dxau-
  dit provides interaction between aliases and base/site events	according to
  the following	rules:

   1.  When an alias is	selected, all of the events in that alias are also
       selected.  By default, the per-event Success/Failure setting will be
       to use what is contained	in the alias file.

   2.  Whenever	the Success/Failure setting is changed on an alias, all
       Success/Failure settings	for the	events in that alias will change to
       the same	setting.

   3.  When a Base/Site	event is unselected such that a	Selected Alias is no
       longer a	true representation, the alias will be unselected.

  dxaudit also allows the saving and restoring of event	masks in files so
  that frequently used event masks can be easily recalled.

  By default, dxaudit presents the list	of security relevant events as
  presented in /etc/sec/audit_events on	system installation. The administra-
  tor can configure dxaudit to use the entire list of audit events by using
  the auditUseSecEvents	X resource.  See the X RESOURCES section below for
  details.  If during execution, dxaudit encounters an unrecognized event
  from querying	some event mask, the user will be asked	if dxaudit should use
  full event mode or security relevant event mode.

  Collection Functions


  Modify System	Mask--Current or Default
      The Current System Mask is the system-wide event mask and	style set-
      tings currently in effect.  A system event mask can contain all event
      types except sub-events to site events.  This screen allows the
      administrator to query and change	the current system mask, and auditing
      styles (see auditmask(8) reference page).	 dxaudit also provides a
      screen via Edit->&gt;Object Selection/Deselection to access the capability
      to select	or deselect audit records regarding file activity before they
      are stored in the	audit trail.

      The Default System Mask is the value of the AUDITMASK_FLAG variable as
      stored in	the /etc/rc.config file.  This is essentially the default
      value of the system mask each time the system is booted.	The event
      mask and audit styles can	be queried and saved from this screen. If
      dxaudit detects that an event mask is exactly represented	by a
      loaded/saved file	on the system, then it will ask	the administrator if
      the default system mask should reference the file	name in	the
      AUDITMASK_FLAG variable or supply	the contents of	the file in the
      AUDITMASK_FLAG variable.	The former method provides a level of
      indirection so that the administrator could maintain the default mask
      by editing a file.

  Modify Active	Process	Mask
      This screen presents a list of the current active	processes on the sys-
      tem.  The	administrator can choose a process or a	group of processes
      running as the same login	user (same AUID), query	its current event
      mask and audit control flags, and	change them as necessary.  For active
      processes, the event mask	cannot contain habitat events or site events;
      however, a global	option to audit	habitat	events can be set.  Also,
      system call event	auditing can be	globally turned	off.





  Reporting Functions


  Modify Selection Files
      This screen allows the administrator to create, modify, or delete
      selection	files.	Selection files	contain	parameters which indicate how
      audit records will be selected from the raw audit	trail during report
      generation.  The selection parameters include things like	time inter-
      val, audit events, user id.  Any audit record matching the selection
      criteria will be displayed.  All types of	audit events can be used in a
      selection	file.

  Modify Deselection Files
      This screen allows the administrator to create, modify, or delete
      deselection files.  A deselection	file consists of tuples.  The tuple
      is comprised of a	host, audit ID,	real UID, event, file pathname,	and
      access mode.  A deselection file can be used to further reduce audit
      records when generating reports.	It can be used in combination with a
      selection	file.  Any audit record	matching the deselection criteria
      will be filtered out from	the report stream.

  Generate Reports
      This screen allows the administrator to view an audit report.  A selec-
      tion file, a deselection file,  and an audit log can be selected to
      generate a report.  Output options include generating a report to	a
      file, to a series	of files sorted	by audit ID, to	a window on the
      screen, or if audit is currently enabled,	to follow the current
      activity.	 Report	records	can be in brief	format or long format.	If in
      brief format, the	administrator can double click on the record and get
      a	pop-up of the long format.

X RESOURCES

  auditUseSecEvents
      This resource changes the	list of	events loaded into all list boxes
      with the Base/Site Events	heading.  Setting the value to True will use
      only security relevant audit events (the set found in
      /etc/sec/audit_events).  Setting the value to False will make dxaudit
      use all events on	the system. This includes all system calls, non-
      system events, etc.  It will slightly impact performance on screen map-
      ping of those screens containing the event list boxes.  It is recom-
      mended that security relevant events be used. The	default	value of this
      resource is true.

  auditPsOptions
      This resource changes the	display	of the Active Process List from	the
      Modify Active Process Mask screen.  Refer	to the ps(1) reference page
      for additional information.

  auditPsSortOrder
      This resource changes the	sorted order of	the ps(1) output in the
      Modify Active Process Mask screen.  Valid	options	are:

      ps  for ps(1) native order

      name
	  for alphabetic ordering by user name.	This is	the default value.

  auditMaxReportSections
      This resource tells dxaudit how many 256K	chunks of memory it can	allo-
      cate when	receiving audit	report data from audit_tool.  When the length
      of the report exceeds this amount	of memory, the oldest 256K chunk of
      data is discarded	as long	as the user is not viewing it at the moment.
      This discarded chunk cannot be accessed again unless the report is
      regenerated. The default setting for this	resource is 20.







FILES

  /usr/lib/X11/app-defaults/DXaudit
      System-wide X Resource file.

  /etc/sec/audit_events
      Security relevant	audit events

  /etc/sec/site_events
      Site specific audit events.

  /etc/sec/event_aliases
      Audit event alias	specification file.

  /var/tcb/audit/selection/
      Directory	containing the audit selection files.

  /var/tcb/audit/deselection/
      Directory	containing the audit deselection files.

SEE ALSO

  auditd(8), auditmask(8), audit_tool(8), audit_setup(8)