Full Discussion: Auditing: how to enable?
Operating Systems SCO Auditing: how to enable? Post 302884089 by Scott on Friday 17th of January 2014 11:24:12 AM
And what's the point of giving the answer when you've deleted the question?
The question:
Quote:
I try to set audit on a SCO server by editing /etc/default/audit and setting it on, then rebooting, but it said:

auditset
UX:auditset: ERROR: system service not installed
auditlog
UX:auditlog: ERROR: system service not installed

How to enable it?
Thanks
audit_tool(8)						      System Manager's Manual						     audit_tool(8)

Name
       audit_tool - ULTRIX auditlog reduction tool

Syntax
       /usr/etc/sec/audit_tool [ option ... ] auditlog_filename

Description
       The audit_tool command presents a human-understandable format of selected portions of the collected audit data.  If no arguments
       are provided, a brief help message will be displayed.  The auditlog file may be compressed or uncompressed.  The command will
       uncompress the auditlog file if necessary, and re-compress it if it was originally compressed.

       Options are used to select specific audit records of interest.  For a record to be selected, it must match at least one option of
       each option type specified.  For example, if two usernames and one hostname were specified, an audit record to be selected would
       have to match one of the usernames and the hostname.  Only one start/end time may be selected.  Only one deselection rulesfile may
       be selected.  It is possible to select as many events as exist on the system.  For all other option types, up to 8 instances may
       be selected.

Options
       -a audit_id Selects audit records with a matching audit_id.  The default is to select for all audit_id's.

       -b	   Outputs selected records in binary format.  The output is in a format suitable for analysis by the The default is to output	in
		   ASCII format.

       -B          Outputs selected records in an abbreviated format.  Each selected event is displayed along with its audit_id, ruid,
                   result, error code, pid, event name, and parameter list.  Suppressed information includes the username, ppid, device
                   id, current directory, gnode information, symbolic name referenced by any descriptors, IP address, and timestamp.  The
                   default is to output in the non-abbreviated format.

       -d filename Reads deselection rules from the specified file and suppresses any records matching any of the deselection rules.  The
                   deselection rulesets take precedence over other selection options.  Each deselection rule is a tuple consisting of
                   hostname, audit_id, ruid, event, pathname, and flag.  The flag component is used to specify read or write mode; it
                   pertains only to open events.  Wildcarding and simple pattern matching are supported.  Take, for example, the
                   following lines from a deselection file:
                   # HOST, AUID, RUID, EVENT, PATHNAME, FLAG
                   * * * open /usr/lib/* r
                   grumpy * * * /usr/spool/rwho* *
                   These lines indicate that any open operations for read access on any object whose pathname starts with /usr/lib/ will
                   not be selected, and on system grumpy any operations performed on any object whose pathname starts with
                   /usr/spool/rwho will not be selected.  (Lines beginning with number signs (#) are treated as comment lines.)  Any field
                   can be replaced with an asterisk (*), which indicates a match with any value.  Pathname matching requires an exact
                   match between strings, unless the pathname is suffixed with an asterisk, which matches any string.  The default is to
                   apply no deselection rulesets.  (Specifying the option instead of will additionally print the deselection rulesets to
                   be applied.)

       -e event[:success:fail]
                   Selects records with a matching event.  Optionally select only those records with a successful/failed return value.
                   For example, the option selects for only failed open events.  Multiple events may be specified on the command line.
                   The default is to select for all events, both successful and failed.

       -E error    Selects records with a matching error.  The default is to select for all errors.

       -f          Causes audit_tool not to quit at end-of-file, but to continue attempting to read data.  This is useful for reviewing
                   auditlog data as it is being written by the audit daemon.  (For SMP systems, audit data should be sorted first, as
                   descriptor translation, loginname, current directory, and root directory all rely on state information maintained by
                   the reduction tool.)

       -g gnode_id Selects records with a matching gnode identifier number.  The default is to select for all gnode id's.

       -G gnode_dev major#,minor#
		   Selects records with matching gnode device major/minor numbers.  The default is to select for all gnode devices.

       -h hostname/IP address
		   Selects records with a matching hostname or IP address.  Hostnames are translated to their IP addresses via the local file.	If
		   the local is not available or contains insufficient information, IP addresses should be used.  The default is to select for all
		   hostnames and IP addresses.

       -i	   Enter interactive selection mode to specify options.  Interactive mode may also be entered by hitting CTRL/C at any time,  then
		   specifying  ``no'' to the exit prompt.  Once in interactive mode, each option will be selected for.	Press Return to accept the
		   current setting (or default); enter an asterisk (*) to change the current setting back to the  default.   The  default,  unless
		   otherwise stated, is to select every audit record.

       -o          Whenever the audit daemon switches auditlogs, an audit_log_change event is generated.  If that event did result in an
                   auditlog change (that is, it was an event which occurred on the local system), audit_tool will normally attempt to
                   find and process the succeeding auditlog.  This is possible, however, only if the auditlog is maintained locally.  The
                   -o option tells audit_tool not to process succeeding auditlogs.

       -p pid	   Selects records with a matching pid.  The default is to select for all pids.

       -P ppid	   Selects records with a matching parent pid (ppid).  The default is to select for all ppids.

       -r ruid     Selects records with a matching real uid (ruid).  The default is to select for all ruids.

       -R	   Generates an ASCII report for each audit_id found in the selected events.  Each report consists of those events selected  which
		   have an audit_id matching that of report suffix.  Report names are of the format report.xxxx, where xxxx is the audit_id.

       -s string   Selects  records  which  contain  string  in  either a parameter field or a descriptor field.  The default is to select for all
		   strings.

       -S	   Performs a sort (by time) on the auditlog.  The sort performed is an inter-cpu sort only (for any specific  cpu,  data  may	be
		   non-sequential  for	events	such  as  fork	and vfork; this information does not need to be sorted for proper operation of the
		   reduction tool).  This option is useful only for data collected on an SMP system.

       -t start_time
		   Selects records which contain a timestamp no earlier than start_time.  Timestamp format is yymmdd[hh[mm[ss]]].  The default	is
		   to select for all timestamps.

       -T end_time Selects records which contain a timestamp no later than end_time.  Timestamp format is yymmdd[hh[mm[ss]]].  The default
                   is to select for all timestamps.
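As an added illustration (not code from the man page or from ULTRIX), the following Python sketch implements the deselection-rule matching described under -d and the timestamp windowing of -t/-T over already-parsed records. The names Record, parse_rules, deselected, in_window and select are chosen here, the sample records are constructed, and comparing a short yymmdd bound at its own precision is an assumption about how partial timestamps are meant to behave.

```python
from collections import namedtuple

# Fields a deselection rule can test, plus a yymmddhhmmss timestamp for -t/-T.
Record = namedtuple("Record", "host auid ruid event path flag ts")

def parse_rules(text):
    """One 'HOST AUID RUID EVENT PATHNAME FLAG' rule per line; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != 6:
            raise ValueError(f"rule needs 6 fields: {line!r}")
        rules.append(tuple(fields))
    return rules

def path_matches(pattern, path):
    """Exact match unless the pattern ends in '*', which then matches any suffix."""
    return path.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == path

def deselected(rec, rules):
    """True if any rule matches; '*' matches anything and FLAG only applies to open."""
    for host, auid, ruid, event, path, flag in rules:
        if (host in ("*", rec.host) and auid in ("*", rec.auid)
                and ruid in ("*", rec.ruid) and event in ("*", rec.event)
                and path_matches(path, rec.path)
                and (rec.event != "open" or flag in ("*", rec.flag))):
            return True
    return False

def in_window(ts, start=None, end=None):
    """Bounds are yymmdd[hh[mm[ss]]]; assumption: a shorter bound is compared at its
    own precision, so an end of '860420' includes all of 20 April 1986."""
    return not ((start and ts[:len(start)] < start) or (end and ts[:len(end)] > end))

def select(records, rules, start=None, end=None):
    """Roughly 'audit_tool -d rules -t start -T end' over already-parsed records."""
    return [r for r in records if not deselected(r, rules) and in_window(r.ts, start, end)]

# Constructed sample input; not taken from a real auditlog.
RULES = parse_rules("# HOST, AUID, RUID, EVENT, PATHNAME, FLAG\n"
                    "* * * open /usr/lib/* r\n"
                    "grumpy * * * /usr/spool/rwho* *\n")
SAMPLE = [
    Record("grumpy", "1123", "0", "open", "/usr/lib/libc.a", "r", "860413104700"),  # rule 1 drops it
    Record("happy", "1123", "0", "open", "/usr/lib/libc.a", "w", "860413104800"),   # kept: write, not read
    Record("grumpy", "1123", "0", "unlink", "/usr/spool/rwho.tmp", "", "860414120000"),  # rule 2 drops it
    Record("happy", "1123", "0", "unlink", "/usr/spool/rwho.tmp", "", "860421090000"),   # kept, but after -T
]
```

Running select(SAMPLE, RULES, "8604131047", "8604201730") keeps only the second record: the first and third are suppressed by the rules, and the fourth falls after the -T bound.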

       -u uid	   Selects audit records with a matching uid.  The default is to select for all uid's.

       -U username Selects audit records with a matching username.  Usernames are recorded at the login event and are associated  with	all  child
		   processes.	If login is not audited, no username will be present in the auditlog.  Selecting for a username will display those
		   records which have a matching username.  The default is to select for all usernames.

       -x major#,minor#
		   Selects audit records with matching device major/minor numbers.  The default is to select for all devices.

       The audit reduction tool generates auditlog header files, suffixed with .hdr, when it completes processing of an auditlog file.  If
       the -o option is used, no auditlog header file is generated.  This header file contains the time range in which the audited
       operations occurred, so searching for events by time requires only those auditlogs which were actually written into during that
       time to be processed by the reduction tool.  The header file also contains the sort status of the auditlog, so previously sorted
       logs don't get sorted more than once.

Restrictions
       The audit reduction tool maintains the state of each process in order to translate descriptors back to pathnames, as well as
       provide current working directory, root, and username.  In order not to run out of memory, should be an audited event.  In order
       to provide current working directory, should be an audited event.  In order to provide current root (if not /), should be an
       audited event.  In order to provide username, login should be an audited event.

       All state relevant information current at the time of an auditlog change is maintained in the header file.  This allows subsequent scans of
       a specific auditlog to not have any dependencies on previous auditlogs.

Examples
       The following example selects all login, open and creat events performed on system grumpy by any process with audit_id 1123:
       audit_tool -e login -e open -e creat -h grumpy -a 1123 auditlog.000

       The  following  example	applies  deselection file deselect to auditlog.000 and selects for events between 10:47 a.m. on April 13, 1986 and
       5:30 p.m. on April 20, 1986:
       audit_tool -d deselect -t 8604131047 -T 8604201730 auditlog.000

See Also
       auditd(8), auditmask(8)
