Full Discussion: Auditing: how to enable?
Operating Systems > SCO
Post 302884089 by Scott on Friday 17th of January 2014 11:24:12 AM
And what's the point of giving the answer when you've deleted the question?


The question:
Quote:
I tried to set up audit on an SCO server by editing /etc/default/audit, setting it on, and rebooting, but it said:

auditset
UX:auditset: ERROR: system service not installed
auditlog
UX:auditlog: ERROR: system service not installed

How do I enable it?
Thanks

auditd(8)                                     System Manager's Manual                                     auditd(8)

NAME
       auditd - Audit daemon

SYNOPSIS
       /usr/sbin/auditd [ options ... ]

FLAGS
   Audit Data and Messages
       -c console
              Sets the pathname to which the audit daemon will post any warning or informational messages (such as "audit log change"). This may be either syslog, a device, or a local file. By default, messages are logged by syslogd to daemon.log.

       -h     Outputs a brief help menu.

       -l hostname
              Causes the audit daemon to transfer its audit data to the audit daemon executing on the remote host hostname. If the remote site stops receiving, the local daemon will store its data locally as specified with the -o and -r options to auditd.

       -l pathname
              Causes the audit daemon to output its audit data to the local file pathname.

       -q     Queries the audit daemon for the current location of the audit data.

   Audit in a Cluster
       -cluster
              Executes auditd across each active member of a cluster. The following auditd options are not supported when the -cluster option is used: -l hostname (-l pathname is supported), -p, -s, -t, -u, -z. The auditd options that are supported under -cluster are as follows: -h, -q, -d, -r, -w, -x, -n, -f, -o, -c.

              -c     Each cluster member may write to the same console file or its own syslogd file.

              -l pathname
                     The default audit log pathname is /var/audit/auditlog.hostname.nnn. In a cluster, hostname becomes membername. If the log file name does not already include it, each cluster member appends a dot (.) followed by the hostname. This prevents file name collisions in clusters. Domain names are removed from the host names.

              -k     Note that a local auditd must be running in order to kill other members of a cluster.

   Audit Control
       -d [freq]
              Causes the audit subsystem to dump its currently buffered audit data (from the kernel and the daemon) out to the configured host or log file. The audit daemon normally dumps its buffer only when it approaches capacity. If a frequency (freq) is specified, the audit daemon dumps its data at the specified frequency. The freq is specified as n[wdhms] for weeks, days, hours, minutes, and seconds. For example, to dump the audit daemon data every 36 hours use the -d 1d12h option. Specifying 0s (zero seconds) disables the previously specified frequency.

       -k     Terminates the audit daemon (terminating the local daemon turns audit off).

       -p id  Specifies the ID of the audit daemon to receive the current options. When the local audit daemon accepts a connection to receive data from a remote audit daemon, a dedicated child audit daemon is spawned off from the local audit daemon to service that connection. With this scenario, multiple audit daemons may exist on a single system. Specifying the ID of the auditd allows for communication with one of the child audit daemons. The ID for each daemon can be found by entering the following at the command line:

                     # /usr/sbin/auditd -w

              The previous command line displays the current options. No IDs are displayed unless at least one child audit daemon exists. If the -p option is not specified when running with more than one audit daemon, the master daemon (accepting audit data for the local system) handles the request. When the master daemon is terminated, it terminates all of its child daemons.

       -r     Reads a list of directories into which auditd may switch its audit log file when an overflow condition is reached. The list is maintained in /etc/sec/auditd_loc. The maximum size of the list (/etc/sec/auditd_loc) is 8 Kbytes. The -r option is used when the overflow action is set to changeloc (auditd -o changeloc).

       -w     Shows the current status of the audit daemon's options.

       -x     Auditlog pathnames are always appended with a suffix consisting of a generation number. These generation numbers range from 000 to 999. (Generation numbers may be overridden with an explicit generation number specification on the pathname for the -l option, for example auditlog.hostname.345.) The -x option causes a change in auditlog to the next auditlog in the generation number sequence. (If the current log was auditlog.hostname.345, then -x would change the log to auditlog.hostname.346.) Whenever an auditlog is closed, it is also compressed (by /usr/ucb/compress).

       -z     This option is used to start the audit daemon server on a system not configured for audit. The -z option removes any AF_UNIX sockets left by previous daemons. This situation can occur when the system shuts down abnormally. If no AF_UNIX socket is present, the next invocation of auditd will start the daemon. If an AF_UNIX socket is present, the next invocation of auditd spawns a client process which communicates with the system audit daemon. The -z option should be used only when no audit daemon is present on the system.

   Network
       -n size
              Sets the size of the audit daemon's buffer for the audit data (minimum is 4).

       -s     Toggles the network server switch. If on, allows the audit daemon to accept audit data from other audit daemons whose host names are specified in the /etc/sec/auditd_clients file.

       -t timeout
              Sets the timeout value used in establishing initial connections with remote audit daemons.

       -u     Instructs the client audit daemon to not require acknowledgement from the server (the machine collecting audit data) for the receipt of audit data sent over the network. The -u option is used for compatibility with servers that are running versions of DIGITAL UNIX prior to Version 4.0D.

   Overflow Control
       -f percent
              Sets the minimum percent free space on the current partition before an overflow condition is triggered.

       -o action
              Sets the action that auditd takes on an overflow condition. The following actions are available for the -o option: change to the next directory or host machine (auditd on the host machine determines the path) as specified in the /etc/sec/auditd_loc file (changeloc); suspend auditing; overwrite the current audit log file, which causes the loss of previously logged audit data; terminate the audit daemon; or immediately halt the system by doing a reboot.

DESCRIPTION
       The audit daemon, auditd, operates as a server, monitoring /dev/audit for local audit data, monitoring a known port for data from remote cooperating audit daemons, and monitoring an AF_UNIX socket for input from the system administrator.

       Local audit data is shared with the /dev/audit device, and eventually is sent to the auditlog when the buffer nears capacity or the daemon receives an explicit instruction from the administrator to flush its buffer.

       Local administrative data is read via the socket /dev/.audit/audS. Input from the system administrator allows for changing of the daemon's configurable options. The administrator communicates with the audit daemon by executing auditd with the desired options. The first invocation of auditd spawns the daemon; subsequent invocations detect that an audit daemon already exists and will communicate with it, passing along directions for the selected options. The first invocation of the daemon also turns on auditing for the system (audcntl(2)). When the daemon is terminated, by the -k option or the SIGTERM signal, auditing is turned off. It is important not to have system auditing turned on when there is no audit daemon running on the system (processes being audited will sleep on resources under control of the audit system).

       Remote audit data is first detected when a client (remote) audit daemon attempts to communicate with the server (local) audit daemon. To establish a communications path between the client and the server daemons, the client's host name is first checked against a list of hosts allowed to transmit data to the server. This list is maintained on the server in /etc/sec/auditd_clients. If the client is allowed to transfer audit data to the server, a child audit daemon dedicated to communicating with that client is spawned. Any data transferred from the client to the server is acknowledged (ack'ed) by the server. If the data transfer fails, the client follows its "overflow" option. For communication with servers on systems prior to Version 4.0D, the client must use the -u option, because data acknowledgment was not used on earlier systems.

       The audit daemon can be terminated by using either of the following commands:

              # rcmgr -c delete AUDITMASK_FLAG
              # rcmgr -c delete AUDITD_FLAG

       or

              # auditmask [-cluster] -n
              # auditd [-cluster] -dk

   Running auditd in a Cluster
       The auditd daemon runs on each member of a cluster and logs to a common /var/audit directory by default. Audit log files now include the host name to prevent file name overlap. The -cluster option can be used to modify each active member of a cluster. Restrictions are noted in the -cluster flag's description. When reading a file with the -cluster option, make sure the file is visible to each cluster member.

FILES
       /dev/audit
              Device monitored by the daemon for local audit data.
       /dev/.audit/audS
              AF_UNIX socket through which the daemon reads administrative input.
       /etc/sec/auditd_clients
              Hosts allowed to transmit audit data to this server.
       /etc/sec/auditd_loc
              Directories into which the audit log may be switched on overflow (changeloc).
       /var/audit/auditlog.hostname.nnn
              Default audit log pathname.

RELATED INFORMATION
       Commands: auditconfig(8)
       Functions: audcntl(2)
       Files: audit(7)
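Three rules from the man page above are easy to get wrong when scripting around auditd: the n[wdhms] syntax of the -d frequency, the cluster rule that appends the domain-stripped member name to the log pathname, and the 000..999 generation suffix that -x steps through. The following is an added example, not code from the man page or from the forum thread, that models those three rules in Python so a wrapper script can validate its arguments before handing them to the daemon. The function names, the error handling, and the choice to refuse to step past generation 999 (the page gives 999 as the end of the range but does not say what happens next) are this example's own assumptions.

```python
"""Helpers modelling three rules from the Tru64 auditd(8) man page.

Added example, not part of the man page or the forum thread.  Function
names, error handling, and the refusal to step past generation 999 are
assumptions made here, not behaviour the page documents.
"""
import re

# Unit letters accepted by the -d freq option, expressed in seconds.
_UNITS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
_TOKEN = re.compile(r"(\d+)([wdhms])")


def parse_dump_freq(spec: str) -> int:
    """Parse an n[wdhms] frequency such as '1d12h' into seconds.

    Returns 0 for '0s', which the page says disables a previously set
    frequency.  Anything that is not a clean run of <number><unit>
    tokens is rejected rather than silently accepted: a flush interval
    that never fires is a quiet way to lose buffered audit records when
    the system goes down abnormally.
    """
    spec = spec.strip().lower()
    if not spec:
        raise ValueError("empty frequency specification")
    pos, total = 0, 0
    for m in _TOKEN.finditer(spec):
        if m.start() != pos:
            raise ValueError(f"unexpected text in frequency: {spec!r}")
        total += int(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    if pos != len(spec):
        raise ValueError(f"unexpected text in frequency: {spec!r}")
    return total


def cluster_log_name(pathname: str, member: str) -> str:
    """Apply the -cluster naming rule to a -l pathname.

    The domain is removed from the member name and '.member' is appended
    unless the file name already carries that component, so two members
    never collide on a shared /var/audit directory.
    """
    short = member.split(".", 1)[0]
    directory, _, base = pathname.rpartition("/")
    if short in base.split(".")[1:]:
        return pathname
    base = f"{base}.{short}"
    return f"{directory}/{base}" if directory else base


def next_generation(logname: str) -> str:
    """Return the file -x would switch to: the same name with its
    three-digit generation suffix (000..999) incremented by one."""
    stem, dot, gen = logname.rpartition(".")
    if not dot or not re.fullmatch(r"\d{3}", gen):
        raise ValueError(f"no nnn generation suffix on {logname!r}")
    if gen == "999":
        # Assumption: the page ends the range at 999 without saying what
        # follows, so this helper refuses instead of guessing at a wrap.
        raise ValueError("generation number exhausted")
    return f"{stem}.{int(gen) + 1:03d}"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real system.
    print(parse_dump_freq("1d12h"))                                # 129600
    print(cluster_log_name("/var/audit/auditlog", "node1.example.com"))
    print(next_generation("/var/audit/auditlog.node1.345"))
```

Used from a wrapper, `parse_dump_freq` lets the script reject a mistyped `-d` value before auditd is started with an interval it did not intend, and `cluster_log_name` plus `next_generation` reproduce the file name the daemon will actually open, which is what a collector or rotation job should watch rather than the bare `-l` argument.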