auditset(1M)


auditset -- select or display audit criteria

Synopsis

auditset [-d [-u user[,. . .] | -a]]

auditset [-s [operator]event[,. . .]]
[-e[operator]event[,. . .] -u user[,. . .]|-a]

Description

The auditset shell level command allows the administrator with the appropriate privileges to set or display the system and user audit criteria. The privileges required are audit, dacread, macread and setplevel.

To set or display user auditing criteria the specified user(s) must be active. If no options are supplied on the command line, then the System and User audit criteria are displayed.

The event input list must be separated by commas, and can be the name of an event class or event type. Event classes are defined in the /etc/security/audit/classes system file. Additionally, all and none may be used as event keywords. For the system and user audit criteria the keyword none is defined to be the set of fixed event types and the keyword all is defined to be the set of all fixed and pre-selectable event types. Keywords may not be intermixed with event classes or event types. You may specify only one keyword with each option; you may not, for example, specify both all and none for the system audit criteria.

The user input list must be separated by commas, and can be specified by either login name or uid. (Note: auditing is based on real uid).

Only one operator may be specified per option on the command line. Operators will be ignored when used with the keywords all and none. The following are the valid operator values:


[no operator]
Replace the current auditable event(s) with the specified input.

+
Add the specified auditable event(s) to the current audit criteria.

-
Delete the specified auditable event(s) from the current audit criteria.

!
All auditable events except those specified replace the current auditable events.

The following are the valid command line options.


-d
If no other options are given, display the current system audit criteria in the format:
   System Audit Criteria:
        system: all | none | events[,. . .]

-u user[,. . .] | -a
The -u and -a options are modifiers to the -d option and the -e option. The -u option is used to request a specific active user or a list of active users. The -a option is used to request all currently active users. The -u and -a options can not be used on the same command line. When used with the -e option user audit criteria is set (see explanation of -e option). When used with the -d option, the system audit criteria is displayed, followed by the user audit criteria for the given user(s). The format for the system audit criteria is given under the description for the -d option. The format for the user audit criteria display is:
   User Audit Criteria:
        user1 (uid1): all | none | events[,. . .]
        user2 (uid2): all | none | events[,. . .]

(user is the login name and uid the user ID).


-s [operator]event[,. . .]
Set the system wide auditing criteria. Any valid event type or event class will be recorded regardless of the current user criteria.

-e [operator]event[,. . .] -u user[,. . .] | -a
Set the auditing criteria for the specified active user(s) or all users. All processes belonging to the specified user(s) will have their auditing information updated.

Files

/etc/security/audit/classes

Diagnostics

When invoked successfully, the auditset command exits with a value of zero (0). If there are errors, it exits with one of the following values and prints the corresponding error message:

1
usage: auditset . . .

Invalid command syntax.


3
system service not installed

The audit package is not installed.


4
Permission denied

Failure because of insufficient privilege.


5
opendir() failed for directory /proc

Unable to obtain a list of the active users on the system.


10
auditevt() failed AGETSYS, errno = errno

A failure occurred while retrieving the system audit mask.


10
auditevt() failed AGETUSR, errno = errno

A failure occurred while retrieving a user's audit mask.


11
auditevt() failed ASETSYS, errno = errno

A failure occurred while setting the system audit mask.


11
auditevt() failed ASETUSR, errno = errno

A failure occurred while setting a user's audit mask.


12
auditctl() failed ASTATUS, errno = errno

A failure occurred while retrieving the status of auditing.


24
unable to allocate space

24
argvtostr() failed

The following warning messages may be displayed:


invalid or inactive user user specified
The argument to the -u option contained an invalid or inactive user.

References

auditoff(1M), auditon(1M), auditrpt(1M), useradd(1M), usermod(1M)

Notices

The auditset command sets audit criteria for users dynamically. When you set audit criteria for a user with the -e,-u,-a options, the criteria are in effect only for that login session. If the user logs out or logs in from another terminal, the criteria are no longer in effect. If you want to set audit criteria for all a user's login sessions, use either the useradd or usermod commands.
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 25 April 2004