dxaudit(8X)
NAME
dxaudit - Motif Interface for the Audit Subsystem
SYNOPSIS
/usr/tcb/bin/dxaudit
DESCRIPTION
The dxaudit application is a Motif graphical user interface that can be
used to administer the audit subsystem. Three major areas comprise the
audit subsystem: Control, Collection, and Reporting. Currently, dxaudit
supports Collection and Reporting only. See the auditd(8) reference page
for details on administering the Control function.
You must be the root user to invoke dxaudit.
Audit Event Overview
Audit events are of the following types:
System Calls
System calls include all entry points into the UNIX kernel, including
habitat events, which are denoted as <habitat name>/<system call>, for
example `SystemV/open'.
Trusted Events
Trusted events are application-defined events that represent higher
level activity. For example, login is a trusted event. Auditing a
user login at the system call level would produce many audit events,
whereas auditing the login event captures essentially the same
information in a very concise way.
Site Events
Site events provide a mechanism for a site to extend the audit
subsystem's list of audit events. Site events can be defined in
/etc/sec/site_events. A site event can contain subevents which are
finer-grained audit events within a site event.
In addition to these events, the administrator can also combine any of the
above events into an event alias. An alias can also reference other
aliases. Aliases are stored in /etc/sec/event_aliases.
For each event, the administrator can specify whether successful
occurrences, failed occurrences or both are audited or used in a selection
against a particular audit log.
dxaudit presents audit events in specialized Motif widgets designed to
manage audit events. Alias events are presented in one list; system calls,
trusted events, and site events are presented in a list called Base/Site
Events. Once an event is selected, the auditing of Successful or Failed
occurrences can be set. The lists can be managed globally, so that clicking
one button changes the entire list, either by selecting or unselecting every
event or by switching the settings of the Success or Failure toggle buttons.
In addition, dxaudit enforces the following interaction between aliases and
base/site events:
1. When an alias is selected, all of the events in that alias are also
selected. By default, each event's Success/Failure setting is taken
from the alias file.
2. Whenever the Success/Failure setting is changed on an alias, the
Success/Failure settings of all events in that alias change to the
same setting.
3. When a Base/Site event is unselected such that a selected alias no
longer accurately represents its events, the alias is unselected.
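The three rules above are easy to get wrong when aliases nest, so here is a small model of them as an added example. It is illustration code, not part of dxaudit, and the alias table in it is constructed: the real definitions live in /etc/sec/event_aliases, whose syntax this page does not describe. How a nested alias reference carries its own Success/Failure settings (here: the nested alias's own member settings are used) is an assumption.

```python
"""Model of the alias / base-event interaction rules dxaudit applies to an
event mask.  Added example, not dxaudit's own code; ALIASES is constructed."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Per-event setting: (audit successful occurrences?, audit failed occurrences?)
Setting = Tuple[bool, bool]

# Constructed alias definitions: alias -> {member: setting}.  A member may itself
# be an alias; its own member settings are then used (assumption, see lead-in).
ALIASES: Dict[str, Dict[str, Setting]] = {
    "session": {"login": (True, True), "logout": (True, False)},
    "access":  {"open": (True, True), "session": (True, True)},
}


@dataclass
class EventMask:
    aliases: Dict[str, Dict[str, Setting]]
    events: Dict[str, Setting] = field(default_factory=dict)  # selected base/site events
    selected_aliases: Set[str] = field(default_factory=set)

    def _expand(self, alias: str, seen: Tuple[str, ...] = ()) -> Tuple[Dict[str, Setting], Set[str]]:
        """Flatten an alias into (base events with settings, aliases it references)."""
        if alias in seen:
            raise ValueError("alias cycle: " + " -> ".join(seen + (alias,)))
        base: Dict[str, Setting] = {}
        nested: Set[str] = set()
        for member, setting in self.aliases[alias].items():
            if member in self.aliases:
                sub_base, sub_nested = self._expand(member, seen + (alias,))
                base.update(sub_base)
                nested |= {member} | sub_nested
            else:
                base[member] = setting
        return base, nested

    def select_alias(self, alias: str) -> None:
        """Rule 1: selecting an alias selects every event in it, with the
        Success/Failure settings from the alias file."""
        base, nested = self._expand(alias)
        self.events.update(base)
        self.selected_aliases |= {alias} | nested

    def set_alias(self, alias: str, setting: Setting) -> None:
        """Rule 2: changing an alias's setting changes every member event."""
        base, nested = self._expand(alias)
        for ev in base:
            self.events[ev] = setting
        self.selected_aliases |= {alias} | nested

    def unselect_event(self, event: str) -> None:
        """Rule 3: unselecting a base/site event unselects any selected alias
        that no longer accurately represents its members."""
        self.events.pop(event, None)
        for alias in list(self.selected_aliases):
            if event in self._expand(alias)[0]:
                self.selected_aliases.discard(alias)


def demo() -> EventMask:
    m = EventMask(aliases=ALIASES)
    m.select_alias("access")               # open, login, logout (+ nested alias "session")
    m.set_alias("session", (False, True))  # login/logout now audit failures only
    m.unselect_event("open")               # "access" is no longer true; "session" still is
    return m


if __name__ == "__main__":
    print(demo())
```

Note the cycle check in `_expand`: since aliases may reference other aliases, a mask tool that expands them recursively needs it, or a malformed alias file hangs the expansion.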
dxaudit also allows the saving and restoring of event masks in files so
that frequently used event masks can be easily recalled.
By default, dxaudit presents the list of security relevant events as
installed in /etc/sec/audit_events. The administrator can configure dxaudit
to use the entire list of audit events by setting the auditUseSecEvents X
resource; see the X RESOURCES section below for details. If, during
execution, dxaudit encounters an unrecognized event while querying an event
mask, the user is asked whether dxaudit should switch to full event mode or
stay in security relevant event mode.
Collection Functions
Modify System Mask--Current or Default
The Current System Mask is the system-wide event mask and style
settings currently in effect. A system event mask can contain all
event types except sub-events of site events. This screen allows the
administrator to query and change the current system mask and the auditing
styles (see the auditmask(8) reference page). dxaudit also provides a
screen, via Edit->Object Selection/Deselection, for selecting or
deselecting audit records about file activity before they are stored in
the audit trail.
The Default System Mask is the value of the AUDITMASK_FLAG variable as
stored in the /etc/rc.config file. This is essentially the default
value of the system mask each time the system is booted. The event
mask and audit styles can be queried and saved from this screen. If
dxaudit detects that an event mask is exactly represented by a
loaded/saved file on the system, then it will ask the administrator if
the default system mask should reference the file name in the
AUDITMASK_FLAG variable or supply the contents of the file in the
AUDITMASK_FLAG variable. The former method provides a level of
indirection so that the administrator could maintain the default mask
by editing a file.
Modify Active Process Mask
This screen presents a list of the current active processes on the
system. The administrator can choose a process or a group of processes
running as the same login user (same AUID), query its current event
mask and audit control flags, and change them as necessary. For active
processes, the event mask cannot contain habitat events or site events;
however, a global option to audit habitat events can be set. Also,
system call event auditing can be globally turned off.
Reporting Functions
Modify Selection Files
This screen allows the administrator to create, modify, or delete
selection files. Selection files contain parameters that indicate how
audit records are selected from the raw audit trail during report
generation. The selection parameters include the time interval, audit
events, and user ID. Any audit record matching the selection criteria
will be displayed. All types of audit events can be used in a selection
file.
Modify Deselection Files
This screen allows the administrator to create, modify, or delete
deselection files. A deselection file consists of tuples. The tuple
is comprised of a host, audit ID, real UID, event, file pathname, and
access mode. A deselection file can be used to further reduce audit
records when generating reports. It can be used in combination with a
selection file. Any audit record matching the deselection criteria
will be filtered out from the report stream.
Generate Reports
This screen allows the administrator to view an audit report. A
selection file, a deselection file, and an audit log can be selected
to generate a report. Output options include generating a report to a
file, to a series of files sorted by audit ID, to a window on the
screen, or, if audit is currently enabled, following the current
activity. Report records can be in brief format or long format. In
brief format, the administrator can double-click a record to get a
pop-up of the long format.
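The report pipeline described under Modify Selection Files, Modify Deselection Files, and Generate Reports is shown below as an added example: a selection (time interval, events with Success/Failure flags, audit IDs) picks records from the log, then deselection tuples of (host, audit ID, real UID, event, pathname, access mode) drop records from that stream. This is illustration code, not dxaudit's or audit_tool's; the page gives no file formats, so the record layout, the `"*"` wildcard for a tuple field, and the sample log are assumptions and constructed data.

```python
"""Selection then deselection over an audit log, as dxaudit's Generate Reports
screen combines them.  Added example; record layout, "*" wildcard and the
sample log are assumptions, not audit_tool's formats."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class AuditRecord:
    time: datetime
    host: str
    auid: int                   # audit ID: the login identity, kept across su(1)
    ruid: int                   # real UID at the time of the event
    event: str                  # e.g. "login", "open", "SystemV/open"
    success: bool
    path: Optional[str] = None  # object pathname, for file activity
    mode: Optional[str] = None  # access mode, for file activity


@dataclass
class Selection:
    """Selection file: a record is kept only if it satisfies every given parameter."""
    start: Optional[datetime] = None
    end: Optional[datetime] = None
    # event -> (select successes?, select failures?); None means any event
    events: Optional[Dict[str, Tuple[bool, bool]]] = None
    auids: Optional[Set[int]] = None

    def matches(self, r: AuditRecord) -> bool:
        if self.start is not None and r.time < self.start:
            return False
        if self.end is not None and r.time > self.end:
            return False
        if self.auids is not None and r.auid not in self.auids:
            return False
        if self.events is not None:
            flags = self.events.get(r.event)
            if flags is None:
                return False
            want_success, want_failure = flags
            if not (want_success if r.success else want_failure):
                return False
        return True


WILDCARD = "*"  # assumption: a tuple field of "*" matches any value


@dataclass(frozen=True)
class Deselection:
    """One deselection tuple; a record matching every field is dropped."""
    host: str
    auid: str
    ruid: str
    event: str
    path: str
    mode: str

    def matches(self, r: AuditRecord) -> bool:
        wanted = (self.host, self.auid, self.ruid, self.event, self.path, self.mode)
        actual = (r.host, str(r.auid), str(r.ruid), r.event, r.path or "", r.mode or "")
        return all(w == WILDCARD or w == a for w, a in zip(wanted, actual))


def generate_report(log: Sequence[AuditRecord], selection: Selection,
                    deselections: Sequence[Deselection]) -> List[AuditRecord]:
    """Selection first, then deselection, in the order the page describes."""
    selected = [r for r in log if selection.matches(r)]
    return [r for r in selected if not any(d.matches(r) for d in deselections)]


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample audit log (not real audit_tool output).
SAMPLE_LOG: List[AuditRecord] = [
    AuditRecord(_t("2024-05-01T09:00:00"), "hostA", 1001, 1001, "login", True),
    AuditRecord(_t("2024-05-01T09:01:00"), "hostA", 1001, 1001, "open", True, "/etc/passwd", "r"),
    AuditRecord(_t("2024-05-01T09:02:00"), "hostA", 1001, 0, "open", False, "/etc/shadow", "r"),
    AuditRecord(_t("2024-05-01T09:03:00"), "hostA", 1001, 1001, "open", True, "/tmp/scratch", "w"),
    AuditRecord(_t("2024-05-01T09:10:00"), "hostB", 1002, 1002, "login", False),
    AuditRecord(_t("2024-05-02T01:00:00"), "hostA", 1001, 1001, "open", False, "/etc/shadow", "r"),
]


def example_report() -> List[AuditRecord]:
    """Everything AUID 1001 did on 1 May, minus its scratch-file writes."""
    selection = Selection(start=_t("2024-05-01T00:00:00"), end=_t("2024-05-01T23:59:59"),
                          events={"login": (True, True), "open": (True, True)}, auids={1001})
    deselections = [Deselection("*", "*", "*", "open", "/tmp/scratch", "w")]
    return generate_report(SAMPLE_LOG, selection, deselections)


if __name__ == "__main__":
    for r in example_report():
        print(r.time.isoformat(), r.host, r.auid, r.ruid, r.event,
              "ok" if r.success else "fail", r.path or "", r.mode or "")
```

Selecting on the audit ID rather than the real UID is what keeps the failed read of /etc/shadow in the report even though it happened with real UID 0 after a switch of identity; a deselection tuple that names the real UID, on the other hand, removes only the records made under that identity.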
X RESOURCES
auditUseSecEvents
This resource changes the list of events loaded into all list boxes
with the Base/Site Events heading. Setting the value to True uses only
security relevant audit events (the set found in /etc/sec/audit_events).
Setting the value to False makes dxaudit use all events on the system,
including all system calls, non-system events, and so on. This slightly
slows the screen mapping of screens containing the event list boxes.
Using security relevant events is recommended. The default value of this
resource is True.
auditPsOptions
This resource changes the display of the Active Process List from the
Modify Active Process Mask screen. Refer to the ps(1) reference page
for additional information.
auditPsSortOrder
This resource changes the sort order of the ps(1) output in the
Modify Active Process Mask screen. Valid options are:
ps
for ps(1) native order.
name
for alphabetic ordering by user name. This is the default value.
auditMaxReportSections
This resource tells dxaudit how many 256K chunks of memory it can
allocate when receiving audit report data from audit_tool. When the
length of the report exceeds this amount of memory, the oldest 256K
chunk of data is discarded as long as the user is not viewing it at the
moment. This discarded chunk cannot be accessed again unless the
report is regenerated. The default setting for this resource is 20.
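The practical consequence of this resource is that the start of a long report can silently disappear from the window. The following added example models that behaviour (it is illustration code, not dxaudit's). The section size is a parameter here only so the limit can be exercised with small inputs; that the buffer is allowed to exceed the limit while the user is viewing the oldest section, until they move on, is an assumption about what "as long as the user is not viewing it" means.

```python
"""Bounded report buffer in the style of auditMaxReportSections: at most
max_sections sections of report data are kept; past the limit the oldest
section is discarded unless it is the one on screen.  Added example, not
dxaudit's code; behaviour while viewing the oldest section is assumed."""
from typing import List, Optional

SECTION_BYTES = 256 * 1024  # the 256K chunk size the resource describes


class ReportBuffer:
    def __init__(self, max_sections: int = 20, section_bytes: int = SECTION_BYTES):
        self.max_sections = max_sections
        self.section_bytes = section_bytes
        self.sections: List[bytearray] = []  # sections[0] is the oldest retained
        self.first_seq = 0                   # sequence number of sections[0]
        self.viewing: Optional[int] = None   # sequence number currently on screen
        self.discarded = 0

    def append(self, data: bytes) -> None:
        """Add report output, filling the newest section before starting another."""
        while data:
            if not self.sections or len(self.sections[-1]) >= self.section_bytes:
                self.sections.append(bytearray())
            room = self.section_bytes - len(self.sections[-1])
            self.sections[-1] += data[:room]
            data = data[room:]
            self._trim()

    def _trim(self) -> None:
        while len(self.sections) > self.max_sections:
            if self.viewing == self.first_seq:  # never drop what the user is reading
                return
            self.sections.pop(0)
            self.first_seq += 1
            self.discarded += 1

    def view(self, seq: int) -> Optional[bytes]:
        """Return section `seq`, or None if it was discarded (regenerate the report)."""
        idx = seq - self.first_seq
        if idx < 0 or idx >= len(self.sections):
            return None
        self.viewing = seq
        return bytes(self.sections[idx])

    def count(self) -> int:
        """Total sections ever produced, retained or not."""
        return self.first_seq + len(self.sections)


def demo():
    buf = ReportBuffer(max_sections=2, section_bytes=4)
    buf.append(b"AAAABBBBCCCC")  # three sections; the oldest (seq 0) is discarded
    first = buf.view(0)          # None: gone until the report is regenerated
    buf.view(1)                  # user is now reading seq 1
    buf.append(b"DDDD")          # seq 1 is on screen, so it survives the trim
    return buf, first


if __name__ == "__main__":
    buf, first = demo()
    print("discarded:", buf.discarded, "retained:", len(buf.sections), "first:", first)
```

When a report matters as evidence, write it to a file (one of the Generate Reports output options) rather than relying on the window, since anything trimmed from the window is only recoverable by regenerating the report.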
FILES
/usr/lib/X11/app-defaults/DXaudit
System-wide X Resource file.
/etc/sec/audit_events
Security relevant audit events
/etc/sec/site_events
Site specific audit events.
/etc/sec/event_aliases
Audit event alias specification file.
/var/tcb/audit/selection/
Directory containing the audit selection files.
/var/tcb/audit/deselection/
Directory containing the audit deselection files.
SEE ALSO
auditd(8), auditmask(8), audit_tool(8), audit_setup(8)