audsys.1m (2010 09)

audsys(1M) audsys(1M)
The user must be careful to select audit trails that reside on file systems large enough to accommodate
the AuditFileSwitch (AFS) desired.
audsys returns a non-zero status and no action is performed if any of the following situations occur:
  • The AuditFileSwitch (AFS) size specified for either audit trail exceeds the space available on the
    file system where the trail resides.
  • The AFS size specified for either audit trail is less than the trail's current size.
  • The audit trail resides on a file system with no remaining user space (exceeds minfree; see the
    -m minfree option in tunefs(1M)).
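The refusal conditions listed above can be checked before audsys is invoked. The following sh script is an added example, not part of the HP-UX manual page: the function names and return codes are hypothetical, and it assumes POSIX df -Pk and du -sk output and reads "space available" as the df available column.

```shell
#!/bin/sh
# Added example (not from the HP-UX manual page). Function names and return
# codes are hypothetical; "space available" is read as the df available column.

# afs_verdict AFS_KB AVAIL_KB CUR_KB
# returns 0 = acceptable, 1 = no remaining user space,
#         2 = AFS size exceeds available space,
#         3 = AFS size is below the trail's current size
afs_verdict() {
    afs=$1; avail=$2; cur=$3
    [ "$avail" -gt 0 ] || return 1
    [ "$afs" -le "$avail" ] || return 2
    [ "$afs" -ge "$cur" ] || return 3
    return 0
}

# trail_check TRAIL AFS_KB
# Collects the numbers for one trail and applies afs_verdict.
# Returns 4 if the file system could not be measured.
trail_check() {
    trail=$1; want=$2
    if [ -e "$trail" ]; then
        target=$trail
        used=$(du -sk "$trail" | awk '{print $1}')   # regular file or -N directory
    else
        target=$(dirname "$trail")                   # trail not created yet
        used=0
    fi
    # POSIX df -Pk: one line per file system, field 4 is available Kbytes.
    free=$(df -Pk "$target" 2>/dev/null | awk 'NR==2 {print $4}')
    [ -n "$free" ] || return 4
    afs_verdict "$want" "$free" "$used"
}

# Usage: sh afs_preflight.sh /var/.audit/my_trail 1000
if [ "$#" -eq 2 ]; then
    trail_check "$1" "$2" && rc=0 || rc=$?
    echo "verdict for $1 with AFS $2 Kbytes: $rc"
fi
```

Run it once for the primary trail and once for the "next" trail, since the checks apply to either one.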
EXAMPLES
Example 1:
Turn on the auditing system and start recording data to /var/.audit/my_trail using 2 writer
threads. Also set the AuditFileSwitch (AFS) size to 1000 Kbytes. The -N 2 option specifies that the
audit trail will be a directory with two files, spu0 and spu1.
# audsys -n -N 2 -c /var/.audit/my_trail -s 1000
Because the AuditFileSwitch (AFS) size is set to 1000 Kbytes, the auditing system is going to monitor the
growth of /var/.audit/my_trail in size (see also audomon(1M)). When the size has reached
approximately 1000 Kbytes, the auditing system will try to switch recording data to the following file:
/var/.audit/my_trail.yyyymmdd_HHMM
where yyyymmdd_HHMM is replaced by the time and date when the switch occurred.
Example 2:
Turn off the auditing system.
# audsys -f
The -f option causes any buffered data to be written out to the current audit trail. The auditing
system will stop recording any data after that.
Example 3:
Turn on the auditing system in compatibility mode.
# audsys -n -N 0 -c /var/.audit/my_trail -s 1000
This example is the same as Example 1 except that /var/.audit/my_trail will be present on the
file system as a regular file instead of a directory because -N 0 is specified.
WARNINGS
Compatibility mode and the -x option are solely supported for backward compatibility and will be
obsoleted in any future releases after HP-UX 11i Version 3.
All modifications made to the audit system are lost upon reboot. To make the changes permanent, set
AUDITING, PRI_AUDFILE, PRI_SWITCH, SEC_AUDFILE, SEC_SWITCH, and NTHREADS in
/etc/rc.config.d/auditing.
A user process will be blocked in the kernel if all of the following events occur:
  • The file system containing the current audit trail is full.
  • If the "next" audit trail is specified, the file system containing this audit trail is full.
  • The user process makes an auditable system call or generates an auditable event.
A user process will also be blocked in the kernel if both of these events occur:
  • The pre-allocated kernel audit data buffer is full.
  • The user process makes an auditable system call or generates an auditable event.
In order to recover from the resulting deadlock, it will be necessary to kill the session leader of the
console so that the administrator can log in. For this reason, sensitive applications must not be run as
session leaders on the console.
HP-UX 11i Version 3: September 2010    Hewlett-Packard Company