Open System Services Management and Operations Guide (G06.29+, H06.07+)
Managing Filesets
Open System Services Management and Operations Guide—527191-005
Auditing a Fileset
An important component of a secure file system is the ability to trace the history of
security-related operations on objects in the system. OSS security auditing allows you
to collect a history of audited operations—that is, an audit trail—on a specified set of
auditable objects in the system.
OSS security auditing allows you to audit access to objects in the OSS filename space.
Audit commands for OSS objects and operations are provided by Safeguard, and
SAFEART allows you to search for audit records of operations on OSS files.
Using the AUDITENABLED Attribute
The OSS fileset AUDITENABLED attribute determines whether audit records are
generated on objects within the fileset. When another fileset is mounted on an audited
fileset, whether the mounted fileset is audited depends on its own AUDITENABLED
attribute.
The AUDITENABLED attribute is either ON or OFF (the default value). In addition, the
Safeguard global audit setting AUDIT-CLIENT-SERVICE must be ON for fileset
auditing to be in effect (for more information, see the Safeguard Audit Service Manual).
When the AUDITENABLED attribute is ON, audit records are created whenever an
access-control decision is made on an object in the fileset. The AUDITENABLED
attribute can be assigned a value during fileset creation and can be changed at any
time through the OSS Monitor SCF command ALTER FILESET. However, the change
takes effect only when the fileset is next started.
Auditing cannot be controlled directly at the OSS file or directory level. However, the
AUDITENABLED attribute applies to all objects named within the fileset and generates
an audit record at the fileset level. Therefore, if you want to audit a particular file, you
must enable auditing of the fileset that contains that file.
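The rules in this section can be combined into a small audit-coverage check. The following Python model is an added example, not code from the manual or from the OSS Monitor; the Fileset record, the fileset names and the mount points are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Fileset:               # hypothetical record, not an OSS Monitor structure
    name: str
    mount_point: str
    configured: bool         # AUDITENABLED as last set by ADD/ALTER FILESET
    running: Optional[bool]  # value picked up at last start; None = not started

def containing_fileset(path, filesets):
    """Started fileset whose mount point is the longest prefix of path."""
    best = None
    for fs in filesets:
        prefix = fs.mount_point.rstrip("/") + "/"
        inside = path == fs.mount_point or path.startswith(prefix)
        if fs.running is not None and inside:
            if best is None or len(fs.mount_point) > len(best.mount_point):
                best = fs
    return best

def audit_status(path, filesets, audit_client_service):
    """Return (audited, reason); audited is None when AUDITENABLED does not apply."""
    if any(path == p or path.startswith(p + "/") for p in ("/G", "/E")):
        return None, "under /G or /E: not assignable through OSS Monitor SCF"
    fs = containing_fileset(path, filesets)
    if fs is None:
        return None, "no started fileset contains this path"
    if not audit_client_service:
        return False, "AUDIT-CLIENT-SERVICE is OFF"
    if fs.running != fs.configured:
        return fs.running, f"{fs.name}: change pending until next start"
    return fs.running, f"{fs.name}: AUDITENABLED {'ON' if fs.running else 'OFF'}"

# Constructed sample configuration.
FILESETS = [
    Fileset("ROOT", "/", configured=True, running=True),
    Fileset("USER1", "/home", configured=False, running=False),  # mounted on audited ROOT
    Fileset("APPS", "/apps", configured=True, running=False),    # altered, not restarted
]

if __name__ == "__main__":
    for p in ("/etc/passwd", "/home/alice/notes", "/apps/bin/run", "/G/system/x"):
        print(p, audit_status(p, FILESETS, audit_client_service=True))
```

The /home case shows that a fileset mounted on an audited fileset follows its own attribute, and the /apps case shows a change made with ALTER FILESET that has not yet taken effect.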
Audited SCF Operations
Note. Guardian files (those under /G) and OSS filesets on other nodes (those accessed
through /E) cannot be assigned the audit-enabled attribute by using OSS Monitor SCF
commands.
The following SCF fileset operations are audited:

SCF Commands Used    Actions taken
-------------------  ---------------------------------------------------------------
START FILESET and    When an audited fileset is started or stopped, the OSS Monitor
STOP FILESET         generates a mount/unmount record. The mount point pathname
                     is present only in the record generated by use of the START
                     FILESET command.

ADD FILESET and      When a member of the super group (255, nnn) attempts to add
DELETE FILESET       or delete an audited fileset, an audit record is generated.