Safeguard Audit Service Manual (G06.24+, H06.03+)
Specifying Auditing
Safeguard Audit Service Manual—520480-014
2-11
Auditing Events Performed by a Specific User
AUDIT-MANAGE-FAIL is specified, the failed operation is recorded in the current
audit file.
Auditing Events Performed by a Specific User
You can specify auditing for events performed by a specific user ID through the AUDIT-
USER-ACTION attributes in the user authentication record. These attributes are set at
logon time. Modifications of these attributes do not take effect immediately for user IDs
that are already logged on. Users must log on again for the attributes to take place.
These attributes enable the auditing of user actions that involve the Safeguard
subsystem, in particular:
•
Attempts to access any of these types of objects (even if they are not protected by
a Safeguard record):
°
Disk files, subvolumes, and volumes
°
Processes and subprocesses
°
Devices and subdevices
•
Attempts to create or manage Safeguard protection records
These attributes enable auditing for user actions.
specifies the conditions under which successful actions performed by the user are
recorded in the current audit file.
specifies the conditions under which unsuccessful actions performed by the user are
recorded in the current audit file.
The audit-spec variable for AUDIT-USER-ACTION-PASS and AUDIT-USER-
ACTION-FAIL can be any one of these four values:
ALL
All attempts made by the user are recorded in the current audit file.
LOCAL
Local attempts made by the user are recorded in the current audit file. (A local
attempt is made by a user logged on to this system.)
REMOTE
Remote attempts made by the user are recorded in the current audit file. (A remote
attempt is made by a network user logged on to a remote system.)
AUDIT-USER-ACTION-PASS audit-spec
AUDIT-USER-ACTION-FAIL audit-spec