 
Configuring auditing

Setting user audit criteria

User audit criteria can be set with either the auditset, useradd, or usermod commands. Each method has a different effect on the user's audit criteria.

The auditset command sets the user audit criteria dynamically; the changes take effect immediately during the user's current login session. However, the settings remain in effect only while the user still owns at least one active process on the system; once the user is no longer logged in and has no cron jobs running, the settings are lost. If the user logs out from all of their current sessions, has no cron jobs running, and then logs in again, the audit criteria set with auditset are no longer in effect. The mask is instead taken from the /etc/security/ia/audit and /etc/security/ia/master files, which are managed by the useradd and usermod commands. To set user audit criteria via the auditset command, the specified user(s) must be currently logged in.

The useradd or usermod commands set the user audit criteria statically; the changes take effect the next time the user logs in. However, if the user already owns processes on the system, either because they are currently logged in from somewhere else or because cron is running a job for them, then the audit criteria of those already active processes apply to the new processes as well. The new user audit criteria are in effect for every subsequent login session until the usermod command is invoked again.

In general, you will use useradd or usermod if there is a set of events that you always want to audit for a given user. You can then use auditset to add events to the user audit criteria to meet special needs. For example, if you suspect that a malicious user has guessed the password for the user wts and has logged in as that user, you could use the auditset command to start auditing all events for the user wts immediately. You could then monitor that user's activities and determine whether there had indeed been a breach of security.

The user audit criteria are unaffected by changes in effective user ID, such as when a user changes their effective user ID by using the su(ADM) command.

Setting user audit criteria with auditset

The -e, -a and -u options of the auditset command are used to set user audit criteria. The -e option, like the -s option, requires an event list as its option argument. The keywords all and none and the operators described in ``Operators used in setting auditable events'' are also valid with the -e option. Either the -u or the -a option must be used together with the -e option. The -a option sets audit criteria for all active users on the system, while the -u option sets audit criteria for the specified active user or users.

The argument to -u is either a single user name or a list of user names, each separated by a comma but not a space. (You can use either numeric user IDs or user names.)

For example, to audit all file creations by the user aeb, use the following command:

auditset -u aeb -e file_make

The preceding command replaces the audit criteria for this user with the events in the file_make event class.

To add the set_uid event to the audit criteria for users aeb and xyz use the following command:

auditset -u aeb,xyz -e +set_uid

Setting user audit criteria with useradd or usermod

As mentioned, auditset -e, -u and -a set user audit criteria dynamically and thus affect only currently existing processes owned by that user, including all current login sessions for that user and any cron jobs for that user that may be executing at that time. Any new processes created while such processes exist will also have the same criteria. To set audit criteria for all future login sessions for a user, you need to use the -a option of the useradd or usermod commands.

The useradd command is used to add a new user to the system. It adds a new user entry to the /etc/passwd file and can also create a default user event mask for a new user if you specify the -a option. The argument to this option is either a single event or a list of events, each separated by a comma but not a space. Event classes may also be used as input to the -a option. You cannot use operators in front of the event(s) with the -a option of useradd.

For example, to add dhh as a new user with all directory creation events audited, use the following command:

useradd . . . -a dir_make dhh

The ellipsis (. . .) indicates that you would normally specify other options which are not related to auditing. For more information, see useradd(ADM).

The usermod command can be used to change users' login information after they have been added to the system. To modify the default user event mask or to add one for an existing user, use the -a option of usermod. The argument to this option is either a single event or a list of events, each separated by a comma but not a space. Event classes may also be used as input to the -a option.

For example, earlier the user dhh was added to the system, with a user event mask that audited all directory creations (specified by the dir_make event class). If you want to change the user event mask to audit all file creations instead of all directory creations, enter the following command:

usermod -a file_make dhh

You can use operators described in ``Operators used in setting auditable events'', with the -a option of usermod. For example, assume that after you used useradd to add the user dhh with a user event mask that audited all directory creations (specified by the dir_make event class) you wanted to change the user event mask to include all file creations as well as directory creations.

To change the user event mask for the user dhh use the following command:

usermod -a +file_make dhh

Because the + operator is used, this command adds the events defined by the file_make event class to the existing audit criteria for the user dhh.


NOTE: You must use the login name, not a numeric user ID, to set audit criteria for users with the useradd or usermod commands. Also, you can use only one user name as an argument to either of these commands. If you want to set the same audit criteria for two or more users, you must enter a separate command for each.
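The two mechanisms above have different argument rules: auditset -u accepts a comma-separated list of users but only works for users who currently own processes, while usermod -a takes a single login name (never a numeric UID) per invocation. The following added example (not from the SCO documentation) is a small wrapper that applies one event specification to several users, issuing one usermod per user and a single auditset for those who are active. RUN (a hypothetical dry-run prefix, "echo" by default) and ACTIVE_USERS (a constructed list that replaces the who(1) lookup) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the SCO OpenServer documentation.
# Apply one audit event specification to several users:
#   usermod -a  -> static criteria, exactly one login name per call
#   auditset -u -> dynamic criteria, comma-separated list, active users only
# RUN is a hypothetical prefix: "echo" prints the commands (dry run),
# RUN="" executes them. ACTIVE_USERS, if set, is a constructed
# space-separated list used instead of asking who(1).

RUN=${RUN-echo}

# active_users: print the login names that currently own a session
active_users() {
    if [ -n "${ACTIVE_USERS+set}" ]; then
        echo "$ACTIVE_USERS"
    else
        who 2>/dev/null | awk '{ print $1 }' | sort -u | tr '\n' ' '
    fi
}

# set_audit EVENTS USER...: one usermod per valid login name, then one
# auditset covering every one of them that is active.
# Returns 0 on success, 1 if any name was rejected.
set_audit() {
    events=$1; shift
    rc=0; active=""; actives=$(active_users)
    for user in "$@"; do
        case $user in
            *[!0-9]*) ;;   # contains a non-digit: a login name, accepted
            *) echo "rejecting '$user': usermod needs a login name, not a UID" >&2
               rc=1; continue ;;
        esac
        # static criteria for future logins; the NOTE above requires one
        # login name per usermod invocation, so loop rather than batch
        $RUN usermod -a "$events" "$user"
        for a in $actives; do
            [ "$a" = "$user" ] && active="${active:+$active,}$user"
        done
    done
    # dynamic criteria for current sessions: auditset -u takes a
    # comma-separated list (no spaces) and needs the users to be active
    [ -n "$active" ] && $RUN auditset -u "$active" -e "$events"
    return $rc
}
```

Run it as `set_audit +file_make dhh aeb` to preview the commands, or with `RUN=""` in the environment to execute them.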

Setting a default audit mask for all users

The following sequence will allow you to set a default audit mask for all users:

defadm useradd AUDIT_MASK=event list
rm /etc/security/ia/audit
auditcnv
creatiadb

You can repeat this as necessary if you decide to change the event list. This should be performed when the system is in single-user mode.



© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005