Configuring auditing

Using auditset to set system-wide audit criteria

The system event mask applies to all nonexempt processes on the system and at a minimum always contains the fixed events. Selectable events may be added and deleted at the discretion of the administrator, but the fixed events cannot be altered. Audit criteria can be set before or after auditing is enabled.

The -s option of auditset is used to set the system-wide audit criteria. The argument to the -s option, referred to as an event list, may consist of one or more events or event classes. If the event list contains more than one item, the items must be separated by commas.

Additionally, all and none may be used as event keywords. For the system event mask, all is defined to be the set of all fixed and selectable events, and none is defined to be the set of all fixed events. The keywords are ignored if they are intermixed with events or event classes.

There are three valid operators that may precede an event list. Only one operator may be specified per event list. The following table describes the meaning of each operator.

Operators used in setting auditable events

Operator        Meaning
[no operator]   Replace the current set of auditable events with the ones listed.
+               Add the event(s) to the current set of auditable events.
-               Delete the event(s) from the current set of auditable events.
!               Audit all events except the event(s) listed.

For example, if you want to add all events related to file creation to the current system-wide audit criteria, use the following command:

auditset -s +file_make

On the other hand, if you want to delete all events related to file creation from the current system-wide audit criteria, type the following command:

auditset -s -file_make

If you want the system-wide audit criteria to contain only the kill and ulimit events, enter the following command:

auditset -s kill,ulimit
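The operator and keyword rules above, modelled as an added example (not SCO's own auditset code) so the effect of each form of event list on the system event mask can be checked: the event names, the fixed/selectable split and the file class are constructed for illustration and are not OpenServer's real event tables.

```python
# Constructed event tables (not OpenServer's real names). Fixed events are
# always audited and can never be removed; selectable events can be toggled.
FIXED_EVENTS = frozenset({"audit_on", "audit_off", "login"})
SELECTABLE_EVENTS = frozenset({"file_make", "file_read", "kill", "ulimit", "exec"})
EVENT_CLASSES = {"file": frozenset({"file_make", "file_read"})}  # constructed class
OPERATORS = "+-!"


def parse_event_list(arg):
    """Split an 'auditset -s' argument into (operator, items).
    Only one operator is allowed and it must precede the whole list."""
    arg = arg.strip()
    op = None
    if arg and arg[0] in OPERATORS:
        op, arg = arg[0], arg[1:]
    items = [i.strip() for i in arg.split(",")]
    if not all(items) or any(i[0] in OPERATORS for i in items):
        raise ValueError("malformed event list: %r" % arg)
    return op, items


def expand(items):
    """Expand items to a set of events. 'all'/'none' count only when they
    make up the whole list; intermixed with events or classes they are ignored."""
    if items == ["all"]:
        return set(SELECTABLE_EVENTS)
    if items == ["none"]:
        return set()
    events = set()
    for item in items:
        if item in ("all", "none"):
            continue  # keyword intermixed with events: ignored
        if item in EVENT_CLASSES:
            events |= EVENT_CLASSES[item]
        elif item in SELECTABLE_EVENTS or item in FIXED_EVENTS:
            events.add(item)
        else:
            raise ValueError("unknown event or class: %r" % item)
    return events


def apply_event_list(current, arg):
    """Return the new system event mask after 'auditset -s ARG'."""
    op, items = parse_event_list(arg)
    events = expand(items)
    if op is None:
        new = events                                        # replace
    elif op == "+":
        new = set(current) | events                         # add
    elif op == "-":
        new = set(current) - events                         # delete
    else:
        new = (FIXED_EVENTS | SELECTABLE_EVENTS) - events   # ! audit all except
    return frozenset(new | FIXED_EVENTS)  # fixed events are always restored
```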


© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005