audsys(1M)
NAME
audsys - start/halt the auditing system; set/display auditing system
status information
SYNOPSIS
num] file | directory cafs] file | directory xafs]
DESCRIPTION
audsys allows the user to do the following operations: start or halt the
auditing system; specify the auditing system "current" and "next" audit
trails and their switch sizes; display auditing system status
information; and, for regular mode, specify the number of active files that
comprise an audit trail.
If the number of files specified by the option is greater than or equal
to one (regular mode), the audit trail will be present on the file
system as a directory with multiple files in it.
If the number specified is zero (compatibility mode), the audit trail
will be contained in a single file. Compatibility mode is solely
supported for backward compatibility and will be obsoleted in any future
releases after HP-UX 11i Version 3.
The command is restricted to privileged users.
The "current" audit trail is the file or directory to which the
auditing system writes audit records. When the "current" trail grows to
either its AuditFileSwitch (AFS) size or its FileSpaceSwitch (FSS) size
(see audomon(1M)), the auditing system switches to write to the "next"
audit trail.
The auditing system switches audit trails by setting the "current"
trail designation to the "next" trail and setting the new "next" trail
to NULL. If the "next" trail is not specified, the auditing system
creates a new trail with the same base name but with a different
timestamp extension. Then the auditing system begins recording to the new
trail. For more details about the next trail name, refer to the option
explanation in the section in this manpage.
The auditing system can also run an external command after a successful
audit trail switch. See audomon(1M) for details.
On a single system, the "current" and "next" trails can reside anywhere
on the same or different file systems. The directory is the default
location for audit trails.
When invoked without arguments, audsys displays the status of the auditing
system. This status includes the following information:
· Description as to whether auditing is on or off.
· The names of the "current" and "next" audit trails.
· A table listing the following size and space information:
    · The switch sizes of the audit trails.
    · The sizes of the file systems on which the audit trails
      are located.
    · The space available expressed as a percentage of the
      switch sizes and file system sizes.
Options
audsys recognizes the following options:
Specify the file or directory which will be the "current" audit
trail.
The existing "current" trail, if any, will be
replaced by the trail specified, and the auditing
system will immediately switch to the new "current"
trail.
If the number of audit files specified by the
option, is greater than or equal to 1 (regular
mode), a directory will be created with the "current"
trail name and the audit trail files will
be stored in this directory. The specified file
or directory must be empty or nonexistent, unless
it is the "current" or "next" trail already in
use by the auditing system.
The and options must be specified together.
Turn off the auditing system.
The and options are mutually exclusive. Other
options specified with are ignored.
Turn on the auditing system.
The system uses existing "current" and "next"
audit trails unless other trails are specified
with the and options. If no "current" audit
trail exists (for example, when the auditing system
is first installed), it can be specified with
the option.
Specify the number of active files that comprise an audit trail.
The auditing system will use one or more writer
threads to log data into these files. Each
writer thread will write to one file. If the
option is not specified in the current command,
then the previous setting for num will be used.
If there is no previous setting, num will be set
to 1. If num is greater than or equal to 1 (regular
mode), then the audit trail files are named
in this format: to The audit trail files are created
in the directory specified with the option.
For example, if num is 3, then files named and
are created.
If num is 0 (compatibility mode), then the audit
trail will be a file with the name specified by
the option.
Use the option with the option to turn on auditing.
Use the option by itself (that is, no other
options are specified) to change the number of
active files when the auditing system is running
in regular mode.
The recommended value for num is approximately
the number of processors on the system divided by
two.
Specify cafs, the "current" trail's AuditFileSwitch (AFS)
size (in Kbytes).
The and options must be specified together.
Specify the file or directory which will be the "next" audit
trail.
Any existing "next" trail is replaced by the
trail specified. The specified trail must be
empty or nonexistent, unless it is the "current"
or "next" trail already in use by the auditing
system.
The and options must be specified together.
The option is supported solely for backward
compatibility and will be obsoleted in any future
releases after HP-UX 11i Version 3.
If the "next" audit trail is not specified by the
option, the auditing system will take the "current"
audit trail's base name with a different
timestamp extension as the "next" audit trail.
The name of the "next" audit trail will be determined
at the next switch point. See audomon(1M)
for more details.
Note: The auditing system modifies the specified
audit trail name in the following situation:
· The current audit trail name ends with the
12 digits in format where yyyymmdd and
HHMM are all digits and not necessarily a
timestamp.
· The next audit trail is not configured.
That is, the option is not specified.
The audit trail name change occurs when audit
file switch actually happens. The dot and underscore
are still part of the audit trail name.
For example, the auditing system will change to
Specify xafs, the "next" trail's AuditFileSwitch (AFS)
size (in Kbytes).
The and options must be specified together.
If is specified without only the "current" audit file is changed; the
existing "next" audit file remains.
If is specified without only the "next" audit trail is changed; the
existing "current" audit trail remains.
The option can be used to manually switch from the "current" to the
"next" trail by specifying the "next" trail as the new "current" trail.
In this case, the trail specified becomes the new "current" trail and
the "next" trail is set to NULL.
In instances where no "next" trail is desired, the option can be used
to set the "next" trail to NULL by specifying the existing "current"
trail as the new "next" trail. In this case, the auditing system will
create a new trail with the "current" trail's base name but with a
different timestamp extension as the "next" trail.
The user must be careful to select audit trails that reside on file
systems large enough to accommodate the AuditFileSwitch (AFS) desired.
audsys returns a non-zero status and no action is performed if any of the
following situations occur:
· The AuditFileSwitch (AFS) size specified for either audit
trail exceeds the space available on the file system where
the trail resides.
· The AFS size specified for either audit trail is less than
the trail's current size.
· The audit trail resides on a file system with no remaining
user space (exceeds minfree, see the option in tunefs(1M)).
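A pre-flight check for the conditions above, as an added example that is not part of the HP manpage: the hypothetical shell function check_trail tests a candidate trail path and AFS size against the empty-or-nonexistent rule and the three failure cases, using df -kP and du -sk, without invoking audsys. The return codes and the inuse argument are assumptions of this example.

```shell
# Pre-flight check for a candidate audit trail location (added example).
# Usage: check_trail PATH AFS_KBYTES [inuse]
#   inuse: pass when PATH is the "current" or "next" trail already in use,
#          which the manpage exempts from the empty-or-nonexistent rule.
check_trail() {
    trail=$1 afs=$2 inuse=${3:-}

    case $afs in
        ''|*[!0-9]*) echo "AFS size must be a whole number of Kbytes" >&2; return 2 ;;
    esac

    # Rule: the trail must be empty or nonexistent unless already in use.
    if [ -e "$trail" ] && [ "$inuse" != inuse ]; then
        if [ -d "$trail" ]; then
            [ -z "$(ls -A "$trail")" ] || { echo "$trail: directory not empty" >&2; return 3; }
        elif [ -s "$trail" ]; then
            echo "$trail: file not empty" >&2; return 3
        fi
    fi

    # Find the file system that holds (or will hold) the trail.
    fsdir=$trail
    [ -e "$fsdir" ] || fsdir=$(dirname "$trail")
    [ -e "$fsdir" ] || { echo "$fsdir: no such location" >&2; return 2; }

    # POSIX df output: column 4 is the space available to users, in Kbytes.
    avail=$(df -kP "$fsdir" | awk 'NR == 2 { print $4 }')

    # Failure case: no remaining user space on the file system.
    [ "$avail" -gt 0 ] || { echo "$fsdir: no remaining user space" >&2; return 4; }

    # Failure case: AFS exceeds the space available on the file system.
    [ "$afs" -le "$avail" ] || { echo "AFS ${afs}K > ${avail}K available" >&2; return 5; }

    # Failure case: AFS is smaller than the trail's current size.
    if [ -e "$trail" ]; then
        used=$(du -sk "$trail" | awk '{ print $1 }')
        [ "$afs" -ge "$used" ] || { echo "AFS ${afs}K < current size ${used}K" >&2; return 6; }
    fi
    return 0
}
```

A zero return means none of the documented rejection conditions were detected at the time of the check; space can still change before the trail is configured.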
EXAMPLES
Example 1:
Turn on the auditing system and start recording data to using 2 writer
threads. Also set the AuditFileSwitch (AFS) size to 1000 Kbytes. The
specifies that the audit trail will be a directory with two files, and
Because the AuditFileSwitch (AFS) size is set to 1000 Kbytes, the
auditing system is going to monitor the growth of in size (see also
audomon(1M)). When the size has reached approximately 1000 Kbytes, the
auditing system will try to switch recording data to the following
file:
where is replaced by the time and date when the switch occurred.
Example 2:
Turn off the auditing system.
The option causes any buffered data to be written out to the current
audit trail. The auditing system stops recording data after that.
Example 3:
Turn on the auditing system in compatibility mode.
This example is the same as Example 1 except that will be present on
the file system as a regular file instead of a directory because is
specified.
WARNINGS
Compatibility mode and the option are solely supported for backward
compatibility and will be obsoleted in any future releases after HP-UX
11i Version 3.
All modifications made to the audit system are lost upon reboot. To
make the changes permanent, set and in
A user process will be blocked in the kernel if all of the following
events occur:
· The file system containing the current audit trail is full.
· If the "next" audit trail is specified, the file system containing
this audit trail is full.
· The user process makes an auditable system call or generates an
auditable event.
A user process will also be blocked in the kernel if both of these
events occur:
· The pre-allocated kernel audit data buffer is full.
· The user process makes an auditable system call or generates an
auditable event.
To recover from the resulting deadlock, it will be necessary
to kill the session leader of the console so that the administrator can
log in. For this reason, sensitive applications must not be run as
session leaders on the console.
AUTHOR
audsys was developed by HP.
SEE ALSO
audomon(1M), tunefs(1M), audctl(2), audwrite(2), setsid(2), audit(5).