audit(1M)                                                            audit(1M)

NAME
     audit - system audit trail startup and shutdown script

SYNOPSIS
     /etc/init.d/audit [ start | stop ]

DESCRIPTION
     The audit shell script is called during system startup from /etc/rc2 to
     start the system audit trail daemon, satd(1M), and enable auditing of
     predefined audit events (using sat_select(1M)). The script is called
     during system shutdown from /etc/rc0 to kill the daemon gracefully and
     disable auditing.

     Note that, as installed, auditing is off by default and must be enabled
     as described in CONFIGURATION FLAGS, below. In addition, once auditing
     has been enabled via chkconfig(1M), the system should be rebooted to
     enable auditing from system startup. At a minimum, /etc/init.d/audit
     start must be executed by root before any auditing actually takes place.

     When called with the start argument, the audit script does the following
     (provided that auditing has been enabled):

     +  Looks for any "emergency files" (see satd(1M)) and issues a warning
        if it finds any.

     +  Ensures that satd and sat_select are executable.

     +  Starts the audit daemon, satd.

     +  Enables auditing of predefined audit events.

     When called with the stop argument, the audit script gracefully
     terminates the sat daemon and disables auditing of all events.

CONFIGURATION FLAGS
     The audit subsystem is enabled if its configuration flag in the
     /etc/config directory is in the on state. The configuration flag file
     for auditing is /etc/config/audit. If a flag file is missing, the flag
     is considered off. Use the chkconfig(1M) command to turn a flag on or
     off. For example,

          chkconfig audit on

     enables auditing. When invoked without arguments, chkconfig prints the
     state of all known flags.

     There is a special flag, verbose. The verbose flag controls the printing
     of the names of daemons as they are started.

OPTIONS FILES
     Site-dependent options for satd and sat_select belong in options files
     in /etc/config. The option file for satd is satd.options. The options
     file for sat_select events is sat_select.options. The options files for
     selecting subject user, group or label events are
     sat_select.subject.user, sat_select.subject.group and
     sat_select.subject.mac. The options files for selecting object user,
     group or label events are sat_select.object.user,
     sat_select.object.group and sat_select.object.mac. These files contain
     options that their respective commands will be run with to override the
     defaults.

     To add filters to the satd command line invoked by the audit shell
     script, place the filter command lines into /etc/config in files with
     names that begin with satd.filter. If any of these files are found, the
     output of satd is piped to them in the order that they are found using
     ls. For more information, see audit_filters(5).

     See the document IRIX Admin: Backup, Security, and Accounting and
     satd(1M) for details on valid options.

     Note that if audit filters are used, it may be necessary for the audit
     script to pause for several seconds to allow satd to completely
     initialize the audit system before any events can be enabled. The
     default delay in this case is 2 seconds. To override this delay, for
     example in the case where a particular audit filter takes some
     additional time to start up, place the delay time (in seconds) in the
     file /etc/config/satd.delay.

FILES
     /etc/init.d/audit
     /etc/rc0.d/K40audit    linked to /etc/init.d/audit
     /etc/rc2.d/S30audit    linked to /etc/init.d/audit
     /etc/config            configuration flags and options files

SEE ALSO
     rc0(1M), rc2(1M), sat_echo(1M), sat_interpret(1M), sat_reduce(1M),
     sat_select(1M), sat_summarize(1M), satconfig(1M), satd(1M),
     audit_filters(5).

     IRIX Admin: Backup, Security, and Accounting.
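
The configuration rules above (flag file, satd.options, satd.filter ordering and the filter startup delay), as an added example that is not the IRIX audit script or any vendor code: a POSIX sh check that reports how a given configuration directory would be interpreted. It assumes a flag file contains the word on or off; the function names and the printed command line are illustrative, not the script's actual text.

```sh
#!/bin/sh
# Added example (not the IRIX script): summarize the audit configuration
# described on this page for a given config directory.
# Assumption: a chkconfig flag file contains the word "on" or "off".

# Flag state; a missing flag file counts as off.
audit_flag_state() {
    dir=${1:-/etc/config}
    if [ -f "$dir/audit" ] && [ "$(tr -d ' \t\n' < "$dir/audit")" = on ]; then
        echo on
    else
        echo off
    fi
}

# Files whose names begin with satd.filter, in ls order.
audit_filter_files() {
    dir=${1:-/etc/config}
    ls "$dir" 2>/dev/null | grep '^satd\.filter' || true
}

# Approximate shape of the satd command line: options, then each filter.
audit_pipeline() {
    dir=${1:-/etc/config}
    cmd=satd
    if [ -f "$dir/satd.options" ]; then cmd="$cmd $(cat "$dir/satd.options")"; fi
    for f in $(audit_filter_files "$dir"); do
        cmd="$cmd | $(cat "$dir/$f")"
    done
    echo "$cmd"
}

# Startup delay: the page describes it only for the filter case (default 2 s).
audit_delay() {
    dir=${1:-/etc/config}
    if [ -z "$(audit_filter_files "$dir")" ]; then echo none; return 0; fi
    d=
    if [ -f "$dir/satd.delay" ]; then d=$(tr -d ' \t\n' < "$dir/satd.delay"); fi
    case $d in
        ''|*[!0-9]*) echo 2 ;;   # missing or non-numeric: fall back to default
        *) echo "$d" ;;
    esac
}

audit_report() {
    echo "audit flag:   $(audit_flag_state "$1")"
    echo "satd command: $(audit_pipeline "$1")"
    echo "filter delay: $(audit_delay "$1")"
}

audit_report "${1:-/etc/config}"
```

Because every satd.filter file is spliced into the audit pipeline, an unexpected entry in the reported command line is worth investigating.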