IBM 10 SP1 EAL4 Server User Manual


 
2. Processes the command line arguments.
3. Attempts to raise its resource limits.
4. Sets its umask.
5. Resets its internal counters.
6. Emits a title.
7. Processes audit records from an audit log file or stdin, incrementing counters depending on audit record contents.
8. Prints a message and exits if there are no useful events.
9. Prints a summary report.
10. Destroys its data structures and frees memory.
11. Exits.
5.15.2.2 ausearch
Only root has the ability to run this tool. First, ausearch checks that the parameters passed to it are valid and supported. Then, it opens either the logs or the administrator-specified files. The log's location is extracted from /etc/auditd.conf. For more information on ausearch, see the ausearch(8) man page.
After that, ausearch starts to process the records one record at a time, matching on the parameters passed to it. Because each audit record can be written into the log as multiple file records, the tool collates all the file records into a linked list before it checks whether the record matches the requested search criteria.
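The collate-then-match step described above, as an added Python example that is not code from the audit package or from this document: file records sharing one audit(timestamp:serial) key are grouped into a single event before any search criterion is applied. The log lines are constructed, and the criteria are simplified field-equality checks rather than ausearch's real option set.

```python
import re
from collections import OrderedDict

# Constructed sample audit log: event serial 101 spans three file records
# (SYSCALL, CWD, PATH), the other two events are single records.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=0 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1700000000.123:101):  cwd="/root"
type=PATH msg=audit(1700000000.123:101): item=0 name="/etc/shadow" inode=1234 mode=0100640
type=USER_LOGIN msg=audit(1700000005.456:102): pid=2000 uid=0 auid=1000 msg='op=login acct="alice" res=failed'
type=SYSCALL msg=audit(1700000010.789:103): arch=c000003e syscall=59 success=yes exit=0 auid=1001 uid=1001 comm="ls" exe="/bin/ls"
"""

# Record header: type, timestamp, serial, then the remaining key=value body.
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# key=value pairs; values may be double-quoted, single-quoted, or bare.
FIELD = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')


def collate_events(lines):
    """Group file records with the same (timestamp, serial) into one event,
    keeping the order in which each event first appeared. This is the
    collation step ausearch performs before matching search criteria."""
    events = OrderedDict()
    for line in lines:
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record, skip it
        rtype, ts, serial, body = m.groups()
        key = (float(ts), int(serial))
        ev = events.setdefault(key, {"records": [], "fields": {}})
        ev["records"].append(rtype)
        for k, v in FIELD.findall(body):
            # First occurrence of a field wins; later records add new fields.
            ev["fields"].setdefault(k, v.strip('"\''))
    return list(events.values())


def search(events, **criteria):
    """Return the collated events whose fields equal every criterion given.
    Matching happens on the whole event, so a PATH-record field (name=)
    can be combined with a SYSCALL-record field (auid=) in one query."""
    return [ev for ev in events
            if all(ev["fields"].get(k) == str(v) for k, v in criteria.items())]
```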
5.15.2.3 autrace
Only root can run this command. autrace executes the program passed to it after setting a filter to audit all system calls for the new process. If any rules or watches were previously set, autrace will not run; it requires that all rules and watches be cleared first. For more information on autrace, see the autrace(8) man page.
5.15.3 Audit configuration files
See Section 5.6.2.1 Configuration for more detail on audit configuration files.
5.15.4 Audit logs
LAF audit logs, also known as audit trails, are the final repository of audit records generated by the kernel and the trusted programs. An administrative user can use ausearch on audit logs to extract and analyze security-relevant events.
Audit logs are protected by their DAC mode against unauthorized deletion or modification.
An administrator can specify in the auditd.conf file what actions auditd should perform whenever audit logs reach a specified size. Also, the administrator can specify what happens when writing to the audit logs encounters an error.
212