In early March, I wrote:
> We would like to enable auditing for a specific set of files on a
> Digital Unix 4.0, Patch Kit 5 system.
>
> We can successfully turn on auditing, and audit the "object access"
> class of events, and get overwhelmed by data.
>
> If, instead, we set the auditmask style to "object selection", and then
> enable particular objects, we get nothing.
>
> The auditmask command confirms that object selection is on,
> and the auditmask -q "object" command confirms that object
> selection is on for the object. But test object accesses
> produce no audit data whatsoever, even after an "audit -d"
> to make sure the audit daemon's buffer is flushed.
>
> What am I missing?
I received no answers from the list.
I did pursue this with Digital Support.
The first problem was that, even if one turns on object selection, one must
set the auditmask to the events one wishes to audit. However, once
that is done, we still get flooded with audit.
DEC's analysis of the problem is that auditing will record all
accesses to non-existent files as well as all file creations, even if
object selection is enabled.
- Saul
Received on Thu Apr 23 1998 - 23:35:56 NZST