White Paper
23
The inetd daemon honors the AUDIT_FLAG only for the user under whom the service is run when
inetd is started with the –a option. Self-audit login and logoff events are generated regardless of
the inetd –a option and whether the user is enabled or disabled for auditing. Most inetd
services run as user root and disabling auditing for root is not recommended, as this results in no
system call auditing of users logged in as root.
• After upgrading AuditExt, starting Audit with audsys –n returns the failed to match audit
trail version; specify different audit trail error.
The version of the audit trail for the upgraded product is newer than the previously installed
product. You must disable auditing (audsys –f) before upgrading the AudReport product. To
proceed after receiving this error, disable auditing and then enable it to start creating an audit trail
with the latest version. The new version can include more audit data for each event, for example,
the IP address of the origin of the event, the command name of the event, and the audit session ID.
Note:
Both audisp and auditdp are capable of handling both versions of
the audit trails. Therefore, you do not need to know about the internal
format of raw audit data.
• If a system crash or reboot with the reboot -n command occurs when the audit trail is being
written, the audit trail might be corrupted.
Remove the corrupted audit trail and start the audit subsystem.