HP-UX Containers (SRP) A.03.01 Administrator's Guide
Once auditing is configured, all audit records generated by processes in all system containers, as
well as audit records generated by processes in the global view, are written to the audit log files in the
global view.
15.3.2.2 Audit record viewing in the global view
An administrator in the global view can use the auditdp(1M) command to view audit records
generated by processes in any system container or in the global view. When viewed in the global
view, audit records generated in system containers can have incorrect mapping between user/group
IDs and names. This occurs because the ID-name mapping of an audit event is defined by the
/etc/passwd (see passwd(4)) file that is specific to the container where the event was recorded,
not by the one in the global view where the auditdp(1M) command is run. The
/opt/audit/AudReport/bin/srp_auditdp_global sample script can be used to display
audit records with correct ID-name mapping.
To view all audit records generated on the system, enter:
# auditdp -r global_log
To view audit records generated in a specific system container, enter:
# auditdp -r global_log -s "+cmpt=container_name;"
The global_log parameter is the audit log file specified by the -c option of the audsys command
when auditing is started, and the container_name parameter specifies the name of the
system container where the audit records were generated.
In the above examples, audit records generated in a system container may be displayed with
incorrect ID-name mapping. Replace auditdp with srp_auditdp_global to view audit records
with correct ID-name mapping.
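The mismatch described in this section, shown as an added illustration (it is not HP's srp_auditdp_global script and does not parse auditdp output): the same numeric UID is resolved against two passwd(4)-format files and every event whose name differs between them is reported. The file contents, the "uid event" input format, and the function names are constructed for this example.

```shell
#!/bin/sh
# Added illustration: why a UID recorded in a container must be resolved
# against that container's passwd file, not the global view's.

# name_for_uid PASSWD_FILE UID -> login name, or "uid=N" when no entry exists
name_for_uid() {
    awk -F: -v uid="$2" '
        $3 == uid { print $1; found = 1; exit }
        END { if (!found) print "uid=" uid }' "$1"
}

# report_mismatches GLOBAL_PASSWD CONTAINER_PASSWD EVENTS
# EVENTS holds constructed "uid event" lines (not the auditdp record format).
report_mismatches() {
    while read -r uid event; do
        g=$(name_for_uid "$1" "$uid")
        c=$(name_for_uid "$2" "$uid")
        if [ "$g" != "$c" ]; then
            echo "$event uid=$uid global_view=$g container=$c"
        fi
    done < "$3"
}

# make_sample DIR -> writes constructed passwd(4) files and an event list
make_sample() {
    mkdir -p "$1"
    printf '%s\n' \
        'root:*:0:3::/:/sbin/sh' \
        'alice:*:1001:20::/home/alice:/usr/bin/sh' > "$1/global_passwd"
    printf '%s\n' \
        'root:*:0:3::/:/sbin/sh' \
        'webadmin:*:1001:20::/home/webadmin:/usr/bin/sh' \
        'dbuser:*:1002:20::/home/dbuser:/usr/bin/sh' > "$1/container_passwd"
    printf '%s\n' '0 open' '1001 chmod' '1002 unlink' > "$1/events"
}

# Demo: UID 1001 is "alice" in the global view but "webadmin" in the container;
# UID 1002 has no entry in the global view at all.
demo_dir="${TMPDIR:-/tmp}/srp_idmap_demo.$$"
make_sample "$demo_dir"
report_mismatches "$demo_dir/global_passwd" "$demo_dir/container_passwd" \
    "$demo_dir/events"
rm -rf "$demo_dir"
```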
15.3.2.3 Audit record viewing in system containers
Audit log files that reside in the global view are not accessible from processes running in system
containers. To view audit records in a system container, they must first be copied to log files under
the container’s filesystem view by the global administrator.
To ensure that audit records generated in one system container are not copied to the log files under
the filesystem view of another system container, use the
/opt/audit/AudReport/bin/srp_auditdp_copy sample script.
To copy audit records generated in all system containers, enter:
# srp_auditdp_copy -r global_log -R local_log
To copy audit records generated in a specific container, enter:
# srp_auditdp_copy -r global_log -R local_log -C container_name
The global_log parameter is the audit log file specified by the -c option of the audsys command
when auditing is started, the local_log parameter is the pathname of the target audit log file
relative to the container’s root directory, and the container_name is the name of the system container
where the audit records were generated. Each system container will only receive those audit records
that were generated in that container.
Once audit records are copied, an administrator in a system container can use the auditdp
command or the srp_auditdp_global script to view the audit records generated in the container.