The auditmap command generates the audit map files. The audit map files contain system dependent information used by the auditrpt command to translate numeric data contained in the log file. Numeric data is recorded in the log file to minimize its size and to reduce processing overhead at recording time.
The auditrpt command will use the audit map files to translate users, groups, privileges, events and system calls from numbers to names. If the audit map files are not available or the information contained within does not allow for a translation, auditrpt will display the ASCII representation of the numeric data. For example, if the audit map files do not contain information for user ID 9424, auditrpt displays the number 9424 instead of the user name in its output. Without the audit map files the output of auditrpt is hard to read and interpret.
By default, the audit map files reside in the directory /var/audit/auditmap. The audit map files are as follows:
The auditmap command is automatically invoked whenever auditing is enabled. If the audit map file(s) already exist, they will be renamed by prefixing with an "o". The new audit map files will then be created.
The -m option of the auditmap command allows the administrator to specify a directory where the audit map files will reside. For example, if you want to create the audit map files in the directory /etc/audit/auditmap, enter the following command:

    auditmap -m /etc/audit/auditmap
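The two behaviours described above (existing map files are renamed with an "o" prefix before new ones are written, and auditrpt falls back to the raw number when a map has no entry) can be emulated in portable shell. This is an added example, not code from the auditmap or auditrpt commands themselves; the map file names (usermap, groupmap) and their contents are constructed placeholders, since the page does not list the real file names.

```shell
#!/bin/sh
# Added example, not part of the auditmap/auditrpt documentation.
# rotate_audit_maps DIR FILE...: rename DIR/FILE to DIR/oFILE for each FILE
# that exists, mirroring what auditmap does before writing fresh maps.
rotate_audit_maps() {
    dir=$1; shift
    for f in "$@"; do
        if [ -f "$dir/$f" ]; then
            mv -f -- "$dir/$f" "$dir/o$f" || return 1
        fi
    done
    return 0
}

# map_lookup MAPFILE NUMBER: print the name recorded for NUMBER in MAPFILE
# (constructed format: "<number> <name>" per line), or NUMBER itself when the
# map is missing or has no entry, which is the auditrpt fallback described above.
map_lookup() {
    name=$(awk -v id="$2" '$1 == id { print $2; exit }' "$1" 2>/dev/null)
    if [ -n "$name" ]; then
        printf '%s\n' "$name"
    else
        printf '%s\n' "$2"
    fi
}

# Demonstration on a constructed map directory (file names are placeholders).
demo_dir=$(mktemp -d)
printf '0 root\n101 audit\n' > "$demo_dir/usermap"   # constructed old user map
rotate_audit_maps "$demo_dir" usermap groupmap        # groupmap absent: skipped
printf '0 root\n' > "$demo_dir/usermap"               # constructed new user map
ls "$demo_dir"                                         # ousermap and usermap
map_lookup "$demo_dir/ousermap" 101                    # old map still resolves 101
map_lookup "$demo_dir/usermap" 9424                    # no entry: prints 9424
rm -rf "$demo_dir"
```

Keeping the "o"-prefixed copies is what lets an analyst still resolve IDs from log files recorded before the maps were regenerated.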