Auditable events

An auditable event represents a single action (either a command or system call) that may affect the security of the system. There are two classifications of events: fixed and selectable.

Events may be selected for auditing either before or after auditing is enabled. If you add or delete events for auditing with auditset, the changes take effect immediately. If you use the useradd or usermod commands to change the events recorded for a user, the changes take effect at that user's next login, provided no processes owned by the user are still running on the system. If processes owned by the user already exist, new processes use the same user mask as the existing processes, so the modified mask is not applied until every process owned by that user has exited.

Events are triggered either by certain system calls or by selected user-level processes (for example, passwd). The majority of user-level commands are not audited directly. Instead, an audit record is generated each time the command executes a system call corresponding to an auditable event. For example, the ls command may trigger the open_rd, fcntl, status, access, iocntl, pm_denied, or sym_status events.

An event class is a collection of related event types. Rather than specifying a long list of individual events, you can specify one or two event classes. The auditing subsystem recognizes several predefined event classes, and you may create others as desired.
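The following is an added example, not part of the SCO OpenServer documentation and not the auditing subsystem's own code. It models two points made above: expanding a selection that mixes event classes and individual events into the set of events actually recorded, and the timing rules for changes made with auditset (immediate) versus usermod (next login, and only when no process owned by the user survives). The class table, the uid, and the rule that an event is recorded when it is selected either system-wide or in the process's user mask are assumptions made for the example; the event names are the ones the ls example on this page lists.

```python
"""Model of audit event selection and user-mask timing.

Added example; not the OpenServer audit subsystem. The class table below is
constructed for illustration and does not reproduce the real predefined classes.
"""
from dataclasses import dataclass

# Constructed class table (assumption): class name -> member event names.
EVENT_CLASSES = {
    "file_read": {"open_rd", "status", "sym_status", "access"},
    "file_ctl": {"fcntl", "iocntl"},
    "denial": {"pm_denied"},
}


def expand_selection(selection, classes=EVENT_CLASSES):
    """Expand a mixed list of class names and event names into a set of events.

    A name found in the class table contributes every member event; any other
    name is treated as an individual event.
    """
    events = set()
    for item in selection:
        if item in classes:
            events |= classes[item]
        else:
            events.add(item)
    return events


@dataclass(frozen=True)
class Process:
    uid: int
    mask: frozenset  # user mask fixed when the process was created


class AuditState:
    """Tracks the system-wide selection, per-user masks and live processes."""

    def __init__(self):
        self.system_events = set()  # changed by auditset; effective at once
        self.user_masks = {}        # uid -> events; changed by useradd/usermod
        self.processes = []

    def auditset_add(self, selection):
        self.system_events |= expand_selection(selection)

    def auditset_delete(self, selection):
        self.system_events -= expand_selection(selection)

    def usermod(self, uid, selection):
        # Stored now, but only picked up by a later login (see login()).
        self.user_masks[uid] = expand_selection(selection)

    def login(self, uid):
        """Create the first process of a new login session for uid.

        If processes owned by uid still exist, the new process inherits their
        mask; the stored user mask is consulted only when none survive.
        """
        existing = [p for p in self.processes if p.uid == uid]
        if existing:
            mask = existing[0].mask
        else:
            mask = frozenset(self.user_masks.get(uid, set()))
        proc = Process(uid, mask)
        self.processes.append(proc)
        return proc

    def logout(self, uid):
        """Terminate every process owned by uid."""
        self.processes = [p for p in self.processes if p.uid != uid]

    def is_audited(self, proc, event):
        # Assumption: recorded if selected system-wide or in the process mask.
        return event in self.system_events or event in proc.mask


def demo():
    """Walk through the timing rules and return the observed masks."""
    state = AuditState()
    uid = 1001  # constructed uid
    state.usermod(uid, ["file_read"])
    first = state.login(uid)                 # gets the file_read mask
    state.usermod(uid, ["file_ctl"])         # change while first is running
    stale = state.login(uid)                 # still inherits first's mask
    state.logout(uid)                        # all of the user's processes gone
    fresh = state.login(uid)                 # now the file_ctl mask applies
    state.auditset_add(["denial"])           # takes effect immediately
    return {
        "first": first.mask,
        "stale": stale.mask,
        "fresh": fresh.mask,
        "pm_denied_on_fresh": state.is_audited(fresh, "pm_denied"),
        "open_rd_on_fresh": state.is_audited(fresh, "open_rd"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, sorted(value) if isinstance(value, frozenset) else value)
```

The point of the demo is the "stale" login: because a process owned by the user still exists when usermod runs, the second login keeps the old mask, and only after the user's last process exits does the new mask take effect. A practitioner who changes a user's audited events and sees no difference in the audit trail should check for lingering processes (daemons, detached shells) owned by that user.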

This chapter describes all the auditable events and the predefined event classes. For many of the selectable events, there is a brief description of the types of security problems you are likely to detect if the events are audited. Because many events correspond to system calls, the actions of commands that provide normal user services, such as opening a file for an editor, will be recorded. Thus, many events only provide background information about the usage of your system unless there are unusual patterns of actions.

© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005