Auditable events

Fixed events

Fixed events are always audited when auditing is enabled and cannot be altered. Therefore, when auditing is enabled, the system-wide event mask will always contain the fixed events. The fixed events, which are intentionally limited to a subset of all auditable events, include

The fixed events represent actions that must be recorded to ensure the integrity and accuracy of the data in the audit event log file. Recording only the fixed events will not give you a complete record of all actions that affect system security.

The following table lists each fixed event, a brief description of it, the manual page of the command or system call that triggers it, and whether the event may be used for object-level auditing.

Fixed events

Event        Description                  Manual page                               Object audit
add_grp      adding groups                groupadd(ADM)                             N
add_usr      adding user attributes       useradd(ADM)                              N
add_usr_grp  adding group members         useradd(ADM), usermod(ADM)                N
audit_buf    set audit buffer attributes  auditbuf(S)                               N
audit_ctl    enable or disable auditing   auditoff(ADM), auditon(ADM), auditctl(S)  N
audit_dmp    auditdmp failures            auditdmp(S)                               N
audit_evt    set auditable events         auditset(ADM), auditevt(S)                N
audit_log    set log file attributes      auditlog(ADM), auditlog(S)                N
audit_map    create audit map file        auditmap(ADM)                             N
date         change the date              adjtime(2), stime(2), settimeofday(S)     N
init         change of init state         init(ADM)                                 N
mod_grp      change group information     groupmod(ADM)                             N
mod_usr      change user information      usermod(ADM)                              N

The audit_buf, audit_ctl, audit_dmp, audit_evt, audit_log, and audit_map events are recorded to ensure that you can always verify the state of the auditing subsystem and the correctness of the log file. The date of an event is an important part of the audit record. Therefore, all changes to the system date (the date event) are recorded to ensure the integrity of the audit records. The add_grp, add_usr, add_usr_grp, mod_grp, and mod_usr events are recorded to ensure that you can always verify the accuracy of the user and group attributes recorded in the audit event log file.

If any of the user or group information on the system changes, the auditor should run the auditmap command to create new audit map files. Note, however, that any modification to the audit map files may cause previously recorded audit data to fail to translate. Therefore, complete processing of previously recorded data before altering the audit map files.
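The two rules above (the fixed events cannot be removed from the event mask, and user/group changes make the audit map files stale until auditmap is rerun) plus the role of the date event are modelled in the following added example, which is not SCO's own code. The event names are taken from the table above; the record tuples and the sample records are constructed for the example and are not the on-disk auditlog(S) format.

```python
# Added example, not SCO's own code.  Event names are the fixed events listed
# in the table above; the record tuples (seq, timestamp, event) are a constructed
# in-memory form, not the on-disk auditlog(S) format.

FIXED_EVENTS = frozenset({
    "add_grp", "add_usr", "add_usr_grp", "audit_buf", "audit_ctl", "audit_dmp",
    "audit_evt", "audit_log", "audit_map", "date", "init", "mod_grp", "mod_usr",
})
# Fixed events recorded so that user/group attributes in the log stay verifiable.
IDENTITY_EVENTS = frozenset({"add_grp", "add_usr", "add_usr_grp", "mod_grp", "mod_usr"})


def effective_mask(requested):
    """Apply the rule that fixed events cannot be altered: the mask the system
    uses is the requested set plus every fixed event.  Also return the fixed
    events the request tried to leave out, so an administrator sees that the
    change did not take effect."""
    requested = set(requested)
    return requested | FIXED_EVENTS, FIXED_EVENTS - requested


def map_refresh_points(records):
    """Sequence numbers of records that change user/group information.  After
    each one the audit map files are stale and auditmap(ADM) should be rerun,
    but only once the records before that point have been processed, because
    new maps may no longer translate the earlier data."""
    return [seq for seq, _ts, event in records if event in IDENTITY_EVENTS]


def timestamp_regressions(records):
    """Flag records whose timestamp precedes the previous record's.  A clock
    set backwards is legitimate only if it was itself recorded as a 'date'
    event; a regression with no date event next to it is unexplained."""
    findings, last_ts, last_event = [], None, None
    for seq, ts, event in records:
        if last_ts is not None and ts < last_ts:
            explained = event == "date" or last_event == "date"
            findings.append((seq, "explained by date event" if explained else "unexplained"))
        last_ts, last_event = ts, event
    return findings


# Constructed records: an enable, a user add, a recorded clock change, then
# later a backwards jump with no date event to account for it.
SAMPLE_RECORDS = [
    (1, 100, "audit_ctl"), (2, 105, "add_usr"), (3, 110, "date"),
    (4, 90, "mod_usr"), (5, 95, "init"), (6, 80, "audit_log"),
]
```

On SAMPLE_RECORDS, map_refresh_points reports records 2 and 4, and the backwards jump at record 6 is flagged as unexplained because no date event was recorded around it.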

An audit record generated by a fixed event always contains the "common" data. Fixed events do not involve objects, so no "object" data is recorded. auditrpt(ADM) describes the "unique" data recorded for each fixed event.


© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005