Auditable events

System administration events

The following events are triggered by commands or system calls that require privileges and are usually executed only by administrators.

Privileged events

The events represented here are triggered by commands or system calls that administrators use in the normal course of daily operations. These events require privilege, and therefore should only be executed by administrators. In particular, frequent or unusual appearances of the pm_denied event, which indicates a failed operation due to lack of required privilege, could indicate an attempt to subvert system security.

Privileged events

Event      Description                          Manual page            Object audit
---------  -----------------------------------  ---------------------  ------------
acct_off   disable accounting                   acct(S)                N
acct_on    enable accounting                    acct(S)                N
acct_sw    switch accounting files              acct(S)                N
file_priv  change privileges on a file          filepriv(S)            Y
lp_admin   administrative use of lp system      lpadmin(ADM)           N
mk_node    make a special file                  mknod(S)               Y
mount      mount a device or filesystem         mount(S)               Y
pm_denied  failed use of privilege              NA                     N
sched_lk   lock a process into memory           plock(2), memcntl(S)   N
sched_rt   real time scheduler operations       priocntl(S)            N
sched_fp   fixed priority scheduler operations  priocntl(S)            N
sched_fc   fixed class scheduler operations     priocntl(S)            N
sched_ts   time-sharing scheduler operations    priocntl(S)            N
setrlimit  set resource limits                  setrlimit(S)           N
tfadmin    administrative command               tfadmin(ADM)           N
ulimit     resource limits                      ulimit(S)              N
umount     unmount a device or filesystem       umount(S)              Y
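
The review suggested above (watching for frequent pm_denied events and for privileged events run by non-administrators) can be sketched as follows. This is an added example, not part of the SCO documentation: it assumes the audit trail has already been exported to a constructed "timestamp user event" line format (not the audit subsystem's native output), and the admins set, threshold and window are hypothetical parameters.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event names taken from the "Privileged events" table on this page.
PRIVILEGED_EVENTS = {
    "acct_off", "acct_on", "acct_sw", "file_priv", "lp_admin", "mk_node",
    "mount", "pm_denied", "sched_lk", "sched_rt", "sched_fp", "sched_fc",
    "sched_ts", "setrlimit", "tfadmin", "ulimit", "umount",
}

# Constructed sample records in the assumed format: "ISO-timestamp user event".
SAMPLE = """\
2005-06-03T09:00:01 root mount
2005-06-03T09:02:10 jdoe pm_denied
2005-06-03T09:02:12 jdoe pm_denied
2005-06-03T09:02:15 jdoe pm_denied
2005-06-03T09:02:40 jdoe mk_node
2005-06-03T11:30:00 asmith pm_denied
2005-06-03T12:00:00 root acct_sw
"""

def parse(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        ts, user, event = parts
        yield datetime.fromisoformat(ts), user, event

def review(text, admins, threshold=3, window=timedelta(minutes=5)):
    """Return findings as (kind, user, event, timestamp) tuples."""
    findings = []
    recent = defaultdict(deque)  # user -> timestamps of recent pm_denied
    for ts, user, event in sorted(parse(text)):
        if event not in PRIVILEGED_EVENTS:
            continue
        if event == "pm_denied":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:  # drop denials older than the window
                q.popleft()
            if len(q) >= threshold:    # burst: report once, then start over
                findings.append(("pm_denied_burst", user, event, ts))
                q.clear()
        elif user not in admins:       # privileged event by a non-administrator
            findings.append(("non_admin_privileged", user, event, ts))
    return findings

if __name__ == "__main__":
    print(*review(SAMPLE, admins={"root"}), sep="\n")
```

A single pm_denied (asmith in the sample) is not reported; only a run of denials by one user inside the window is.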

© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005