Summary of auditable events and classes

Table of auditable events

In the following table each entry consists of:

NOTE: An event is applicable only if the system software configuration supports the stated system call or command. Some events may not be applicable because they are supported in earlier releases, but not the current release. However, non-applicable events are reserved to allow release compatibility.

The fixed events are listed first, followed by the selectable events.

Fixed events

| Event | Description | System call/command |
|---|---|---|
| add_grp | add a group | groupadd(ADM) |
| add_usr | add a user | useradd(ADM) |
| add_usr_grp | add group members | useradd(ADM), usermod(ADM) |
| audit_buf | set audit buffer attributes | auditbuf(S) |
| audit_ctl | enable/disable auditing | auditoff(ADM), auditon(ADM), auditctl(S) |
| audit_dmp | record auditdmp failures | auditdmp(S) |
| audit_evt | set auditable events | auditset(ADM), auditevt(S) |
| audit_log | set log file attributes | auditlog(ADM), auditlog(S) |
| audit_map | create audit map files | auditmap(ADM) |
| date | change the date | adjtime(2), stime(S) |
| init | change init states | init(ADM) |
| mod_grp | modify group information | groupmod(ADM) |
| mod_usr | modify user information | usermod(ADM) |
| dev_audit | write audit records to legacy audit device | dlvr_audit(ADM) |

Selectable events

| Event | Description | System call/command |
|---|---|---|
| all | All selectable events | |
| none | No selectable events | |
| access | determine accessibility of a file | access(S) |
| acct_off | disable accounting | acct(S) |
| acct_on | enable accounting | acct(S) |
| acct_sw | switch accounting files | acct(S) |
| bad_auth | bad login name or password | login(1) |
| bad_lvl | bad login level | login(1) |
| cancel_job | cancellation of lp job | cancel(1), lpsched(ADM) |
| chg_dir | change working directory | chdir(2), fchdir(2) |
| chg_nm | change name of a file | rename(S) |
| chg_root | change root directory | chroot(S) |
| chg_times | change file access times | utime(S) |
| cov_chan_1 | record use of covert channel | NA |
| cov_chan_2 | record use of covert channel | NA |
| cov_chan_3 | unused but reserved | |
| cov_chan_4 | unused but reserved | |
| cov_chan_5 | unused but reserved | |
| cov_chan_6 | unused but reserved | |
| cov_chan_7 | unused but reserved | |
| cov_chan_8 | unused but reserved | |
| create | create a new filesystem object | creat(S) |
| cron | cron job | cron(ADM) |
| dac_mode | change mode of an object | chmod(2), fchmod(2) |
| dac_own_grp | change owner or group of object | chown(2), fchown(2), lchown(2), chgrp(1) |
| def_lvl | change a user's default level | login(1) |
| exec | execute an object | exec(S) |
| exit | terminate a process | exit(S) |
| fcntl | file control | fcntl(S) |
| fd_acl | change the access control lists via file descriptor | facl(S) |
| file_acl | change the access control lists | acl(S) |
| file_priv | change privileges of a file | filepriv(S) |
| fork | create a new process | fork(2), vfork(S) |
| iocntl | I/O control | ioctl(S) |
| ipc_acl | change IPC access control lists | aclipc(S) |
| keyctl | enable special features | keyctl(S) |
| kill | post a signal | kill(2), sigsendset(2) |
| link | create a link to an object | link(S) |
| login | use of a login schema | login(1) |
| logoff | terminate a login session | exit(S) |
| lp_admin | administrative use of LP | lpadmin(ADM) |
| lp_misc | miscellaneous use of LP | lpsched(ADM) |
| lwp_bind | bind LWP to processor | processor_bind(2), processor_exbind(S) |
| lwp_create | create lightweight process | fork(S) |
| lwp_unbind | unbind LWP from processor | processor_bind(S) |
| misc | miscellaneous application records | auditdmp(S) |
| mk_dir | make a directory | mkdir(S) |
| mk_node | make a special file | mknod(S) |
| mount | mount a device or filesystem | mount(S) |
| modpath | modify module search path | modpath(S) |
| modadm | register a module | modadmin(ADM) |
| modload | load a module | modload(S) |
| moduload | unload a module | moduload(S) |
| msg_ctl | message control operations | msgctl(S) |
| msg_get | get message queue | msgget(S) |
| msg_op | message operations | msgop(S) |
| open_rd | open an object for reading | open(S) |
| open_wr | open an object for writing | open(S) |
| p_online | bring processor on/offline | p_online(S) |
| page_lvl | printer does not support per-page label | lp(1) |
| passwd | change password | passwd(1) |
| pipe | create a pipe | pipe(S) |
| pm_denied | failed attempt to use privileges | NA |
| prt_job | start/end of printer job | lp(1) |
| prt_lvl | override output label | lp(1) |
| recvfd | receive file descriptor | NA |
| rm_dir | remove a directory | rmdir(S) |
| sched_lk | lock a process into memory | plock(2), memcntl(S) |
| sched_rt | real time scheduler operations | priocntl(S) |
| sched_ts | time sharing scheduler operations | priocntl(S) |
| sem_ctl | semaphore control operations | semctl(S) |
| sem_get | get the set of semaphores | semget(S) |
| sem_op | semaphore operations | semop(S) |
| set_gid | change group ID | setgid(2) |
| set_grps | set multiple groups | setgroups(2) |
| set_pgrps | set process groups | setpgrp(S) |
| set_sid | set session ID | setsid(S) |
| set_uid | change user ID | setuid(S) |
| setrlimit | set resource limits | setrlimit(S) |
| shm_ctl | shared memory control operations | shmctl(S) |
| shm_get | get shared memory identifier | shmget(S) |
| shm_op | shared memory operations | shmop(S) |
| status | get file status | stat(2), fstat(S) |
| sym_create | create a symbolic link | symlink(S) |
| sym_status | get status of symbolic link | lstat(S) |
| tfadmin | administrative commands | tfadmin(ADM) |
| trunc_lvl | truncate a printed level | lp(1) |
| ulimit | resource limits | ulimit(S) |
| umount | unmount a device or filesystem | umount(S) |
| unlink | unlink an object | unlink(S) |
| chg_priv | legacy system call | chpriv(S-osr5) |
| set_luid | legacy system call | setluid(S-osr5) |
| stop_io | legacy system call | stopio(S-osr5) |


© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005