 audit(5)                                                           audit(5)




 NAME
      audit - introduction to HP-UX Auditing System

 SYNOPSIS
      #include <sys/audit.h>

 DESCRIPTION
      The purpose of the auditing system is to record instances of access by
      subjects to objects and to allow detection of any (repeated) attempts
      to bypass the protection mechanism and any misuses of privileges, thus
      acting as a deterrent against system abuses and exposing potential
      security weaknesses in the system.

    User and Event Selection
      The auditing system provides administrators with a mechanism to select
      the users and activities to be audited.  Each user is assigned by the
      administrator a unique identifier called an audit id, which remains
      unchanged throughout the user's history.  The audusr(1M) command
      specifies which users are to be audited.  The audevent(1M) command
      specifies which system activities (auditable events) are to be audited.
      Auditable events are classified into several categories; an event
      category consists of a set of operations that affect a particular
      aspect of the system.  For the list of event categories, see
      audevent(1M).

    Self-auditing Programs
      To reduce the amount of log data and to provide a higher-level
      recording of some typical system operations, a collection of
      privileged programs is given the capability to perform self-auditing.
      Such a program can suspend the auditing currently specified for itself
      and instead produce a high-level description of the operations it
      performs.  These self-auditing programs include: at(1), chfn(1),
      chsh(1), crontab(1), login(1), newgrp(1), passwd(1), audevent(1M),
      audisp(1M), audsys(1M), audusr(1M), cron(1M), groupadd(1M),
      groupdel(1M), groupmod(1M), init(1M), lpsched(1M), sam(1M),
      useradd(1M), userdel(1M), and usermod(1M).

           Note: Only privileged programs are allowed to do self-auditing.
           The audit suspension they perform only affects these programs and
           does not affect any other processes on the system.

      Most of these commands generate audit data under a single event
      category.  For example, sam(1M) generates the audit data under the
      event admin.  Other commands may generate data under multiple event
      categories.  For example, init(1M) generates data under the events
      login and admin.

    Viewing of Audited Data
      The audisp(1M) command is used to view audited data recorded in log
      files.  audisp(1M) merges the log files into a single audit trail in
      chronological sequence.  The administrator can select viewing criteria
      provided by audisp(1M) to limit the search to particular kinds of
      events which the administrator is interested in investigating.

 Hewlett-Packard Company            - 1 -   HP-UX 11i Version 2: August 2003
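      The merge-and-select behaviour described for audisp(1M), as an added
      example that is not HP-UX's own code: two log files, each in
      chronological order, are merged into one trail and then narrowed by
      event category, audit id and outcome.  The record layout
      "time|audit_id|event|status|detail" and the sample lines are
      constructed for this example (the real record format is the subject of
      audit(4)); the example also counts repeated failures per audit id, the
      pattern the DESCRIPTION says the trail exists to expose.

```python
# Added example, not HP-UX's own code. Record layout "time|audit_id|event|status|detail"
# is constructed here; the real HP-UX audit record format is described in audit(4).
import heapq
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class AuditRecord:
    time: int       # seconds since the epoch (constructed values below)
    audit_id: int   # the user's audit id, assigned with audusr(1M)
    event: str      # event category, e.g. "login" or "admin"
    status: str     # "success" or "failure"
    detail: str

def parse_line(line):
    t, aid, event, status, detail = line.rstrip("\n").split("|", 4)
    return AuditRecord(int(t), int(aid), event, status, detail)

def merge_trails(*logs):
    # Each log file is already in chronological order, so a k-way merge yields
    # the single trail audisp(1M) presents, without loading whole files.
    return heapq.merge(*(map(parse_line, log) for log in logs), key=lambda r: r.time)

def select(records, events=None, audit_ids=None, failures_only=False):
    # Viewing criteria: event categories, audit ids and outcome.
    for r in records:
        if events is not None and r.event not in events:
            continue
        if audit_ids is not None and r.audit_id not in audit_ids:
            continue
        if failures_only and r.status != "failure":
            continue
        yield r

def repeated_failures(records, threshold=3):
    # Audit ids with at least `threshold` failed events: the repeated attempts
    # to bypass protection that the DESCRIPTION says the trail should expose.
    counts = Counter(r.audit_id for r in records if r.status == "failure")
    return {aid: n for aid, n in counts.items() if n >= threshold}

# Constructed sample logs, a current file and a back-up file, each written in
# chronological order by the auditing system.
CURRENT_LOG = ["1000|104|login|success|login on tty0",
               "1015|104|admin|success|sam: modified user bob",
               "1040|117|login|failure|login: bad password on ttyp1"]
BACKUP_LOG = ["1005|117|login|failure|login: bad password on ttyp1",
              "1030|117|login|failure|login: bad password on ttyp1",
              "1050|117|login|success|login on ttyp1"]

def failed_logins(current=CURRENT_LOG, backup=BACKUP_LOG):
    return list(select(merge_trails(current, backup), events={"login"}, failures_only=True))
```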

    Monitoring the Auditing System
      To ensure that the auditing system operates normally and that any
      abnormal behaviors are detected, a privileged daemon program,
      audomon(1M), runs in the background to monitor various auditing system
      parameters.  When these parameters take on abnormal (dangerous)
      values, or when components of the auditing system are accidentally
      removed, audomon(1M) prints warning messages and tries to resolve the
      problem if possible.

    Starting and Halting the Auditing System
      The administrator can use the audsys(1M) command to start or halt the
      auditing system, or to get a brief summary of the status of the audit
      system.  Prior to starting the auditing system, audsys(1M) also
      validates the parameters specified, and ensures that the auditing
      system is in a safe and consistent state.

    Audit Log Files
      Whenever the auditing system is enabled, at least one audit log file
      must be present, and a second, back-up log file is highly recommended.
      Both of these files (along with various attributes for these files)
      can be specified using audsys(1M).  When the current log file exceeds
      a pre-specified size, or when the file system holding the audit log is
      dangerously full, the system automatically switches to the back-up
      file if possible.  If no back-up log file is available, warning
      messages are sent to request appropriate administrator action.

 AUTHOR
      The auditing system described above was developed by HP.

 SEE ALSO
      audsys(1M), audusr(1M), audevent(1M), audisp(1M), audctl(2),
      audswitch(2), audwrite(2), getaudid(2), getevent(2), setaudid(2),
      setevent(2), audit(4).

