HP-UX Auditing System Extensions manual: Glossary, audwrite(2)

Page 24

Glossary

Audit Aware Programs

Privileged programs that invoke either the audswitch system call to suspend system call auditing or the audwrite system call to generate self-auditing events. Audit aware programs are also called self-auditing programs.

Audit Event

Also called an Audit Record. An event is an instance of a subject accessing an object, for example a process opening a file or a user logging in to a system. Audit records are generated when users make security-relevant system calls and when self-auditing processes call audwrite(2).

Audit File

A file that stores audit records in binary format.

Audit Process Identifier (PID) Information Record (PIR)

An audit record written into the audit trail once for each process, containing information that remains constant throughout the lifetime of the process.

Audit Tag

A unique audit session ID that tags every audit record generated during a particular login session, so that all records belonging to that session can be identified and correlated.

Audit Trail

The set of audit files that together store audit records in chronological order and provide a complete trail of information for display or analysis.

On HP-UX 11i v2, an audit trail is a single audit file. On HP-UX 11i v3, an audit trail is composed of one or more audit files.

Base Event

A particular system operation that is audited and pre-defined by the HP-UX operating system. This is either a self-auditing event (for example, login) or a system call (for example, open).

Event Category

A set of base events that affect a particular aspect of the system (for example, the creation of an object such as a file, directory, special device file, or IPC object).

Filtering

Any one of the following types of audit filtering:

System call pre-filtering — Filtering of system call and self-audit events in the kernel, based on the process (user) selection flags and the event selection flags, performed before the system-call-specific code executes.

System call post-filtering — Filtering of system call events in the kernel, based on the success or failure of the system call, performed after the system-call-specific code executes.
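The two filtering stages, and the way the audit tag ties the surviving records to a login session, are easier to see on a small model than in prose. The following is an added illustrative example, not code from the HP-UX kernel or from this manual: the flag tables, event names, record fields and the error value used for failed calls are all constructed assumptions, and only the ordering of the decisions (pre-filter on user and event flags before the call, post-filter on outcome after it, self-audit events exempt from post-filtering) follows the glossary.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Event selection flags: which outcomes of each base event are audited.
# Constructed for this example; HP-UX keeps these in its own event table.
EVENT_FLAGS: Dict[str, Dict[str, bool]] = {
    "open":  {"success": True,  "failure": True},
    "login": {"success": True,  "failure": True},
    "chmod": {"success": False, "failure": True},   # only failed mode changes
    "read":  {"success": False, "failure": False},  # not selected at all
}

# Self-audit events are written via audwrite(2) by audit-aware programs and
# are subject to pre-filtering only (no kernel post-filter on outcome).
SELF_AUDIT_EVENTS = {"login"}

# Process (user) selection flags: is this user's process audited at all?
AUDITED_USERS: Dict[str, bool] = {"root": True, "alice": True, "bob": False}

EACCES = 13  # constructed error value for a failed call


@dataclass
class Event:
    pid: int
    user: str
    audit_tag: str   # audit session ID shared by all records of one login session
    event: str
    success: bool


@dataclass
class AuditRecord:
    audit_tag: str
    pid: int
    event: str
    error: int       # 0 on success, else an errno-style value


def pre_filter(ev: Event) -> bool:
    """Pre-filtering: decided before the call runs, on process and event
    selection flags only. The outcome is not known yet."""
    if not AUDITED_USERS.get(ev.user, False):
        return False
    flags = EVENT_FLAGS.get(ev.event)
    return flags is not None and (flags["success"] or flags["failure"])


def post_filter(ev: Event) -> bool:
    """Post-filtering: decided after the call ran, on success/failure.
    Assumes pre_filter already passed for this event."""
    flags = EVENT_FLAGS[ev.event]
    return flags["success"] if ev.success else flags["failure"]


def audit(events: List[Event]) -> Tuple[List[AuditRecord], Dict[str, int]]:
    """Run the two-stage filter over a stream of events and return the
    resulting audit trail plus counts of what each stage discarded."""
    trail: List[AuditRecord] = []
    stats = {"pre_dropped": 0, "post_dropped": 0}
    for ev in events:
        if not pre_filter(ev):
            stats["pre_dropped"] += 1   # no audit bookkeeping for this call
            continue
        # ... the system-call-specific code would execute here ...
        if ev.event not in SELF_AUDIT_EVENTS and not post_filter(ev):
            stats["post_dropped"] += 1  # ran, but outcome was not selected
            continue
        trail.append(AuditRecord(ev.audit_tag, ev.pid, ev.event,
                                 0 if ev.success else EACCES))
    return trail, stats


def by_session(trail: List[AuditRecord]) -> Dict[str, List[AuditRecord]]:
    """Group records by audit tag: everything one login session did."""
    sessions: Dict[str, List[AuditRecord]] = {}
    for rec in trail:
        sessions.setdefault(rec.audit_tag, []).append(rec)
    return sessions


# Constructed sample stream: two audited sessions and one unaudited user.
SAMPLE_EVENTS = [
    Event(101, "alice", "tag-A", "login", True),   # self-audit, recorded
    Event(101, "alice", "tag-A", "open",  True),   # recorded
    Event(101, "alice", "tag-A", "chmod", True),   # pre passes, post drops
    Event(101, "alice", "tag-A", "chmod", False),  # recorded with error
    Event(101, "alice", "tag-A", "read",  True),   # pre drops: event unselected
    Event(202, "bob",   "tag-B", "open",  False),  # pre drops: user unaudited
    Event(303, "root",  "tag-C", "login", False),  # self-audit, recorded
]

if __name__ == "__main__":
    trail, stats = audit(SAMPLE_EVENTS)
    print(stats)
    for tag, recs in by_session(trail).items():
        print(tag, [(r.event, r.error) for r in recs])
```

The point the counters make is operational: events dropped by the pre-filter never incur audit bookkeeping, so tightening process and event selection is what reduces audit overhead, whereas post-filtering can only discard a record after the call has already been executed and evaluated. Grouping by audit tag rather than by PID is what keeps a session's records together when it spawns several processes.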
