HP-UX Auditing System Extensions manual: System calls, Daemons, Files

Page 4

userdbset(1M) — Modifies the per-user AUDIT_FLAG attribute stored in the userdb(4) database.

audisp(1M) — Analyzes and displays the audit information contained in the specified audit trails.

For more information, see the corresponding manpages.

System calls

audswitch(2) — Invoked by privileged programs to temporarily suspend or resume auditing of the current process. It affects only the calling process; it cannot suspend auditing of the processes that the calling process starts with the exec system call.

audwrite(2) — Invoked by privileged self-auditing processes to generate higher-level audit records of their own. Such a process typically calls audswitch(2) to turn off the generation of low-level (system call level) audit records, calls audwrite(2) to emit the higher-level record, and then calls audswitch(2) again to resume system call auditing. Because the system calls made while auditing is suspended leave no trace in the trail, only trusted, privileged programs should be able to use this pattern.

getaudproc(2) — Invoked by privileged programs to determine whether the calling process is audited or not.

setaudproc(2) — Invoked by privileged programs to enable or disable auditing of a process. For example, login(1) invokes setaudproc(2) to audit or not audit a login process and all its descendants for a new login session, depending on the value of the per-user or per-system AUDIT_FLAG attribute in the userdb(4) or security(4) configuration files, respectively.

Daemons

audomon(1M) — User space daemon that monitors the capacity of the current audit trail (Primary Audit Trail) and of the file system on which the audit trail is located. You can configure audomon to switch automatically to a Secondary Audit Trail when configured capacity thresholds are reached. You can also configure the daemon to run a specified script after each successful switch to perform operations on the audit trail that was just closed, such as copying it to a remote system. For an example, see audomon(1M).

Audit daemon — A kernel daemon that collects audit records and periodically writes the records to the disk. On HP-UX 11i v2, the audit daemon is single threaded. On 11i v3, the audit daemon is multi-threaded to improve performance by writing audit data into multiple audit trail files simultaneously.

Files

audit.conf(4), audit_site.conf(4) — Files containing event mapping information and site-specific event mapping information, respectively. The audevent(1M) and audisp(1M) commands use these files.

Audit trail — Audit records are collected in audit files, called audit trails, in a compressed binary format to save disk space. On HP-UX 11i v2, an audit trail is a single file. On HP-UX 11i v3, the HP-UX Auditing System can use more than one kernel writer thread to log data, minimizing the impact of auditing on system performance: each writer thread writes to its own file, so an audit trail is written in parallel by multiple kernel threads and system throughput can increase. As a result, on 11i v3 an audit trail is present on the file system as a directory containing multiple audit files, and any script or tool that archives or copies trails must handle both the single-file and the directory layout.
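The following script is an added example, not part of the HP manual or of the HP-UX distribution, of the kind of post-switch handler that audomon(1M) can run after switching to a Secondary Audit Trail (see the daemon description above). It archives the trail that was just closed, handling both layouts described in the Audit trail entry: the 11i v2 single file and the 11i v3 directory of per-thread files. It records a digest beside the copy so that later tampering with the archived trail can be detected. Two things are assumptions and not taken from the manual: that audomon passes the path of the closed trail as the first argument, and that the second argument names a destination directory (for example a mount point from the archive host, or a staging area drained by a separate copy job). Check audomon(1M) for the actual script interface before deploying it.

```shell
#!/bin/sh
# Post-switch handler for audomon(1M): archive the audit trail that was just
# closed and store a SHA-256 digest next to the copy.
#
# ASSUMPTIONS (not from the manual): audomon passes the closed trail's path
# as $1; the destination directory is given as $2.  See audomon(1M).

# Print the SHA-256 digest of a file.  Falls back to openssl where
# sha256sum is not installed (typical on HP-UX).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# archive_audit_trail TRAIL DEST
# Copies TRAIL into DEST as a read-only, timestamped archive and writes a
# matching .sha256 file beside it.  Handles both trail layouts:
#   - 11i v2: TRAIL is a single binary file           -> copied as-is
#   - 11i v3: TRAIL is a directory of per-thread files -> bundled with tar
# Prints the archive path on success, returns non-zero on any failure.
archive_audit_trail() {
    trail=$1
    dest=$2
    [ -e "$trail" ] || { echo "archive_audit_trail: no such trail: $trail" >&2; return 1; }
    [ -d "$dest" ]  || { echo "archive_audit_trail: no such directory: $dest" >&2; return 1; }
    dest=$(cd "$dest" && pwd)            # absolute path: tar runs from another cwd below
    base=$(basename "$trail")
    stamp=$(date +%Y%m%d%H%M%S).$$       # pid suffix avoids clashes on rapid switches

    if [ -d "$trail" ]; then
        archive="$dest/$base-$stamp.tar"
        # Run tar from the parent directory so the archive holds relative paths only.
        ( cd "$(dirname "$trail")" && tar -cf "$archive" "$base" ) || return 1
    else
        archive="$dest/$base-$stamp"
        cp "$trail" "$archive" || return 1
    fi

    chmod 0400 "$archive" || return 1
    hash_file "$archive" > "$archive.sha256" || return 1
    echo "$archive"
}

# verify_archive ARCHIVE: succeeds only if the stored digest still matches.
verify_archive() {
    [ "$(hash_file "$1")" = "$(cat "$1.sha256")" ]
}

# When invoked by audomon with the two assumed arguments, do the work;
# exit non-zero so a failed archive shows up in the daemon's status.
if [ "$#" -eq 2 ]; then
    archive_audit_trail "$1" "$2" || exit 1
fi
```

The digest file should be copied off-host together with the archive; a copy that has been altered in place will fail verify_archive, but an attacker who can rewrite both files on the same host can of course regenerate the digest, which is why the archive must leave the audited system promptly.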

userdb(4) — The user database that contains the per-user AUDIT_FLAG attribute for controlling whether a particular user is audited.

security(4) — The security defaults configuration file that contains the per-system AUDIT_FLAG attribute. This is the default AUDIT_FLAG value for users that do not have an AUDIT_FLAG attribute set in userdb(4).
