HP UX Auditing System Extensions Version records, System call table records, Self-audit records

Page 6

Where the event occurred (host name and IP address of host)

When it occurred (timestamp)

Details (for example, system call arguments and self-auditing text)

There are also audit records called version and system call table records that appear at the beginning of each audit trail, and a Process ID (PID) Identification Record for each audited process.

Each of these audit records consists of an audit record header and a record body. The record header comprises a sequence number, process ID, event type, and record body length. The sequence number gives relative order of all records; the process ID belongs to the process being audited; the event type is a field identifying the type of audited activity; the length is the record body length expressed in bytes. The record body is the variable-length component of an audit record, containing more information about the audited activity. The following sections describe each audit record type.

Version records

A version record is at the beginning of each audit trail and indicates the version of the audit subsystem. The audit record structure design might change over time, and the version record directs audit display applications how to interpret the audit trail.

System call table records

The record after the version record in an audit trail is a system call table record that contains kernel system call table information, such as what parameters or additional information are being collected for each system call. The system call table record enables user space applications that process the audit trail (for example, the audisp(1M) display tool) to determine how to interpret binary audit records at run time. This allows these applications to be decoupled from kernel changes (for example, addition of new system calls and addition of new audit information).

PID identification records

When a process is audited the first time, a PID identification record (PIR) is written into the audit trail, containing information that remains constant throughout the lifetime of the process. The PIR includes the process ID; the parent process' ID; audit tag; real user ID; real group ID; effective user ID; effective group ID; group ID list; effective, permitted, and retained privileges; compartment ID; and the terminal ID. The PIR is entered only once per process per audit trail.

System call audit records

A system call record contains system call specific audit data and is unique for each audited system call. The record contains, for example, the time the audited event completes, whether the system call ended in either success or failure, and the system call parameters. Use audevent(1M) to display the system calls that are currently being audited. On HP-UX 11i v2, use audisp(1M) to determine the associated information (for example, parameters and return values) recorded for each audited system call. On HP-UX 11i v3, use auditdp(1M) to determine the information recorded for each audited system call. The audisp and auditdp commands also report Compartments and Fine Grained Privileges (FGP) information on HP-UX 11i v2 and HP-UX 11i v3, respectively. This includes the compartment ID and effective, permitted, and retained privileges of the process.

Self-audit records

A self-auditing record contains high-level auditing data generated by self-auditing programs and Dynamically Loadable Kernel Modules (DLKMs). The record contains, for example, the time the self-auditing process invoked audwrite(2) to write the record and a high-level description of the event. For examples of self-audit records, see Self-auditing programs.
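The header and body layout described above (sequence number, process ID, event type, body length, then a variable-length body) and the record types that follow it can be exercised with a small reader. The following is an added example, not HP-UX code and not the real audisp(1M)/auditdp(1M) logic: the field widths, byte order and event-type codes are assumptions chosen for illustration, and the audit trail it reads is constructed inline. It shows the checks a trail consumer should make: that the trail opens with a version record, that each body fits inside the remaining bytes, and that sequence numbers are contiguous (a gap or a truncated final record is worth flagging, since it can mean lost or trimmed records).

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# Assumed on-disk layout for this illustration (NOT HP-UX's actual binary format):
# 4-byte sequence number, 4-byte process ID, 2-byte event type, 2-byte body length,
# all big-endian, followed by `body length` bytes of record body.
HEADER = struct.Struct(">IIHH")

# Constructed event-type codes for the record types the text names (illustrative only).
EV_VERSION = 1        # version record: first record of every trail
EV_SYSCALL_TABLE = 2  # system call table record: second record of every trail
EV_PIR = 3            # PID identification record: once per audited process
EV_SYSCALL = 4        # system call audit record
EV_SELF_AUDIT = 5     # self-audit record written via audwrite(2) (text body here)


@dataclass
class AuditRecord:
    seq: int
    pid: int
    event_type: int
    body: bytes


def build_record(seq: int, pid: int, event_type: int, body: bytes) -> bytes:
    """Serialize one header + body pair in the assumed layout."""
    if len(body) > 0xFFFF:
        raise ValueError("body too long for a 2-byte length field")
    return HEADER.pack(seq, pid, event_type, len(body)) + body


def parse_trail(data: bytes) -> tuple[list[AuditRecord], list[str]]:
    """Walk an audit trail; return the records parsed and any integrity warnings."""
    records: list[AuditRecord] = []
    warnings: list[str] = []
    off = 0
    expected_seq: int | None = None
    while off < len(data):
        if len(data) - off < HEADER.size:
            warnings.append(f"truncated header at offset {off}")
            break
        seq, pid, ev, blen = HEADER.unpack_from(data, off)
        off += HEADER.size
        remaining = len(data) - off
        if blen > remaining:
            # Body length claims more bytes than the trail holds: trimmed or corrupt.
            warnings.append(f"record {seq}: body length {blen} exceeds remaining {remaining} bytes")
            break
        body = data[off:off + blen]
        off += blen
        if expected_seq is not None and seq != expected_seq:
            warnings.append(f"sequence gap: expected {expected_seq}, got {seq}")
        expected_seq = seq + 1
        records.append(AuditRecord(seq, pid, ev, body))
    if not records or records[0].event_type != EV_VERSION:
        warnings.append("trail does not start with a version record")
    return records, warnings


def describe(rec: AuditRecord) -> str:
    """Render one record; only the types with an assumed body layout are decoded."""
    if rec.event_type == EV_VERSION:
        (ver,) = struct.unpack(">H", rec.body)
        return f"version record: audit subsystem version {ver}"
    if rec.event_type == EV_SYSCALL_TABLE:
        return f"system call table record ({len(rec.body)} bytes)"
    if rec.event_type == EV_PIR:
        pid, ppid = struct.unpack(">II", rec.body)
        return f"PID identification record: pid={pid} ppid={ppid}"
    if rec.event_type == EV_SELF_AUDIT:
        return f"self-audit record pid={rec.pid}: {rec.body.decode('utf-8', 'replace')}"
    return f"system call record pid={rec.pid} ({len(rec.body)} bytes of call data)"


# Constructed sample trail: well-formed records, a sequence gap (5 is missing),
# and a final record whose body was cut off.
SAMPLE_TRAIL = (
    build_record(1, 0, EV_VERSION, struct.pack(">H", 2))
    + build_record(2, 0, EV_SYSCALL_TABLE, b"\x00\x10")
    + build_record(3, 1234, EV_PIR, struct.pack(">II", 1234, 1))
    + build_record(4, 1234, EV_SYSCALL, b"\x00\x00\x00\x00")
    + build_record(6, 1234, EV_SELF_AUDIT, b"login: user alice")
    + HEADER.pack(7, 1234, EV_SYSCALL, 40) + b"\x01\x02"
)


if __name__ == "__main__":
    recs, warns = parse_trail(SAMPLE_TRAIL)
    for r in recs:
        print(f"#{r.seq:<3} {describe(r)}")
    for w in warns:
        print("WARNING:", w)
```

Running the block prints the five complete records followed by two warnings, one for the missing sequence number 5 and one for the truncated record 7. A real consumer would take the body layout from the version and system call table records rather than hard-coding it, which is exactly the decoupling the text describes.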

