HP UX Auditing System Extensions manual Audit aware


The list and information are incomplete and might change in the future.

Audit aware

Most self-auditing programs are audit aware. They can suspend the currently specified low-level system call auditing on themselves by invoking the audswitch(2) system call and can produce a high-level description of the operations they perform by invoking the audwrite(2) system call to generate self-auditing events. The audit suspension they perform only affects these programs and does not affect any other processes on the system. The list of audit aware programs is as follows:

audevent(1M) (admin)

audevent: getting event and syscall status

audevent: [disable|enable] [success|failure] for [event|syscall] name

audisp(1M) (admin)

audisp: argv1 … argvn (for various error conditions)

auditdp(1M) (admin)

auditdp: argv1 … argvn

auditdp: invalid command line

auditdp: audit_dpms_write_nevent(3) failed

auditdp: audit_dpms_read_event(3) failed

auditdp: data has been successfully processed

audfilter(1M) (admin)

audfilter: argv1 … argvn

audfilter: User is not authorized to run audfilter

audfilter: Invalid command line options

audfilter: Daemon is not started yet

audfilter: Request to kill daemon [failed|succeeded]

audfilter: Request to load audit filtering rules [failed|succeeded]

audfilter: Request to clear audit filtering rules [failed|succeeded]

audfilter: Request to display audit filtering rules [failed|succeeded]

audfilter: Request to display audit filtering rules in preview mode [failed|succeeded]

audfilter: Request to display daemon status [failed|succeeded]

audfilter: Request to change daemon’s wakeup period [failed|succeeded]

audfilterd(1M) (admin)

audfilterd: argv1 … argvn

audfilterd: User is not authorized to run audfilterd

audfilterd: Failed to raise necessary privileges for audfilterd

audfilterd: Failed to access the configuration file /etc/audit/filter.conf

audfilterd: Invalid command line options

audfilterd: Invalid wakeup period

audfilterd: Daemon is already running

audfilterd: Daemon status displayed

audfilterd: Failed to install signal handler

audfilterd: Failed to start the server

audfilterd: Failed to fork as a background process: error message

audomon(1M) (admin)

audomon: FreeSpaceSwitch point reached, audomon has successfully switched auditing to pathname of new audit trail

audomon: AuditFileSwitch point reached, audomon has successfully switched auditing to pathname of new audit trail
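
One way to triage the self-auditing text listed above, added here as an example and not taken from the HP manual: it compiles a subset of the message templates into regular expressions and flags records where audit coverage was reduced or a user was refused. It assumes the self-audit text has already been extracted one message per line; the sample lines, the event, syscall and path values, and the alert/review/info labels are constructed for this example.

```python
import re

# (program, template, alert_on); templates come from the list above.
# "[a|b]" is a choice, "<x>" a free field. alert_on is this example's own
# choice: "*" always alerts, a word alerts as first field, None is info only.
TEMPLATES = [
    ("audevent", "[disable|enable] [success|failure] for [event|syscall] <name>", "disable"),
    ("audfilter", "User is not authorized to run audfilter", "*"),
    ("audfilter", "Request to kill daemon [failed|succeeded]", "succeeded"),
    ("audfilter", "Request to clear audit filtering rules [failed|succeeded]", "succeeded"),
    ("audfilterd", "User is not authorized to run audfilterd", "*"),
    ("audomon", "AuditFileSwitch point reached, audomon has successfully "
                "switched auditing to <path>", None),
]

def compile_template(prog, template):
    """Turn one template into an anchored regex with one group per field."""
    out = []
    for part in re.split(r"(\[[^\]]+\]|<\w+>)", template):
        if part.startswith("["):
            out.append("(" + "|".join(map(re.escape, part[1:-1].split("|"))) + ")")
        elif part.startswith("<"):
            out.append(r"(\S+)")
        else:
            out.append(re.escape(part))
    return re.compile("^" + re.escape(prog) + r":\s*" + "".join(out) + r"\s*$")

RULES = [(p, compile_template(p, t), a) for p, t, a in TEMPLATES]

def triage(line):
    """Return (program, severity, fields), or None for unrecognised text."""
    for prog, rx, alert_on in RULES:
        m = rx.match(line.strip())
        if m:
            fields = m.groups()
            if alert_on == "*" or (fields and fields[0] == alert_on):
                return prog, "alert", fields
            return prog, ("review" if alert_on else "info"), fields
    return None

# Constructed sample input (event name, syscall name and path are made up).
SAMPLE = [
    "audevent: disable failure for syscall open",
    "audfilter: Request to clear audit filtering rules succeeded",
    "audfilter: Request to kill daemon failed",
    "audfilterd: User is not authorized to run audfilterd",
    "audomon: AuditFileSwitch point reached, audomon has successfully switched auditing to /var/.audit/trail.2",
]
RESULTS = [triage(line) for line in SAMPLE]
```
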
