userdbset(1M) — Modifies the per-user AUDIT_FLAG attribute stored in the userdb(4) database.

audisp(1M) — Analyzes and displays the audit information contained in the specified audit trails.

For more information, see the corresponding manpages.

System calls

audswitch(2) — Invoked by privileged programs to temporarily suspend or resume auditing on the current process; it affects only the current process. This call cannot suspend auditing for processes created by the current process with the exec system call.

audwrite(2) — Invoked by privileged self-auditing processes to generate higher-level audit records of their own. These self-auditing processes are capable of turning off the generation of low- level (system call level) audit records using the audswitch(2) system call and turning it back on after invoking audwrite(2) to generate a higher-level audit record.

getaudproc(2) — Invoked by privileged programs to determine whether the calling process is audited or not.

setaudproc(2) — Invoked by privileged programs to audit a process or not. For example, login(1) invokes setaudproc(2) to audit or not audit a login process and all its descendents for a new login session, depending on the value of the per-user or per-system AUDIT_FLAG attribute in userdb(4) or security(4) configuration files, respectively.

Daemons

audomon(1M) — User space daemon that monitors the capacity of the current audit trail (Primary Audit Trail) and the file system on which the audit trail is located. You can configure audomon to automatically switch to a Secondary Audit Trail when certain capacity limits are met. You can also configure the daemon to run a specified script after each successful switch to perform various operations on the last audit trail, such as running a script to copy the last audit trail to a remote system. For an example, see audomon(1M).

Audit daemon — A kernel daemon that collects audit records and periodically writes the records to the disk. On HP-UX 11i v2, the audit daemon is single threaded. On 11i v3, the audit daemon is multi-threaded to improve performance by writing audit data into multiple audit trail files simultaneously.

Files

audit.conf(4), audit_site.conf(4) — Files containing event mapping information and site-specific event mapping information, respectively. The audevent(1M) and audisp(1M) commands use these files.

Audit trail — Audit records are collected in audit files as audit trails in binary format and are compressed to save disk space. On HP-UX 11i v2, the audit trail is a single file. On HP-UX 11i v3, HP-UX Auditing System is capable of using more than one writer thread to log data to minimize the impact of audit on system performance. Each writer thread writes to one file, allowing an audit trail to be written in parallel by multiple kernel threads and potentially increasing the throughput of the system. As a result, an audit trail is present on the file system as a directory with multiple audit files in it.

userdb(4) — The user database that contains the per-user AUDIT_FLAG attribute for controlling whether a particular user is audited.

security(4) — The security defaults configuration file that contains the per-system AUDIT_FLAG attribute. This is the default AUDIT_FLAG attribute for those users that do not have a AUDIT_FLAG attribute set in userdb(4).

4