IBM 10 SP1 EAL4 manual Event Description LAF audit events

Event Description

LAF audit events

Startup and shutdown of audit functions

DAEMON_START, DAEMON_END are generated by

auditd

Modification of audit configuration files

DAEMON_CONFIG, DAEMON_RECONFIG are

generated by auditd. Syscalls open, link,

unlink, rename, truncate, write on

configuration files

Successful and unsuccessful file read/write

Syscall open

Audit storage space exceeds a threshold

space_left_action,

admin_space_left_action configuration

parameters for auditd.

Audit storage space failure

disk_full_action, disk_error_action

configuration parameters for auditd.

Operation on file system objects

Syscalls chmod, chown, setxattr,

removexattr, link, symlink, mknod, open,

rename, truncate, unlink, rmdir, mount,

umount, semtimedop

Operations on message queue

Syscalls msgctl, msgget

Operations on semaphores

Syscalls semget, semctl, semop,

semtimedop.

Operations on shared memory segments

Syscalls shmget, shmctl

Rejection or acceptance by the TSF of any testedAudit record type: USER_AUTH from PAM

secret.

framework and audit record type:

USER_CHAUTHTOK from shadow utilities.

Use of identification and authentication

Audit record type: USER_AUTH,

mechanism

USER_CHAUTHTOK from PAM framework.

Success and failure of binding user security

Audit record type: LOGIN from pam_login.so

attributes to a subject (e.g. success and failure to module. Syscalls: fork and clone.

create a subject)

All modification of subject security values

Syscalls chmod, chown, setxattr, msgctl,

semctl, shmctl, removexattr, truncate

Modifications of the default setting of

Syscalls umask, open

permissive of restrictive rules

Modification of TSF data

Syscalls open, rename, link, unlink,

truncate, chmod, chown, setxattr,

removexattr (of audit log files and audit