HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2
processes are programmed to suspend auditing of the actions they invoke and produce one audit
log entry describing the process that occurred. Processes programmed in this way are called
self-auditing programs; using self-auditing programs streamlines audit log data.
You can turn off self-auditing programs by turning off auditing on the system.
NOTE: The list of self-auditing processes varies from system to system.
Self-auditing processes
The following processes have self-auditing capabilities:
chfn Change finger entry
chsh
Change login shell
login
The login utility
newgrp
Change effective group
passwd
Change password
audevent
Select events to be audited
audisp
Display the audit data
audsys
Start or halt the auditing system
audusr
Select users to be audited
init
Change run levels, users logging off
lpsched
Schedule line printer requests
fbackup
Flexible file backup
ftpd
File transfer protocol daemon
remshd
Remote shell server daemon
rlogind
Remote login server daemon
telnetd
Telnet server daemon
Most self-auditing programs generate audit data under a single event category. For example,
the audsys command generate the audit data under the admin event. Some commands generate
audit data under multiple event categories. For example, the init command generates data
under the login and admin events.
Audit Log Files
All auditing data is written to an audit log file. The primary log file is where audit records are
collected. When this file approaches a predefined capacity (its Audit File Switch (AFS) size), or
when the file system on which it resides approaches a predefined capacity (its File Space Switch
(FSS) size), the auditing subsystem issues a warning. When either the AFS or the FSS of the
primary log file is reached, the auditing subsystem attempts to switch to the auxiliary log file
for recording audit data. If no auxiliary log file is specified, the primary log file continues to
grow.
Auditing 79