Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Administering a System: Managing System Security
Auditing a Trusted System
Chapter 8, page 796
Streamlining Audit Log Data
Some processes invoke a series of auditable actions. To reduce the
amount of audit log data collected and to provide for more meaningful
notations in the audit log files, some of these processes are programmed
to suspend auditing of the actions they invoke and produce one audit log
entry describing the process that occurred. Processes programmed in
this way are called self-auditing programs; the login program is one
example. The following processes have self-auditing capabilities:

Self-auditing processes

chfn    Change finger entry; see chfn(1)
chsh    Change login shell; see chsh(1)
login   The login utility; see login(1)
newgrp  Change effective group; see newgrp(1)
passwd  Change password; see passwd(1)

Table 8-4 Audit Event Types and System Commands

Event Type  Description of Action                 Associated System Commands
----------  ------------------------------------  ----------------------------------
admin       Log all administrative and            sam(1M), audisp(1M), audevent(1M),
            privileged events                     audsys(1M), audusr(1M), chfn(1),
                                                  chsh(1), passwd(1), pwck(1M),
                                                  init(1M)
ipcdgram    Log ipc datagram transactions         udp(7P)
login       Log all logins and logouts            login(1), init(1M)
modaccess   Log all access modifications other    newgrp(1)
            than Discretionary Access Controls
open        Log all openings of objects (file     lpsched(1M)
            open, other objects open)
removable   Log all removable media events        exportfs(1M)
            (mounting and unmounting events)
uevent1     Log user-defined events               See “Streamlining Audit Log Data”
uevent2                                           on page 796
uevent3