Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Administering a System: Managing System Security
Auditing a Trusted System
audevent    Select events to be audited; see audevent (1M)
audisp      Display the audit data; see audisp (1M)
audsys      Start or halt the auditing system; see audsys (1M)
audusr      Select users to be audited; see audusr (1M)
init        Change run levels, users logging off; see init (1M)
lpsched     Schedule line printer requests; see lpsched (1M)
fbackup     Flexible file backup; see fbackup (1M)
ftpd        File transfer protocol daemon; see ftpd (1M)
remshd      Remote shell server daemon; see remshd (1M)
rlogind     Remote login server daemon; see rlogind (1M)
telnetd     Telnet server daemon; see telnetd (1M)
Self-Auditing Programs
Self-auditing programs are useful for streamlining the audit data
collected. Therefore, the event types UEVENT1, UEVENT2, and UEVENT3 are
reserved for self-auditing programs you may want to write.
You can write your own setuid-to-root programs to streamline auditing
data with the audswitch() and audwrite() system calls. You can
suspend auditing (audswitch(AUD_SUSPEND)), choose key points in the
program to generate an auditing record (audwrite()), and then resume
regular auditing (audswitch(AUD_RESUME)).
If the auditing system is turned off at the time your program is run,
audwrite() returns successfully, but no auditing record is written.
See audswitch (2) and audwrite (2) for more information.
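
The suspend, write, resume sequence described above, as an added example (not code from this guide). The record layout (aud_head, aud_body.text, the ah_* fields), EN_UEVENT1, MAX_AUD_TEXT and the helper self_audited() are assumptions; off HP-UX the block builds against constructed stand-ins for audswitch() and audwrite().

```c
#include <stdio.h>
#include <string.h>
#ifdef __hpux
#include <sys/audit.h>   /* real audswitch(2) and audwrite(2) */
#else
/* Constructed stand-ins so this builds off HP-UX. The values, field names,
 * MAX_AUD_TEXT and EN_UEVENT1 are assumptions modelled on audwrite(2). */
#define AUD_SUSPEND 1
#define AUD_RESUME 2
#define EN_UEVENT1 1
#define MAX_AUD_TEXT 256
struct audit_hdr { unsigned short ah_error, ah_event, ah_len; };
union ab_data { char text[MAX_AUD_TEXT]; };
struct self_audit_rec { struct audit_hdr aud_head; union ab_data aud_body; };
static char call_log[16];            /* order of calls: S, W, R */
static int n_calls;
static struct self_audit_rec last_rec;
static void note(char c) { if (n_calls < 15) call_log[n_calls++] = c; }
static int audswitch(int f) { note(f == AUD_SUSPEND ? 'S' : 'R'); return 0; }
static int audwrite(const struct self_audit_rec *r) { note('W'); last_rec = *r; return 0; }
#endif

/* Run op() with regular auditing suspended and emit one UEVENT1 record that
 * summarises it. Returns op()'s result, or -1 if an audit call failed. */
int self_audited(const char *what, int (*op)(void))
{
    struct self_audit_rec rec;
    int rc, wr;
    if (audswitch(AUD_SUSPEND) != 0)     /* call failed: regular auditing still on */
        return -1;
    rc = op();
    memset(&rec, 0, sizeof rec);
    rec.aud_head.ah_event = EN_UEVENT1;
    rec.aud_head.ah_error = (rc != 0);   /* assumed: nonzero marks failure */
    snprintf(rec.aud_body.text, sizeof rec.aud_body.text, "%s", what);
    rec.aud_head.ah_len = (unsigned short)strlen(rec.aud_body.text);
    wr = audwrite(&rec);                 /* returns 0 even if auditing is off */
    if (audswitch(AUD_RESUME) != 0 || wr != 0)  /* resume on every path */
        return -1;
    return rc;
}

static int demo_ok(void) { return 0; }   /* constructed stand-in for real work */
static int demo_fail(void) { return 1; }
int main(void)
{
    printf("ok=%d\n", self_audited("constructed: job accepted", demo_ok));
    return 0;
}
```

Resuming before checking the audwrite() result keeps a failed write from leaving the process with regular auditing suspended.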
Audit Log Files
All auditing data is written to an audit log file. With the audsys
command, you can specify a primary log file and an (optional)
auxiliary log file to collect auditing data (see audsys (1M)). The growth
of these files is closely monitored by the audit overflow monitor daemon,
audomon, to ensure that no audit data is lost.