White Paper

Glossary
Audit Aware Programs
Privileged programs that invoke either the audswitch system call to suspend system call auditing
or the audwrite system call to generate self-auditing events. Audit aware programs are also
called self-auditing programs.
Audit Event
Also called an Audit Record. An event is an instance of a subject accessing an object, for
example a process opening a file or a user logging into a system. Audit records are generated
when users make security-relevant system calls and when self-auditing processes call
audwrite(2).
Audit File
A file that stores audit records in binary format.
Audit Process Identifier (PID) Information Record (PIR)
An audit record written into the audit trail once for each process, containing information that
remains constant throughout the lifetime of the process.
Audit Tag
A unique audit session ID that identifies (or tags) all audit records generated for a
particular login session.
Audit Trail
All pieces of audit files that together store audit records in chronological order and provide a
complete information trail for display or analysis.
On HP-UX 11i v2, an audit trail is a single audit file. On HP-UX 11i v3, an audit trail is composed
of one or more audit files.
Base Event
A particular system operation that is audited and pre-defined by the HP-UX operating system. This
is either a self-auditing event (for example, login) or a system call (for example, open).
Event Category
A set of base events that affect a particular aspect of the system (for example, the creation of an
object, such as a file, directory, special device file, or IPC object).
Filtering
Any one of the following types of audit filtering:
System call pre-filtering — Filtering of system call and self-audit events in the kernel based on
process (user) and event selection flags, and performed before the system-call-specific code
executes.
System call post-filtering — Filtering of system call events in the kernel based on the success or
failure of the system call, and performed after the system-call-specific code executes.