White Paper

AudFilter Product pre-filtering
Fine-grained filtering in the kernel to selectively record the audit
records that were generated and stored in the audit trail. This reduces the size of the audit trail
and enhances system call pre- and post-filtering by supporting rules-based filtering as a function of
other attributes, such as system call parameters (for example, the open(2) oflag parameter), file
owner, file system on which a file resides, and system call errno.
AudReport Product post-filtering
Fine-grained filtering in user space to selectively extract audit
records that were generated and stored in the audit trail, and to produce useful reports.
Primary Audit Trail
The current audit trail in which audit records are being written.
Profile
A set of base events defined for a particular type of system (for example, web server and file
server).
Secondary Audit Trail
The audit trail in which audit records will be written when certain capacity limits are reached for
the Primary Audit Trail.
Self-Auditing Events
An auditable event that describes a series of actions performed by a program in order to provide
a higher-level and more meaningful description of an event (for example, a user login event), instead
of the low-level, system-call-level description provided by a series of System Call Events.
Self-Auditing Program
A privileged program that produces self-auditing events. These are not necessarily Audit Aware
Programs.
System Call Events
An auditable event that describes the invocation of a security-relevant system call.