White Paper
• userdbset(1M) — Modifies the per-user AUDIT_FLAG attribute stored in the userdb(4)
database.
• audisp(1M) — Analyzes and displays the audit information contained in the specified audit trails.
For more information, see the corresponding manpages.
System calls
• audswitch(2) — Invoked by privileged programs to temporarily suspend or resume auditing on
the current process; it affects only the current process. This call cannot suspend auditing for
processes created by the current process with the exec system call.
• audwrite(2) — Invoked by privileged self-auditing processes to generate higher-level audit
records of their own. These self-auditing processes can turn off the generation of low-level
(system call level) audit records using the audswitch(2) system call and turn it back on
after invoking audwrite(2) to generate a higher-level audit record.
• getaudproc(2) — Invoked by privileged programs to determine whether the calling process is
audited or not.
• setaudproc(2) — Invoked by privileged programs to control whether a process is audited. For
example, login(1) invokes setaudproc(2) to audit or not audit a login process and all its
descendants for a new login session, depending on the value of the per-user or per-system
AUDIT_FLAG attribute in the userdb(4) or security(4) configuration files, respectively.
Daemons
• audomon(1M) — User space daemon that monitors the capacity of the current audit trail (Primary
Audit Trail) and the file system on which the audit trail is located. You can configure audomon to
automatically switch to a Secondary Audit Trail when certain capacity limits are met. You can also
configure the daemon to run a specified script after each successful switch to perform various
operations on the last audit trail, such as running a script to copy the last audit trail to a remote
system. For an example, see audomon(1M).
• Audit daemon — A kernel daemon that collects audit records and periodically writes the records to
the disk. On HP-UX 11i v2, the audit daemon is single threaded. On 11i v3, the audit daemon is
multi-threaded to improve performance by writing audit data into multiple audit trail files
simultaneously.
Files
• audit.conf(4), audit_site.conf(4) — Files containing event mapping information and
site-specific event mapping information, respectively. The audevent(1M) and audisp(1M)
commands use these files.
• Audit trail — Audit records are collected in audit files as audit trails in binary format and are
compressed to save disk space. On HP-UX 11i v2, the audit trail is a single file. On HP-UX 11i v3,
the HP-UX Auditing System can use more than one writer thread to log data, which minimizes the
impact of auditing on system performance. Each writer thread writes to one file, allowing an audit
trail to be written in parallel by multiple kernel threads and potentially increasing the throughput
of the system. As a result, an audit trail is present on the file system as a directory with multiple
audit files in it.
• userdb(4) — The user database that contains the per-user AUDIT_FLAG attribute for controlling
whether a particular user is audited.
• security(4) — The security defaults configuration file that contains the per-system AUDIT_FLAG
attribute. This is the default AUDIT_FLAG attribute for users who do not have an AUDIT_FLAG
attribute set in userdb(4).
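
The audomon(1M) and Audit trail entries above describe a script run after each trail switch and a trail that is a single file on 11i v2 but a directory of files on 11i v3. The sketch below is an added example, not code from this white paper or from HP: a post-switch script that records a checksum manifest for the closed trail in either layout, so that a later copy can be checked for missing or truncated files (the manifest goes beyond what the text describes). It assumes audomon passes the path of the previous trail as the last argument (confirm against audomon(1M)); STAGE_DIR and the script name audit_post_switch.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not from the white paper): post-switch handler for audomon.
# ASSUMPTION: audomon passes the path of the trail it just closed as the
# last argument. STAGE_DIR and the script name are hypothetical.
STAGE_DIR=${STAGE_DIR:-/var/tmp/audit_stage}

# list_sums TRAIL: print "crc size name" for every file in the trail.
# A trail is a directory of per-writer files on 11i v3 and a single
# file on 11i v2; both layouts are handled.
list_sums() {
    if [ -d "$1" ]; then
        ( cd "$1" && find . -type f | LC_ALL=C sort |
            while IFS= read -r f; do cksum "$f" || exit 1; done )
    elif [ -f "$1" ]; then
        ( cd "$(dirname "$1")" && cksum "$(basename "$1")" )
    else
        echo "not an audit trail: $1" >&2
        return 1
    fi
}

# stage_trail TRAIL: write a manifest for the closed trail, print its path.
# cksum is a CRC: it catches truncated or missing files after a copy,
# not deliberate tampering.
stage_trail() {
    manifest="$STAGE_DIR/$(basename "$1").manifest"
    mkdir -p "$STAGE_DIR" || return 1
    list_sums "$1" > "$manifest.tmp" || { rm -f "$manifest.tmp"; return 1; }
    # An empty manifest means a directory trail with no files: refuse it.
    [ -s "$manifest.tmp" ] || { rm -f "$manifest.tmp"; return 1; }
    mv "$manifest.tmp" "$manifest" && echo "$manifest"
}

# verify_trail MANIFEST TRAIL: succeed only if TRAIL matches MANIFEST.
# Run it against the copy once the transfer has finished.
verify_trail() {
    list_sums "$2" | cmp -s - "$1"
}

# When audomon runs this file as a script, act on the last argument only.
if [ "${0##*/}" = "audit_post_switch.sh" ] && [ $# -gt 0 ]; then
    for last in "$@"; do :; done
    stage_trail "$last" > /dev/null
fi
```

Ship the manifest alongside the trail and run verify_trail on the receiving side before removing the local copy.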