White Paper
Audit tags
When a user logs in, a unique audit session ID called an audit tag is generated and attached to
all audit records produced by the processes belonging to that login. The audit tag is a string that
includes the login name and the login time, and it remains the same for the whole login session. Even if a
user changes identity within a single session, all events are still recorded with the same audit tag and
remain accountable under the original login user's name.
Audit trail
An audit trail contains all audit records in chronological order and provides a complete information
trail for display and analysis. An active audit trail must be in use whenever the auditing system is
enabled. Access to the auditing system, including the audit trails, is restricted to privileged users.
The Primary Audit Trail is the current audit trail in which audit records are currently being written,
while the Secondary Audit Trail is the next audit trail that will store new audit records when certain
capacity limits are reached for the Primary Audit Trail. The trail names and various attributes for the
trails, such as the capacity limits, are set using the audsys(1M) command.
The audomon(1M) daemon detects when the current trail exceeds a specified size or when the
auditing file system is dangerously full. When that occurs, the daemon automatically switches from the
Primary Audit Trail to the Secondary Audit Trail, which has the same base name but a different
timestamp extension. You can specify a script when starting audomon(1M) to perform
operations on the Primary Audit Trail that was just switched out, such as copying that
audit trail to a remote, centralized server for archiving.
For performance reasons, the HP-UX Auditing System on 11i v3 is by default in normal mode in which
the audit trail consists of multiple files under a single directory to allow concurrent writing of audit
records by the kernel Audit Daemon. You can also configure the HP-UX Auditing System in
compatibility mode in which the audit trail is a single file. For information on how to modify the audit
trail mode on HP-UX 11i v3, see audsys(1M). For HP-UX Auditing System on 11i v2, an audit trail
can only consist of a single file.
Audit events
For selected security-related system events, the auditing system records in log files each instance of
access by a subject to an object on the system. Audit events, also known as audit records, are generated
when users make security-relevant system calls and when self-auditing programs invoke
audwrite(2) to generate self-audit records. Each system call audit record and self-audit record
contains the following information about the event:
Who caused the event (the subject):
    - Real and effective user name and process ID
    - Audit session ID and audit tag
    - Name of the command executed to trigger the event
    - Hostname and IP address of the source host from which the user logged in
What the event is:
    - The event type: a system call event or a self-audit event
    - The object (for example, the file being modified or the user login account)
    - The action performed on the object (for example, modification of a file's permissions)
    - Whether the event succeeded or failed and, if it failed, the reason for the failure
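As an added example (not code from the white paper or from HP-UX), the following Python groups records by the login name carried in the audit tag, so that events run under a changed identity stay attributed to the original login user as described under Audit tags, and it pulls out the failed events with their recorded reason as listed above. The pipe-delimited record layout and the sample trail are constructed for illustration and are not the real HP-UX audit trail format.

```python
from collections import defaultdict, namedtuple

# Constructed sample trail in a hypothetical text form (not the real HP-UX record format).
# Fields: audit_tag|real_user|effective_user|event|object|result
SAMPLE_TRAIL = """\
alice@20240105T091200|alice|alice|login|/dev/pts/3|success
alice@20240105T091200|alice|alice|su|root|success
alice@20240105T091200|alice|root|chmod|/etc/passwd|success
alice@20240105T091200|alice|root|open|/etc/shadow|success
bob@20240105T093000|bob|bob|login|/dev/pts/4|success
bob@20240105T093000|bob|bob|open|/etc/shadow|failure:EACCES
"""

AuditRecord = namedtuple("AuditRecord", "tag real_user eff_user event obj result")

def login_user(rec):
    # The tag embeds the login name and login time; the name part is the identity
    # the whole session stays accountable under, whatever su does later.
    return rec.tag.split("@", 1)[0]

def parse_trail(text):
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        records.append(AuditRecord(*fields))
    return records

def events_by_login_user(records):
    """Group events by the login user taken from the audit tag, not by effective user."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[login_user(rec)].append(rec)
    return dict(grouped)

def identity_changes(records):
    """Events run under an effective identity other than the login user (e.g. after su)."""
    return [(login_user(r), r.eff_user, r.event, r.obj)
            for r in records if r.eff_user != login_user(r)]

def failed_events(records):
    """Failed events with the recorded reason, attributed to the login user."""
    return [(login_user(r), r.event, r.obj, r.result)
            for r in records if r.result != "success"]
```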