audevent.1m (2010 09)

audevent(1M) audevent(1M)

readdac Discretionary access control (DAC) information reading events.

moddac DAC modiﬁcation events.

modaccess Non-DAC modiﬁcation events.

open Object opening. For example: ﬁle open and other object open.

close Object closing. For example: ﬁle close and other object close.

process Process operations.

removable Removable media events. For example: mounting and unmounting events.

admin All administrative and privileged events.

ipccreat Interprocess Communication (IPC) object creation.

ipcopen IPC object opening.

ipcclose IPC object deletion.

ipcdgram IPC Datagram transactions.

uevent1 User-deﬁned event 1 (for self-auditing records).

uevent2 User-deﬁned event 2 (for self-auditing records).

uevent3 User-deﬁned event 3 (for self-auditing records).

EXAMPLES

Example 1: To display the list of valid proﬁles, event categories, and system calls as deﬁned in ﬁle

/etc/audit/audit.conf

and /etc/audit/audit_site.conf, use:

# audevent -l

Example 2: To display the current audit event selection status, use:

# audevent

The selection status for self-auditing events will be listed ﬁrst, followed by the selection status for system

calls.

Example 3: To audit all and only the events that are associated with proﬁle basic for auditing, use:

# audevent -pfE; audevent -P -F -r basic

Example 4: To audit all bad login attempts, use:

# audevent -F -e login

Without doing a audevent -pfE ﬁrst, this conﬁguration will be made incremental to what has already

been conﬁgured before.

WARNINGS

All modiﬁcations made to the auditing system are lost upon reboot.

To make the changes permanent, set

AUDEVENT_ARGS1, AUDEVENT_ARGS2

,orAUDEVENT_ARGS3 in

/etc/rc.config.d/auditing.

AUTHOR

audevent was developed by HP.

FILES

/etc/audit/audit.conf File containing event mapping information

/etc/audit/audit_site.conf File containing site-speciﬁc event mapping information.