audit.conf.4 (2010 09)

audit.conf(4) audit.conf(4)
NAME
audit.conf, audit_site.conf - files containing event mapping information and site-specific event mapping
information
DESCRIPTION
Files /etc/audit/audit.conf and /etc/audit/audit_site.conf store the event mapping information that can be used by audevent and audisp.
An event is a particular system operation. It may be either a self-auditing event or a system call. Auditable events are classified into several event categories and/or profiles. Events and system calls may have aliases.
When the auditing system is installed, a default set of event mapping information is provided in /etc/audit/audit.conf. In order to meet site-specific requirements, users may also define event categories and profiles in /etc/audit/audit_site.conf.
In general, an event category is defined as a set of operations that affect a particular aspect of the system. A profile is defined as a set of operations that affect a particular type of system. With these classifications, a set of events can be selected when using audevent or audisp by specifying the event category or the profile that the events are associated with.
Here is the syntax of the directives in /etc/audit/audit.conf and /etc/audit/audit_site.conf:
    EVENT event_name = {system_call_name}...
    SELFAUD_EVENT self_auditing_event_name
    SYSCALL_ALIAS system_call_alias_name = system_call_name
    EVENT_ALIAS event_alias_name =
        { system_call_name [+|-] |
          SYSCALL_ALIAS system_call_alias_name [+|-] |
          SELFAUD_EVENT self-auditing_event_name [+|-] |
          EVENT event_name [+|-] }
        [, { system_call_name [+|-] |
             SYSCALL_ALIAS system_call_alias_name [+|-] |
             SELFAUD_EVENT self-auditing_event_name [+|-] |
             EVENT event_name [+|-] } ]...
    PROFILE profile_name =
        { system_call_name [+|-] |
          SYSCALL_ALIAS system_call_alias_name [+|-] |
          SELFAUD_EVENT self-auditing_event_name [+|-] |
          EVENT event_name [+|-] |
          EVENT_ALIAS event_alias_name [+|-] }
        [, { system_call_name [+|-] |
             SYSCALL_ALIAS system_call_alias_name [+|-] |
             SELFAUD_EVENT self-auditing_event_name [+|-] |
             EVENT event_name [+|-] |
             EVENT_ALIAS event_alias_name [+|-] } ]...
Event categories are defined using the EVENT directive for base events and the EVENT_ALIAS directive
for event aliases.
Base events are events that are pre-defined by the HP-UX operating system. They are always associated
with self-auditing events that have the same name and/or with a list of system calls with the names that
are referred to by the HP-UX auditing system.
Event aliases, distinct from base events, are combinations of base events, self-auditing events, system
calls, and system call aliases.
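The following is an added example, not part of the original manual page or of HP-UX: a small checker that parses the directive syntax shown above and expands a profile or event alias into the system calls and self-auditing events it covers, reporting references that are undefined or circular. It assumes list members are comma-separated and that a directive continues onto the next line when a line ends with "," or "="; the [+|-] suffix is recorded but not interpreted, and every name in the sample is constructed.

```python
import re

# Item grammar from the page: [KEYWORD] name [+|-]; a bare name is a system call.
ITEM = re.compile(r"^(?:(SYSCALL_ALIAS|SELFAUD_EVENT|EVENT_ALIAS|EVENT)\s+)?(\w+)\s*([+-]?)$")
KINDS = ("EVENT", "SELFAUD_EVENT", "SYSCALL_ALIAS", "EVENT_ALIAS", "PROFILE")

# Constructed sample, not taken from a real audit.conf or audit_site.conf.
SAMPLE = """\
EVENT create = creat, mkdir, mknod
EVENT delete = unlink, rmdir
SELFAUD_EVENT login
SYSCALL_ALIAS site_alias = example_call
EVENT_ALIAS site_files = EVENT create, EVENT delete-,
    SYSCALL_ALIAS site_alias
PROFILE site_server = EVENT_ALIAS site_files, SELFAUD_EVENT login+,
    EVENT_ALIAS site_net, chown
"""

def parse(text):
    """Return {directive: {name: [(ref_kind, ref_name, suffix), ...]}}."""
    defs, buf = {k: {} for k in KINDS}, ""
    for line in text.splitlines():
        buf = (buf + " " + line.strip()).strip()
        if not buf or buf.endswith((",", "=")):   # assumed continuation rule
            continue
        head, _, body = buf.partition("=")
        kind, name = head.split()
        refs = [ITEM.match(i.strip()).groups() for i in body.split(",") if i.strip()]
        defs[kind][name] = [(k or "SYSCALL", n, s) for k, n, s in refs]
        buf = ""
    return defs

def expand(defs, kind, name, path=()):
    """Resolve one reference to (system calls, self-auditing events, problems)."""
    if kind == "SYSCALL":
        return {name}, set(), []
    # A base event also covers the self-auditing event of the same name, if declared.
    selfaud = {name} if kind in ("EVENT", "SELFAUD_EVENT") and name in defs["SELFAUD_EVENT"] else set()
    if name not in defs[kind] and not selfaud:
        return set(), set(), [f"undefined {kind} {name}"]
    if (kind, name) in path:
        return set(), set(), [f"cycle at {kind} {name}"]
    calls, problems = set(), []
    for k, n, _suffix in defs[kind].get(name, []):   # suffix kept by parse, not interpreted
        c, s, p = expand(defs, k, n, path + ((kind, name),))
        calls, selfaud, problems = calls | c, selfaud | s, problems + p
    return calls, selfaud, problems
```

Calling expand(parse(SAMPLE), "PROFILE", "site_server") flags the reference to site_net, which the sample never defines; a site file with such a gap is worth catching before relying on the profile for event selection.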
The system call name referred to by the auditing system usually matches the real system call name with
a few exceptions. If the system call is one of these exceptions, an alias name may be defined using the
SYSCALL_ALIAS directive, and the alias name can be used by audevent and audisp for system call
level selection. For example, the system call sethostname() is referred to as the system call
HP-UX 11i Version 3: September 2010 1 Hewlett-Packard Company 1
