audit.conf.4 (2010 09)

audit.conf(4) audit.conf(4)
.set_sys_info() by the auditing system. The interface of .set_sys_info() is not publicly exported, but the security relevant information of this system call is described in /etc/audit/audit.info; this file documents the security relevant information for all system calls that have names beginning with a period (.).
Profiles are defined using the PROFILE directive. Profiles can be combinations of any events.
In /etc/audit/audit_site.conf only EVENT_ALIAS and PROFILE directives are allowed; names picked for event_alias_name or profile_name must begin with an uppercase character and must have at least one lowercase character. Adding + or - at the end of an event name indicates that only successful (+) or failed (-) operations are included.
EXAMPLES
Here are some example entries that could be in /etc/audit/audit_site.conf:

    EVENT_ALIAS MyAdmin = settune, modload+, moduload-
    PROFILE MyProfile1 = EVENT login, EVENT moddac
    PROFILE MyProfile2 = EVENT login, EVENT_ALIAS MyAdmin-

Selecting MyAdmin for auditing enables audit for the system calls settune() (for both pass and fail), modload() (for pass only), and moduload() (for fail only). Note that MyProfile2 contains login and the fail events covered under MyAdmin. Selecting this profile causes login to be audited for both pass and fail, settune() and moduload() to be audited for fail, and modload() to not be audited at all.
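The selection rules above, worked through as an added Python example (not HP's code and not part of the original man page): it parses the three example entries, enforces the directive and naming rules for audit_site.conf, and computes which outcomes a profile actually audits. The function names and the assumption that names consist of letters, digits and underscores are illustrative; bare EVENT names such as login are treated as opaque because their mapping lives in /etc/audit/audit.conf.

```python
import re

# The three example entries from the page's EXAMPLES section.
SAMPLE = """\
EVENT_ALIAS MyAdmin = settune, modload+, moduload-
PROFILE MyProfile1 = EVENT login, EVENT moddac
PROFILE MyProfile2 = EVENT login, EVENT_ALIAS MyAdmin-
"""
BOTH = frozenset({"pass", "fail"})
# Uppercase first character, at least one lowercase; the \w charset is an assumption.
NAME_RE = re.compile(r"^[A-Z](?=\w*[a-z])\w*$")
LINE_RE = re.compile(r"^(\w+)\s+([^\s=]+)\s*=\s*(.+)$")

def split_outcome(token):
    """'modload+' -> ('modload', {'pass'}); no suffix selects both outcomes."""
    if token.endswith(("+", "-")):
        return token[:-1], frozenset({"pass" if token[-1] == "+" else "fail"})
    return token, BOTH

def parse_site_conf(text):
    """Parse directives, rejecting anything audit_site.conf does not allow."""
    aliases, profiles = {}, {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) not in ("EVENT_ALIAS", "PROFILE"):
            raise ValueError(f"line {n}: only EVENT_ALIAS and PROFILE are allowed")
        kind, name, body = m.groups()
        if not NAME_RE.match(name):
            raise ValueError(f"line {n}: invalid name {name!r}")
        items = [item.strip() for item in body.split(",")]
        if kind == "EVENT_ALIAS":
            aliases[name] = dict(split_outcome(item) for item in items)
        else:
            profiles[name] = [tuple(item.split()) for item in items]
    return aliases, profiles

def resolve(profile, aliases, profiles):
    """Map each event or system call to the sorted outcomes the profile audits."""
    audited = {}
    for kind, token in profiles[profile]:
        name, wanted = split_outcome(token)
        members = aliases[name] if kind == "EVENT_ALIAS" else {name: BOTH}
        for member, allowed in members.items():
            # A suffix on the alias narrows each member's own selection.
            audited[member] = sorted(set(audited.get(member, [])) | (allowed & wanted))
    return audited

if __name__ == "__main__":
    print(resolve("MyProfile2", *parse_site_conf(SAMPLE)))
```

An empty outcome list, as modload gets under MyProfile2, marks a call that a reviewer might assume is covered but that the profile never audits.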
AUTHOR
audit.conf was developed by HP.
FILES
/etc/audit/audit.conf
    File containing event mapping information
/etc/audit/audit.info
    File containing audit information description for HP-UX internal system calls which are not publicly supported
/etc/audit/audit_site.conf
    File containing site-specific event mapping information
SEE ALSO
audevent(1M), audisp(1M).
Hewlett-Packard Company  HP-UX 11i Version 3: September 2010