HP-UX Reference (11i v2 03/08) - 5 Miscellaneous Topics, 7 Device (Special) Files, 9 General Information, Index (vol 9)
a
audit(5) audit(5)
NAME
audit - introduction to HP-UX Auditing System
SYNOPSIS
#include <sys/audit.h>
DESCRIPTION
The purpose of the auditing system is to record instances of access by subjects to objects and to allow
detection of any (repeated) attempts to bypass the protection mechanism and any misuses of privileges,
thus acting as a deterrent against system abuses and exposing potential security weaknesses in the sys-
tem.
User and Event Selection
The auditing system provides administrators with a mechanism to select users and activities to be
audited. Users are assigned unique identifiers called audit ids by the administrator which remain
unchanged throughout a user’s history. The audusr(1M) command is used to specify those users who are
to be audited. The audevent (1M) command is used to specify system activities (auditable events) that are
to be audited. Auditable events are classified into several categories. An event category consists of a set
of operations that affect a particular aspect of the system. For an event category list, see audevent (1M).
Self-auditing Programs
To reduce the amount of log data and to provide a higher-level recording of some typical system opera-
tions, a collection of privileged programs are given capabilities to perform self-auditing. This means that
the programs can suspend the currently specified auditing on themselves and produce a high-level
description of the operations they perform. These self-auditing programs include: at(1), chfn(1), chsh(1),
crontab(1), login(1), newgrp(1), passwd(1), audevent (1M), audisp(1M), audsys(1M), audusr(1M),
cron(1M), groupadd(1M), groupdel(1M), groupmod(1M), init(1M), lpsched (1M), sam(1M), useradd (1M),
userdel(1M), and usermod(1M).
Note: Only privileged programs are allowed to do self-auditing. The audit suspension they perform
only affects these programs and does not affect any other processes on the system.
Most of these commands generate audit data under a single event category. For example, sam(1M) gen-
erates the audit data under the event admin. Other commands may generate data under multiple event
categories. For example, init(1M) generates data under the events login and admin.
Viewing of Audited Data
The audisp (1M) command is used to view audited data recorded in log files. audisp (1M) merges the log
files into a single audit trail in chronological sequence. The administrator can select viewing criteria pro-
vided by audisp(1M) to limit the search to particular kinds of events which the administrator is
interested in investigating.
Monitoring the Auditing System
To ensure that the auditing system operates normally and that any abnormal behaviors are detected, a
privileged daemon program, audomon(1M), runs in the background to monitor various auditing system
parameters. When these parameters take on abnormal (dangerous) values, or when components of the
auditing system are accidentally removed, audomon(1M) prints warning messages and tries to resolve the
problem if possible.
Starting and Halting the Auditing System
The administrator can use the audsys(1M) command to start or halt the auditing system, or to get a brief
summary of the status of the audit system. Prior to starting the auditing system, audsys(1M) also vali-
dates the parameters specified, and ensures that the auditing system is in a safe and consistent state.
Audit Log Files
At any time when the auditing system is enabled, at least an audit log file must be present, and another
back-up log file is highly recommended. Both of these files (along with various attributes for these files)
can be specified using audsys(1M). When the current log file exceeds a pre-specified size, or when the
auditing file system is dangerously full, the system automatically switches to the back-up file if possible.
If a back-up log file is not available, warning messages are sent to request appropriate administrator
action.
Section 5−−48 Hewlett-Packard Company − 1 − HP-UX 11i Version 2: August 2003