HP-UX Reference (11i v2 07/12) - 1M System Administration Commands A-M (vol 3)

ManualsBrandsHP ManualsSoftwareHP-UX Reference Manuals

audevent(1M) audevent(1M)

NAME

audevent - change or display event or system call audit status

SYNOPSIS

audevent [-P-p][-F

-f][-E][[-e event ] ...] [-S

][[-s syscall ] ... ]

audevent [-l]

DESCRIPTION

audevent changes or displays the auditing status of the given events or system calls. The event is used

to specify names associated with certain self-auditing commands; syscall is used to select related system

calls.

If neither

-P, -p, -F, nor

-f is speciﬁed, the current status of the selected events or system calls is

displayed.

If the

-E option is supplied, it is redundant to specify events with the

-e option. This also applies to the

-S and -s options. If no event is speciﬁed, all events are selected. If no system call is speciﬁed, all sys-

tem calls associated with the selected events are selected.

audevent takes effect immediately. However, the events and system calls speciﬁed are audited only

when called by a user currently being audited (see audusr(1M)).

If -l is speciﬁed, a list of valid events and their associated system calls (if any) are displayed. This option

may be helpful when deciding which -e or -s options to use.

Note: The set of audited system calls and corresponding audit events varies frequently as HP-UX

evolves. The system call name referred to by the auditing system usually matches the real system call

name, but with a few exceptions. Some important known exceptions are provided in System Call

Name Mapping Execptions.

Only the super-user can change or display audit status.

Options

audevent recognizes the following options and command-line arguments:

-P Audit successful events or system calls.

-p Do not audit successful events or system calls.

-F Audit failed events or system calls.

-f Do not audit failed events or system calls.

-E Select all events for change or display.

-e event Select event for change or display.

-S Select all system calls for change or display.

-s syscall Select syscall for change or display.

-l Display a list of valid events and their associated system calls. This option should not

be used with any other options.

The following is a list of the valid event types or categories:

create Object creation. For example, ﬁle creation, directory creation, and other object crea-

tion.

delete Object deletion. For example, ﬁle deletion, directory deletion, and other object dele-

tion.

readdac Discretionary access control (DAC) information reading events.

moddac DAC modiﬁcation events.

modaccess Non-DAC modiﬁcation events.

open Object opening. For example, ﬁle open and other object open.

close Object closing. For example, ﬁle close and other object close.

process Process operations.

72 Hewlett-Packard Company − 1 − HP-UX 11i Version 2: December 2007 Update