HP-UX Reference (11i v3 07/02) - 1M System Administration Commands A-M (vol 3)

audevent(1M) audevent(1M)
NAME
audevent - change or display profile, event, or system call audit status
SYNOPSIS
audevent [-P|-p] [-F|-f] [-r profile] [-E] [-e event]... [-S] [-s syscall]...
audevent [-l]
DESCRIPTION
audevent changes or displays the auditing status of the given profile, event categories, or system calls. A
list of pre-defined profiles, event categories, and system call names is given in /etc/audit/audit.conf.
Any site-specific customizations must be added to /etc/audit/audit_site.conf. See audit.conf(4) for more
details. A profile consists of a set of operations (event categories, self-auditing events, and system calls)
that affect a particular type of system. An event category consists of a set of operations (self-auditing
events and system calls) that affect a particular aspect of the system.
If neither -P, -p, -F, nor -f is specified, the current status of the selected profiles, event categories, or
system calls is displayed.
If the -E option is supplied, it is redundant to use -e to specify particular events. This also applies in the
same way to the -S and -s options. If no event category is specified, all event categories associated with
the selected profile are selected. If no system call is specified, all system calls associated with the selected
profile and event categories are selected. At most one profile may be selected.
audevent takes effect immediately. However, the events and system calls specified are audited only
when called by a user currently being audited (see audit(5)).
If -l is specified, a list of valid profiles, event categories, and system calls is displayed. This option may
be helpful when deciding which profile, event, or syscall to use with the -r, -e, or -s options respectively.
The same information can also be found in /etc/audit/audit.conf (see audit.conf(4)).
Note: The set of audited system calls and corresponding audit events will change as HP-UX continues
to evolve.
Only a privileged user can change or display audit status.
Options
audevent recognizes the following options and command-line arguments:
-P            Audit successful events or system calls.
-p            Do not audit successful events or system calls.
-F            Audit failed events or system calls.
-f            Do not audit failed events or system calls.
-r profile    Select profile to change or display.
-E            Select all events to change or display.
-e event      Select event to change or display. The event must be a valid event category (base
              event or event alias) that is defined in /etc/audit/audit.conf or
              /etc/audit/audit_site.conf.
-S            Select all system calls to change or display.
-s syscall    Select syscall to change or display. The syscall must be a valid system call name or
              system call alias name that is defined in /etc/audit/audit.conf or
              /etc/audit/audit_site.conf.
-l            Display a list of valid profiles, event categories, and system calls. This option must
              not be used with any other options.
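As an added example (not part of the HP-UX manual), the following POSIX shell functions apply the rules above to audevent command lines collected for review, for instance from a privileged-command log, and label each one as listing, display-only, enabling, or reducing audit coverage. The sample lines and the profile names profile_a and profile_b are constructed, and the code assumes each option is written as a separate word.

```shell
# Added example, not from the HP-UX manual. Assumes one option per word.
# classify_audevent ARGS...
#   prints: list | display | enable | reduce | invalid | unknown
classify_audevent() {
    on=0 off=0 list=0 other=0 profiles=0
    while [ $# -gt 0 ]; do
        case $1 in
            -P|-F) on=1 ;;      # audit successful / failed operations
            -p|-f) off=1 ;;     # stop auditing successful / failed operations
            -l)    list=1 ;;
            -E|-S) other=1 ;;
            -r|-e|-s)           # options that take an argument
                [ $# -ge 2 ] || { echo invalid; return 0; }
                if [ "$1" = -r ]; then profiles=$((profiles + 1)); fi
                other=1; shift ;;
            *)     echo unknown; return 0 ;;   # not parsed here: review by hand
        esac
        shift
    done
    if [ "$list" -eq 1 ]; then
        # -l must not be used with any other options
        if [ $((on + off + other)) -eq 0 ]; then echo list; else echo invalid; fi
    elif [ "$profiles" -gt 1 ]; then echo invalid   # at most one profile
    elif [ "$off" -eq 1 ]; then echo reduce         # audit coverage is removed
    elif [ "$on" -eq 1 ]; then echo enable
    else echo display                               # none of -P, -p, -F, -f
    fi
}

# Reads command lines on stdin and prints "<class><TAB><command line>".
review_audevent_lines() {
    while read -r cmd args; do
        [ "$cmd" = audevent ] || continue
        # set -f: split $args into words without filename expansion
        printf '%s\t%s %s\n' "$(set -f; classify_audevent $args)" "$cmd" "$args"
    done
}

# Constructed sample input.
SAMPLE='audevent -l
audevent -e create -e delete
audevent -P -F -e create -e delete
audevent -p -f -E
audevent -r profile_a -r profile_b
audevent -l -E'

printf '%s\n' "$SAMPLE" | review_audevent_lines
```

Lines labelled reduce are the ones to correlate with an approved change, because they stop successes or failures from being audited with immediate effect.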
The following is a list of the pre-defined event types or categories:
create        Object creation. For example: file creation, directory creation, and other object
              creation.
delete        Object deletion. For example: file deletion, directory deletion, and other object
              deletion.
46 Hewlett-Packard Company 1 HP-UX 11i Version 3: February 2007