audit.conf(4)

HP-UX 11i Version 3: February 2007

NAME

audit.conf, audit_site.conf — files containing event mapping information and site-specific event mapping information

DESCRIPTION

Files /etc/audit/audit.conf and /etc/audit/audit_site.conf store the event mapping information that can be used by audevent and audisp.

An event is a particular system operation. It may be either a self-auditing event or a system call. Auditable events are classified into several event categories and/or profiles. Events and system calls may have aliases.

When the auditing system is installed, a default set of event mapping information is provided in /etc/audit/audit.conf. In order to meet site-specific requirements, users may also define event categories and profiles in /etc/audit/audit_site.conf.

In general, an event category is defined as a set of operations that affect a particular aspect of the system. A profile is defined as a set of operations that affect a particular type of system. With these classifications, a set of events can be selected when using audevent or audisp by specifying the event category or the profile that the events are associated with.

Here is the syntax of the directives in /etc/audit/audit.conf and /etc/audit/audit_site.conf:

    EVENT event_name = {system_call_name}...

    SELFAUD_EVENT self_auditing_event_name

    SYSCALL_ALIAS system_call_alias_name = system_call_name

    EVENT_ALIAS event_alias_name =
        { system_call_name [+|-] |
          SYSCALL_ALIAS system_call_alias_name [+|-] |
          SELFAUD_EVENT self-auditing_event_name [+|-] |
          EVENT event_name [+|-] }
        [, { system_call_name [+|-] |
             SYSCALL_ALIAS system_call_alias_name [+|-] |
             SELFAUD_EVENT self-auditing_event_name [+|-] |
             EVENT event_name [+|-] } ]...

    PROFILE profile_name =
        { system_call_name [+|-] |
          SYSCALL_ALIAS system_call_alias_name [+|-] |
          SELFAUD_EVENT self-auditing_event_name [+|-] |
          EVENT event_name [+|-] |
          EVENT_ALIAS event_alias_name [+|-] }
        [, { system_call_name [+|-] |
             SYSCALL_ALIAS system_call_alias_name [+|-] |
             SELFAUD_EVENT self-auditing_event_name [+|-] |
             EVENT event_name [+|-] |
             EVENT_ALIAS event_alias_name [+|-] } ]...

Event categories are defined using the EVENT directive for base events and the EVENT_ALIAS directive for event aliases.

Base events are events that are pre-defined by the HP-UX operating system. They are always associated with self-auditing events that have the same name and/or with a list of system calls with the names that are referred to by the HP-UX auditing system.

Event aliases, distinct from base events, are combinations of base events, self-auditing events, system calls, and system call aliases.

The system call name referred to by the auditing system usually matches the real system call name with a few exceptions. If the system call is one of these exceptions, an alias name may be defined using the SYSCALL_ALIAS directive, and the alias name can be used by audevent and audisp for system call level selection. For example, the system call sethostname() is referred to as the system call .set_sys_info() by the auditing system. The interface of .set_sys_info() is not publicly exported, but the security relevant information of this system call is described in /etc/audit/audit.info; this file documents the security relevant information for all system calls that have names beginning with a period (.).

Profiles are defined using the PROFILE directive. Profiles can be combinations of any events.

In /etc/audit/audit_site.conf only EVENT_ALIAS and PROFILE directives are allowed; names picked for event_alias_name or profile_name must begin with an uppercase character and must have at least one lowercase character. Adding + or - at the end of an event name indicates that only successful (+) or only failed (-) operations are included.

EXAMPLES

Here are some example entries that could be in /etc/audit/audit_site.conf:

    EVENT_ALIAS MyAdmin = settune, modload+, moduload-
    PROFILE MyProfile1 = EVENT login, EVENT moddac
    PROFILE MyProfile2 = EVENT login, EVENT_ALIAS MyAdmin-

Selecting MyAdmin for auditing enables audit for the system calls settune() (for both pass and fail), modload() (for pass only), and moduload() (for fail only). Note that MyProfile2 contains login and the fail events covered under MyAdmin. Selecting this profile causes login to be audited for both pass and fail, settune() and moduload() to be audited for fail, and modload() to not be audited at all.
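The following Python sketch is an added example, not part of the HP-UX manual or its tools. It checks an audit_site.conf against the rules above and expands a profile to the outcomes it would audit, so a gap such as modload() dropping out of MyProfile2 shows up before the file is deployed. The function names are hypothetical, the narrowing rule (a +/- on an alias intersects with each member's own suffix) is inferred from the example above, and names defined only in audit.conf are kept as unexpanded leaves.

```python
import re

SITE_DIRECTIVES = {"EVENT_ALIAS", "PROFILE"}  # the only directives allowed in audit_site.conf
MEMBER = re.compile(r"(?:(EVENT_ALIAS|EVENT|SYSCALL_ALIAS|SELFAUD_EVENT)\s+)?(\S+?)([+-]?)")
BOTH = frozenset({"pass", "fail"})

def parse_site_conf(text):
    """Return {name: (directive, [(kind, target, outcomes), ...])} or raise ValueError."""
    defs = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = re.fullmatch(r"\s*(\w+)\s+(\w+)\s*=\s*(.+?)\s*", line)
        if not m or m.group(1) not in SITE_DIRECTIVES:
            raise ValueError(f"line {n}: only EVENT_ALIAS and PROFILE directives are allowed")
        directive, name, body = m.groups()
        if not (name[0].isupper() and any(c.islower() for c in name)):
            raise ValueError(f"line {n}: {name!r} must start uppercase and contain a lowercase")
        members = []
        for item in body.split(","):
            mm = MEMBER.fullmatch(item.strip())
            if not mm or (mm.group(1) == "EVENT_ALIAS" and directive != "PROFILE"):
                raise ValueError(f"line {n}: bad member {item.strip()!r}")
            kind, target, sign = mm.group(1) or "SYSCALL", mm.group(2), mm.group(3)
            outcomes = BOTH if not sign else frozenset({"pass" if sign == "+" else "fail"})
            members.append((kind, target, outcomes))
        defs[name] = (directive, members)
    return defs

def resolve(defs, name, mask=BOTH):
    """Expand a name to {leaf: outcomes}; a +/- on an alias narrows every member of it."""
    result = {}
    for kind, target, outcomes in defs[name][1]:
        allowed = outcomes & mask
        if kind == "EVENT_ALIAS" and defs.get(target, ("",))[0] == "EVENT_ALIAS":
            sub = resolve(defs, target, allowed)
        else:  # names defined only in audit.conf stay opaque, keyed with their kind
            sub = {target if kind == "SYSCALL" else f"{kind} {target}": allowed}
        for leaf, got in sub.items():
            result[leaf] = result.get(leaf, frozenset()) | got
    return {leaf: got for leaf, got in result.items() if got}

# Constructed input: the three example entries from this page.
SAMPLE = """\
EVENT_ALIAS MyAdmin = settune, modload+, moduload-
PROFILE MyProfile1 = EVENT login, EVENT moddac
PROFILE MyProfile2 = EVENT login, EVENT_ALIAS MyAdmin-
"""
```

Calling resolve(parse_site_conf(SAMPLE), "MyProfile2") returns login for both outcomes, settune and moduload for fail only, and no entry for modload.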

AUTHOR

audit.conf was developed by HP.

FILES

/etc/audit/audit.conf

File containing event mapping information

/etc/audit/audit.info

File containing audit information description for HP-UX internal system calls which are not publicly supported

/etc/audit/audit_site.conf

File containing site-specific event mapping information

© 1983-2007 Hewlett-Packard Development Company, L.P.