HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 10 Audit Administration

Auditing Events


An event is an action with security implications, such as creating a file, opening a file, or logging in to the system. You can audit events on an HP-UX system to enhance security by detecting possible breaches. However, the more events you choose to audit, the more system resources are used and the greater the impact on system performance. The security architect must determine which events to audit based on business needs and any applicable government regulations.

The audevent command is used to specify system activities (auditable events) that are to be audited. Auditable events are classified into event categories and profiles for easier configuration. Once an event category or a profile is selected, all system calls and self-auditing events associated with the event category or profile are selected. When the auditing system is installed, a default set of event classification information is provided in the /etc/audit/audit.conf file. Additional, site-specific classifications and profiles may also be defined in the /etc/audit/audit_site.conf file.

NOTE:

HP recommends that you audit the following events at a minimum:

  • admin event

  • login event

  • moddac self-auditing event

  • execv, execve

  • pset event

These events are predefined as the basic profile in the /etc/audit/audit.conf file.

Configure the events you want to audit before you turn on the auditing system. The syntax for the audevent command is as follows:

# audevent [options]

The following options are commonly used with the audevent command:

Table 10-4 audevent Command Options

  audevent option         Description
  -e event                Specifies an event to log
  -F                      Logs unsuccessful event operations
  -l                      Displays a complete list of event types and associated system calls
  -P                      Logs successful event operations
  -r profile              Specifies the profile of events to log. Profiles are defined in the /etc/audit/audit.conf file.
  -S or -s system_call    Changes the audit status of an event or system call
  (no option)             Displays the current status of the selected events or system calls

To configure the admin, login, and moddac events for auditing, enter the following command:

# audevent -P -F -e admin -e login -e moddac

To configure the events in the basic profile for auditing, use the following command:

# audevent -P -F -r basic

With -P and -F given together, both Audit Success and Audit Failure are set as event types, so successful and failed events or system calls are monitored. This is the minimum event type selection recommended for running a system.
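The selections above are applied with audevent by hand; the following POSIX shell script is an added example (not from the HP-UX guide) that checks a planned selection against the minimum set the note above recommends before building and running the audevent command line. The split of that minimum list into event categories (selected with -e) and system calls (selected with -s) is this example's assumption, as is treating every other name as an event category; audevent itself is only invoked when it is present on the host.

```shell
#!/bin/sh
# Added example, not part of the HP-UX documentation: pre-flight check of a
# planned audevent selection against the recommended minimum, then the
# audevent invocation that applies it with both -P and -F.
# Assumption: admin, login, moddac and pset are event categories (-e) and
# execv and execve are system calls (-s). Any other name is passed with -e;
# extend MIN_SYSCALLS if further system calls are planned.

MIN_EVENTS="admin login moddac pset"   # selected with -e
MIN_SYSCALLS="execv execve"            # selected with -s

# missing_minimum NAME...: print the recommended names absent from the planned
# list (empty output means the minimum is fully covered).
missing_minimum() {
    planned=" $* "
    missing=""
    for name in $MIN_EVENTS $MIN_SYSCALLS; do
        case "$planned" in
            *" $name "*) ;;                                  # planned, fine
            *) missing="$missing${missing:+ }$name" ;;       # not planned
        esac
    done
    printf '%s' "$missing"
}

# build_audevent NAME...: print the audevent command line that selects the
# given names for successful (-P) and failed (-F) operations.
build_audevent() {
    cmd="audevent -P -F"
    for name in "$@"; do
        case " $MIN_SYSCALLS " in
            *" $name "*) cmd="$cmd -s $name" ;;   # system call
            *)           cmd="$cmd -e $name" ;;   # event category
        esac
    done
    printf '%s' "$cmd"
}

# apply_selection NAME...: refuse a selection that drops part of the minimum;
# otherwise run the built command where audevent exists (root on HP-UX), and
# only show it elsewhere. Run this before turning the auditing system on.
apply_selection() {
    gap=$(missing_minimum "$@")
    if [ -n "$gap" ]; then
        echo "refusing: minimum audit set not covered, missing: $gap" >&2
        return 1
    fi
    cmdline=$(build_audevent "$@")
    if command -v audevent >/dev/null 2>&1; then
        $cmdline
    else
        echo "would run: $cmdline"
    fi
}

# Example use: a selection that drops moddac is rejected; the full minimum
# is accepted and translated into the audevent command line.
apply_selection admin login
apply_selection admin login moddac pset execv execve
```

Because the minimum set is checked before anything is passed to audevent, a script that configures only part of it fails loudly instead of leaving the system with an incomplete audit selection when auditing is later switched on.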

Generally, a record is written only if both the event is selected for auditing and the user initiating the event has been selected for auditing. However, some records may still be generated when a user starts a session and ends a session, even if the user is not selected for auditing. Those records are considered system-wide information that is based on event selection instead of user selection. Programs that do self-auditing may make arbitrary decisions to ignore the user selection, but this is not recommended for self-auditing.

© 2008 Hewlett-Packard Development Company, L.P.