Some processes invoke a series of actions that
can be audited. To reduce the amount of audit log data collected and
to provide for more meaningful notations in the audit log files, some
of these processes are programmed to suspend auditing of the actions
they invoke and produce one audit log entry describing the process
that occurred. Processes programmed in this way are called self-auditing
programs; using self-auditing programs streamlines audit log data.

NOTE: The list of self-auditing processes varies from system to system.

Self-auditing processes
The following processes have self-auditing capabilities:
- chfn: Change finger entry
- chsh: Change login shell
- login: The login utility
- newgrp: Change effective group
- passwd: Change password
- audevent: Select events to be audited
- audisp: Display the audit data
- audsys: Start or halt the auditing system
- audusr: Select users to be audited
- init: Change run levels, users logging off
- lpsched: Schedule line printer requests
- fbackup: Flexible file backup
- ftpd: File transfer protocol daemon
- remshd: Remote shell server daemon
- rlogind: Remote login server daemon
- telnetd: Telnet server daemon
- privrun: Invokes legacy application.[1]
- privedit: Allows authorized users to edit files.[1]
- roleadm: Edits role information.[1]
- authadm: Edits authorization information.[1]
- cmdprivadm: Edits command authorizations and privileges.[1]
Most self-auditing programs generate audit data
under a single event category. For example, the audsys command generates audit data under the admin event. Some commands generate audit data under multiple event categories.
For example, the init command generates data under
the login and admin events.