
audevent(1M)

HP-UX 11i Version 3: February 2007

NAME

audevent — change or display profile, event, or system call audit status

SYNOPSIS

audevent [-P | -p] [-F | -f] [-r profile] [-E] [-e event]... [-S] [-s syscall]...

audevent [-l]

DESCRIPTION

audevent changes or displays the auditing status of the given profile, event categories, or system calls. A list of pre-defined profiles, event categories, and system call names is given in /etc/audit/audit.conf. Any site-specific customizations must be added to /etc/audit/audit_site.conf. See audit.conf(4) for more details. A profile consists of a set of operations (event categories, self-auditing events, and system calls) that affect a particular type of system. An event category consists of a set of operations (self-auditing events and system calls) that affect a particular aspect of the system.

If neither -P, -p, -F, nor -f is specified, the current status of the selected profiles, event categories, or system calls is displayed.

If the -E option is supplied, it is redundant to use -e to specify particular events. This also applies in the same way to the -S and -s options. If no event category is specified, all event categories associated with the selected profile are selected. If no system call is specified, all system calls associated with the selected profile and event categories are selected. At most one profile may be selected.

audevent takes effect immediately. However, the events and system calls specified are audited only when called by a user currently being audited (see audit(5)).

If -l is specified, a list of valid profiles, event categories, and system calls is displayed. This option may be helpful when deciding which profile, event, or syscall to use with the -r, -e, or -s options respectively. The same information can also be found in /etc/audit/audit.conf (see audit.conf(4)).

  • Note: The set of audited system calls and corresponding audit events will change as HP-UX continues to evolve.

Only a privileged user can change or display audit status.

Options

audevent recognizes the following options and command-line arguments:

-P

Audit successful events or system calls.

-p

Do not audit successful events or system calls.

-F

Audit failed events or system calls.

-f

Do not audit failed events or system calls.

-r profile

Select profile to change or display.

-E

Select all events to change or display.

-e event

Select event to change or display. The event must be a valid event category (base event or event alias) that is defined in /etc/audit/audit.conf or /etc/audit/audit_site.conf.

-S

Select all system calls to change or display.

-s syscall

Select syscall to change or display. The syscall must be a valid system call name or system call alias name that is defined in /etc/audit/audit.conf or /etc/audit/audit_site.conf.

-l

Display a list of valid profiles, event categories, and system calls. This option must not be used with any other options.

The following is a list of the pre-defined event types or categories:

create

Object creation. For example: file creation, directory creation, and other object creation.

delete

Object deletion. For example: file deletion, directory deletion, and other object deletion.

readdac

Discretionary access control (DAC) information reading events.

moddac

DAC modification events.

modaccess

Non-DAC modification events.

open

Object opening. For example: file open and other object open.

close

Object closing. For example: file close and other object close.

process

Process operations.

removable

Removable media events. For example: mounting and unmounting events.

login

Login and logout events not related to any particular system call.

admin

All administrative and privileged events.

ipccreat

Interprocess Communication (IPC) object creation.

ipcopen

IPC object opening.

ipcclose

IPC object deletion.

ipcdgram

IPC Datagram transactions.

uevent1

User-defined event 1 (for self-auditing records).

uevent2

User-defined event 2 (for self-auditing records).

uevent3

User-defined event 3 (for self-auditing records).

EXAMPLES

Example 1: To display the list of valid profiles, event categories, and system calls as defined in file /etc/audit/audit.conf and /etc/audit/audit_site.conf, use:

# audevent -l

Example 2: To display the current audit event selection status, use:

# audevent

The selection status for self-auditing events will be listed first, followed by the selection status for system calls.

Example 3: To audit all of the events associated with the profile basic, and only those events, use:

# audevent -pfE; audevent -P -F -r basic

Example 4: To audit all bad login attempts, use:

# audevent -F -e login

Unless audevent -pfE is run first, this configuration is added incrementally to whatever has already been configured.

WARNINGS

All modifications made to the auditing system are lost upon reboot.

To make the changes permanent, set AUDEVENT_ARGS1, AUDEVENT_ARGS2, or AUDEVENT_ARGS3 in /etc/rc.config.d/auditing.
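
A mistyped argument string in one of these variables only shows up at the next boot. As an added example (not part of the HP manual or HP's startup script), the POSIX shell function below checks a candidate string against the option rules stated on this page. It assumes each AUDEVENT_ARGSn value is word-split and passed to audevent as its arguments; the function name and messages are hypothetical.

```sh
#!/bin/sh
# Added example (not HP code): lint an audevent argument string against the
# rules on this page before storing it in an AUDEVENT_ARGSn variable.
# Pre-defined event categories from this page; names defined only in
# /etc/audit/audit_site.conf can be passed as extra arguments.
PREDEFINED="create delete readdac moddac modaccess open close process \
removable login admin ipccreat ipcopen ipcclose ipcdgram uevent1 uevent2 uevent3"

fail() { echo "audevent args: $1" >&2; }

# check_audevent_args "<argument string>" [site-specific event ...]
# Returns 0 if the string obeys the rules, 1 otherwise (reason on stderr).
check_audevent_args() {
    args=$1; shift
    known=" $PREDEFINED $* "
    P=0 p=0 F=0 f=0 r=0 l=0 other=0
    set -f; set -- $args; set +f      # word-split without globbing
    OPTIND=1
    while getopts ":PpFfr:Ee:Ss:l" opt; do
        case $opt in
            P) P=1 ;;
            p) p=1 ;;
            F) F=1 ;;
            f) f=1 ;;
            r) r=$((r + 1)) ;;
            e) case $known in
                   *" $OPTARG "*) ;;
                   *) fail "unknown event category '$OPTARG'"; return 1 ;;
               esac ;;
            E|S|s) ;;                  # syscall names are not checked here
            l) l=1 ;;
            :) fail "option -$OPTARG needs a value"; return 1 ;;
            *) fail "invalid option -$OPTARG"; return 1 ;;
        esac
        [ "$opt" = l ] || other=1
    done
    shift $((OPTIND - 1))
    [ $# -eq 0 ] || { fail "unexpected operand '$1'"; return 1; }
    [ $((l + other)) -lt 2 ] || { fail "-l must be used alone"; return 1; }
    [ $((P + p)) -lt 2 ] || { fail "-P and -p are mutually exclusive"; return 1; }
    [ $((F + f)) -lt 2 ] || { fail "-F and -f are mutually exclusive"; return 1; }
    [ "$r" -le 1 ] || { fail "at most one profile (-r) may be selected"; return 1; }
    return 0
}

# The two commands of Example 3, checked as they would be stored.
for a in "-pfE" "-P -F -r basic"; do
    check_audevent_args "$a" && echo "ok: $a"
done
```

The check covers option syntax and the pre-defined event categories only; profile and system call names still need to be confirmed against audevent -l on the target system.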

AUTHOR

audevent was developed by HP.

FILES

/etc/audit/audit.conf

File containing event mapping information.

/etc/audit/audit_site.conf

File containing site-specific event mapping information.

© 1983-2007 Hewlett-Packard Development Company, L.P.