audevent(1M) audevent(1M)
NAME [Toc] [Back]
audevent - change or display event or system call audit status
SYNOPSIS [Toc] [Back]
audevent [-P|-p] [-F|-f] [-E] [[-e event] ...] [-S] [[-s syscall] ...]
audevent [-l]
DESCRIPTION [Toc] [Back]
audevent changes or displays the auditing status of the given events
or system calls. The event is used to specify names associated with
certain self-auditing commands; syscall is used to select related
system calls.
If neither -P, -p, -F, nor -f is specified, the current status of the
selected events or system calls is displayed.
If the -E option is supplied, it is redundant to specify events with
the -e option. This also applies to the -S and -s options. If no
event is specified, all events are selected. If no system call is
specified, all system calls associated with the selected events are
selected.
audevent takes effect immediately. However, the events and system
calls specified are audited only when called by a user currently being
audited (see audusr(1M)).
If -l is specified, a list of valid events and their associated system
calls (if any) are displayed. This option may be helpful when
deciding which -e or -s options to use.
Note: The set of audited system calls and corresponding audit
events varies frequently as HP-UX evolves. The system call name
referred to by the auditing system usually matches the real
system call name, but with a few exceptions. Some important
known exceptions are provided in System Call Name Mapping
Execptions.
Only the super-user can change or display audit status.
Options [Toc] [Back]
audevent recognizes the following options and command-line arguments:
-P Audit successful events or system calls.
-p Do not audit successful events or system calls.
-F Audit failed events or system calls.
-f Do not audit failed events or system calls.
Hewlett-Packard Company - 1 - HP-UX 11i Version 2: August 2003
audevent(1M) audevent(1M)
-E Select all events for change or display.
-e event Select event for change or display.
-S Select all system calls for change or display.
-s syscall Select syscall for change or display.
-l Display a list of valid events and their
associated system calls. This option should not
be used with any other options.
The following is a list of the valid event types or categories:
create Object creation. For example, file creation,
directory creation, and other object creation.
delete Object deletion. For example, file deletion,
directory deletion, and other object deletion.
readdac Discretionary access control (DAC) information
reading events.
moddac DAC modification events.
modaccess Non-DAC modification events.
open Object opening. For example, file open and other
object open.
close Object closing. For example, file close and other
object close.
process Process operations.
removable Removable media events. For example, mounting
and unmounting events.
login Login and logout events not related to any
particular system call.
admin All administrative and privileged events.
ipccreat Interprocess Communication (IPC) object creation.
ipcopen IPC object opening.
ipcclose IPC object deletion.
ipcdgram IPC Datagram transactions.
Hewlett-Packard Company - 2 - HP-UX 11i Version 2: August 2003
audevent(1M) audevent(1M)
uevent1 User-defined event 1 (for self-auditing records).
uevent2 User-defined event 2 (for self-auditing records).
uevent3 User-defined event 3 (for self-auditing records).
System Call Name Mapping Exceptions [Toc] [Back]
The following are some important known system call name mapping
exceptions:
sem_open() is referred to as ksem_open().
sem_unlink() is referred to as ksem_unlink().
sem_close() is referred to as ksem_close().
gethostname(), sethostname(), uname(), ustat(), setuname() are
all referred to as utssys() by the auditing
system.
WARNINGS [Toc] [Back]
All modifications made to the auditing system are lost upon reboot.
To make the changes permanent, set AUDEVENT_ARGS1, AUDEVENT_ARGS2, or
AUDEVENT_ARGS3 in /etc/rc.config.d/auditing.
AUTHOR [Toc] [Back]
audevent was developed by HP.
SEE ALSO [Toc] [Back]
audisp(1M), audomon(1M), audsys(1M), audusr(1M), getevent(2),
setevent(2), audit(4), audit(5).
Hewlett-Packard Company - 3 - HP-UX 11i Version 2: August 2003 [ Back ] |