Open System Services Programmer's Guide

ManualsBrandsHP ManualsServerHP NonStop G-Series

251

252

253

254

255

256

257

258

259

260

Table 37 OSS Function Calls Audited When Used With Audited Filesets (continued)

Attributes or Actions AuditedOSS Function

The process name and the value of the OSS user ID and group ID.tdm_execve()

Use on files in the /G directory is also audited.

tdm_execvpe()

The process name and the value of the OSS user ID and group ID.tdm_fork()

The process name and the value of the OSS user ID and group ID.tdm_spawn()

Use on files in the /G directory is also audited.

tdm_spawnp()

For a link count of zero, the value of the file mode, the OSS user ID, the group ID, the

mtime, ctime, size, and rdev.

unlink()

For a link count that is not zero, the value of the link count after the call .

The values of mtime, atime, and ctime before and after the call.utime()

Use on files in the /G directory is also audited.

Table 38 Guardian Procedure Calls Audited When Used With Audited Filesets

Attributes or Actions AuditedProcedure Call

Resolution of a supplied pathname to a regular file in an audited fileset; use of an internal

OSS filename; all Guardian file audit attributes.

FILE_OPEN_

SPT_FILE_OPEN

Resolution of a supplied pathname to a regular file in an audited fileset; use of an internal

OSS filename; all Guardian file audit attributes.

PROCESS_SPAWN_

Table 39 Guardian Procedure Calls Audited When Used for Process Control

Attributes or Actions AuditedProcedure Call

The value of the open flags and the value of the file mode before and after the callFILE_OPEN_

SPT_FILE_OPEN

The process name and the value of the OSS user ID and group IDPROCESS_SPAWN_

Considerations for File Auditing

The /G and/E directories and Network file System (NFS) filesets cannot be audited. Audited filesets

cannot be mounted for NFS client use. By default, Restricted-access filesets are audited.

Prior to the J06.15 and H06.26 RVUs:

• OSS sockets function calls such as connect() are not audited.

• The chdir() and chroot() function calls are not audited. The method used to audit

pathnames uses absolute names from the system root directory, so these functions do not

require auditing.

Beginning with the J06.15 and H06.26 RVUs:

• The connect() function is audited for file operations in OSS SEEP-protected filesets.

• The chdir() and chroot() functions are audited for file operations in OSS SEEP-protected

filesets.

For those file operations that involve OSS SEEP consultation, the audit record is generated with

the final ruling after the OSS SEEP consultation. (For a list of all OSS SEEP operations, see “OSS

SEEP System and Library Calls” (page 276).)

The pipe() function call is not audited because its effects are transitory.

When a directory that is a component of one or more fileset mount point pathnames is renamed,

that renaming must be propagated to all of the affected filesets. This propagation is not part of the

Security Auditing of OSS files 255