Administrator's Guide

events, and system calls) that affect a particular type of system. An event category consists
of a set of operations (self-auditing events and system calls) that affect a particular aspect
of the system. Once an event category or a profile is selected, all system calls and
self-auditing events associated with the event category or profile are selected. When the
auditing system is installed, a default set of event classification information is provided
in the /etc/audit/audit.conf file. Additional, site-specific classifications and profiles
may also be defined in the /etc/audit/audit_site.conf file.
NOTE: HP recommends that you audit the following event categories at a minimum:
    admin event
    login event
    moddac self-auditing event
    execv, execve
    pset event
These event categories are predefined as the basic profile in the /etc/audit/audit.conf file.
Configure the events you want to audit before you turn on the auditing system. The syntax
for the audevent command is as follows:
# audevent [options]
Changes made by running the audevent command take effect immediately.
The following options are commonly used with the audevent command:
Table 9-4 audevent Command Options

audevent options        Description
-e event                Specifies an event to log.
-F                      Logs unsuccessful event operations.
-l                      Displays a complete list of event categories and associated system calls.
-P                      Logs successful event operations.
-r profile              Specifies the profile of events to log. Profiles are defined in the /etc/audit/audit.conf file.
-S or -s system_call    Changes event or system call audit status.
no option               Displays the current status of the selected events or system calls.
To configure the admin, login, and modaccess event categories for auditing, enter
the following command:
# audevent -P -F -e admin -e login -e moddac
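The command above selects three categories; the following added example, which is not from the HP guide, builds the audevent invocation for the whole minimum set listed in the NOTE and prints it for review before it is applied. It assumes execv and execve are selected as system calls with -s; the function names and the DRY_RUN variable are hypothetical.

```sh
#!/bin/sh
# Added example (not from the HP guide). Uses only the audevent options
# listed in Table 9-4. Assumption: execv/execve are selected with -s.
# Function names and DRY_RUN are hypothetical.

MIN_EVENTS="admin login moddac pset"   # event categories from the NOTE
MIN_SYSCALLS="execv execve"            # system calls from the NOTE

# Accept only lowercase letters, digits and underscore in a name, so a
# malformed entry never reaches the audevent command line.
valid_name() {
    case "$1" in
        ''|*[!a-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the audevent command that logs both successful (-P) and
# unsuccessful (-F) operations for the given events and system calls.
build_audevent_cmd() {
    events=$1
    syscalls=$2
    cmd="audevent -P -F"
    for e in $events; do
        valid_name "$e" || { echo "bad event name: $e" >&2; return 1; }
        cmd="$cmd -e $e"
    done
    for s in $syscalls; do
        valid_name "$s" || { echo "bad system call name: $s" >&2; return 1; }
        cmd="$cmd -s $s"
    done
    echo "$cmd"
}

# Print the command (default), or run it when DRY_RUN=0 and audevent exists.
apply_min_audit() {
    cmd=$(build_audevent_cmd "$MIN_EVENTS" "$MIN_SYSCALLS") || return 1
    if [ "${DRY_RUN:-1}" = 1 ] || ! command -v audevent >/dev/null 2>&1; then
        echo "$cmd"
    else
        $cmd && audevent   # no option: display the resulting status
    fi
}

apply_min_audit
```

Run it with DRY_RUN=0 as root on the audited host, before the auditing system is turned on, to apply the selection and display the resulting status.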