Auditable events

Access control events

The following events record actions related to file access, control, and creation. These events can be expected to occur during normal system operations; however, they may indicate a security problem if they occur in unusual patterns. For example, several changes of the access permissions to the same object may indicate that two processes are attempting to signal each other based on the accessibility of a file.

Note that much of the security of the system depends on proper use of the access control mechanisms. If access permissions are not set appropriately, it is possible for users to see data that they should not be allowed to view. It is a good idea to audit all events in this group to verify that the system's access permissions are always set appropriately.

Discretionary access control (DAC) events

The events listed in the following table record changes in the DAC permissions for objects (that is, file permissions). Access permissions are set by object owners at their discretion. The file_acl and ipc_acl events are recorded only on systems that have the Access Control List (ACL) Utilities installed.

Discretionary access control events

 Event         Description                          Manual page                                          Object audit
 dac_mode      change mode of an object             chmod(2), fchmod(2)                                  Y
 dac_own_grp   change owner or group of an object   chown(2), fchown(2), lchown(2), chgrp(1), chown(1)   Y
 file_acl      change file access control lists     acl(2)                                               Y
 ipc_acl       change IPC access control lists      aclipc(2)                                            Y

Mandatory access control (MAC) events

MAC events record changes to the MAC permissions for objects.


NOTE: MAC events are recorded only in log files generated on systems running UNIX System V Release 4.1 Enhanced Security, or UNIX System V Release 4.2MP, with the Enhanced Security Utilities installed. Unless you are processing a log file from a system running one of these releases, you will not see these events.

Directory and file access events

Directory and file access events are part of the normal activity of a system. However, these events may indicate problems if they occur in unusual patterns. For example, it is possible for two processes to signal each other based on the accessibility of a file; such signals can be used to pass data between the processes in violation of access control permissions. In this case, a process would generate an unusual number of access events for the same object, and the outcomes of those events would alternate between success and failure.
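The two signalling patterns described on this page (repeated permission changes to one object, and a run of access events on one object whose outcomes alternate between success and failure) can be checked for mechanically once the audit records are reduced to events per process and object. The script below is an added example written for this page, not part of the UnixWare documentation or of any SCO tool, and it does not use the real UnixWare audit log format: the one-line-per-record layout (`<seq> <pid> <event> <object> <outcome>`), the process ids, pathnames and thresholds are all constructed for the illustration. Only the event names (`access`, `dac_mode`, `dac_own_grp`, `file_acl`, `ipc_acl`) come from the tables on this page.

```python
"""Flag the file-accessibility signalling patterns in a set of audit records.

Record format used here is CONSTRUCTED for this example (it is not the
UnixWare audit log format):  <seq> <pid> <event> <object> <outcome>
where <outcome> is S (the call succeeded) or F (the call failed).
"""
from collections import defaultdict

# Constructed sample records (not real audit output).  Process 2002 toggles
# the mode of /tmp/signal while process 2001 repeatedly tests whether it can
# access the file; the other records are ordinary, unremarkable activity.
SAMPLE_LOG = """\
1 2001 access /tmp/signal S
2 2002 dac_mode /tmp/signal S
3 2001 access /tmp/signal F
4 2002 dac_mode /tmp/signal S
5 2001 access /tmp/signal S
6 2002 dac_mode /tmp/signal S
7 2001 access /tmp/signal F
8 2002 dac_mode /tmp/signal S
9 2001 access /tmp/signal S
10 3010 open_rd /etc/passwd S
11 3010 status /etc/passwd S
12 3011 access /home/alice/notes S
13 3011 open_rd /home/alice/notes S
"""

# DAC events from the "Discretionary access control events" table.
DAC_EVENTS = {"dac_mode", "dac_own_grp", "file_acl", "ipc_acl"}


def parse_records(text):
    """Turn the constructed record lines into dicts, in log order."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        seq, pid, event, obj, outcome = line.split()
        records.append({"seq": int(seq), "pid": int(pid), "event": event,
                        "object": obj, "success": outcome == "S"})
    return records


def alternates(outcomes):
    """True when every consecutive pair of outcomes differs (S,F,S,F,...)."""
    return all(a != b for a, b in zip(outcomes, outcomes[1:]))


def find_access_signalling(records, min_events=4):
    """(pid, object) pairs with many access events whose outcomes alternate."""
    by_key = defaultdict(list)
    for r in records:
        if r["event"] == "access":
            by_key[(r["pid"], r["object"])].append(r["success"])
    return sorted(key for key, outcomes in by_key.items()
                  if len(outcomes) >= min_events and alternates(outcomes))


def find_repeated_dac_changes(records, min_changes=3):
    """Objects whose permissions were successfully changed repeatedly."""
    counts = defaultdict(int)
    for r in records:
        if r["event"] in DAC_EVENTS and r["success"]:
            counts[r["object"]] += 1
    return sorted((obj, n) for obj, n in counts.items() if n >= min_changes)


def analyse(text):
    """Run both checks over a block of records and return the findings."""
    records = parse_records(text)
    return {
        "access_signalling": find_access_signalling(records),
        "repeated_dac_changes": find_repeated_dac_changes(records),
    }


if __name__ == "__main__":
    for finding, hits in analyse(SAMPLE_LOG).items():
        print(finding, hits)
```

The thresholds (`min_events`, `min_changes`) are constructed starting points; on a real system they should be tuned against a baseline of normal activity, since a single process legitimately probing a file a few times, or an administrator adjusting permissions several times while setting up a service, will otherwise produce noise. Note also that the access check keys on the process id while the DAC check keys on the object alone, because the page describes one process doing the probing and a different one doing the signalling.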

Directory and file access events

 Event       Description                                 Manual page          Object audit
 access      determine accessibility of a file           access(2)            Y
 chg_times   change file access and modification times   utime(2)             Y
 open_rd     open an object for reading                  open(2)              Y
 open_wr     open an object for writing                  open(2)              Y
 recvfd      receive file descriptor                     NA                   Y
 status      get file status                             stat(2), fstat(2)    Y

Directory and file creation events

Directory and file creation events are part of the normal activity of a system. However, these events may indicate problems if they occur in unusual patterns.


NOTE: The creation of multilevel directories event (mk_mld) is not shown. This event is recorded only on systems running UNIX System V Release 4.1 Enhanced Security, or UNIX System V Release 4.2MP, with the Enhanced Security Utilities installed. Unless you are processing a log file from a system running one of these releases, you will not see this event.

Directory and file creation events

 Event    Description                      Manual page   Object audit
 create   create a new filesystem object   creat(2)      Y
 link     create a link to an object       link(2)       Y
 mk_dir   make a directory                 mkdir(2)      Y
 rm_dir   remove a directory               rmdir(2)      Y
 unlink   unlink an object                 unlink(2)     Y

Symbolic link events

The following events record actions that involve symbolic links. Symbolic links are inodes that contain the pathname of another filesystem object. References to the symbolic link become references to the named object. Symbolic links can be used to create links between objects that span filesystems.

Symbolic link events

 Event        Description                   Manual page   Object audit
 sym_create   create a symbolic link        symlink(2)    Y
 sym_status   get status of symbolic link   lstat(2)      Y

Change of path events

The following events record actions that involve path changes.

Path change events

 Event      Description                Manual page   Object audit
 chg_dir    change working directory   chdir(2)      Y
                                       fchdir(2)
 chg_root   change root directory      chroot(2)     Y
 chg_nm     change filename            rename(2)     Y

© 1999 The Santa Cruz Operation, Inc. All rights reserved.
UnixWare 7 Release 7.1.1 - 5 November 1999