Fixed events

Fixed events are always audited when auditing is enabled and cannot be altered. Therefore, when auditing is enabled, the system-wide event mask will always contain the fixed events. The fixed events, which are intentionally limited to a subset of all auditable events, include

• all actions relating to the audit subsystem itself

• all attempts to change the system date

• all actions relating to group and user attributes

• all definitions and deletions of MAC level names and LIDs on systems that have the Enhanced Security Utilities installed

  ---

  NOTE: MAC and LID events are recorded only in log files generated on systems running UNIX System V Release 4.1 Enhanced Security, or UNIX System V Release 4.2MP, with the Enhanced Security Utilities installed. Unless you are processing a log file from a system running one of these releases, you will not see these events.

  ---

• changes of init states

For each event, the following table lists the event, a brief description of the event, the name of the command or system call that triggers the event, and an indication if the event may be used for object level auditing.

Fixed events

Event	Description	Manual page	Object audit
add_grp	adding groups	groupadd(1M)	N
add_usr	adding user attributes	useradd(1M)	N
add_usr_grp	adding group members	useradd(1M), usermod(1M)	N
audit_buf	set audit buffer attributes	auditbuf(2)	N
audit_ctl	enable or disable auditing	auditoff(1M), auditon(1M), auditctl(2)	N
audit_dmp	auditdmp failures	auditdmp(2)	N
audit_evt	set auditable events	auditset(1M), auditevt(2)	N
audit_log	set log file attributes	auditlog(1M), auditlog(2)	N
audit_map	create audit map file	auditmap(1M)	N
date	change the date	adjtime(2), stime(2), settimeofday(2)	N
init	change of init state	init(1M)	N
mod_grp	change group information	groupmod(1M)	N
mod_usr	change user information	usermod(1M)	N

 -------------------------------------------------------------------------
| Event      | Description                | Manual page    | Object audit|
|------------|----------------------------|----------------|-------------|
| add_grp    | adding groups              | groupadd(1M)   | N           |
|------------|----------------------------|----------------|-------------|
| add_usr    | adding user attributes     | useradd(1M)    | N           |
|------------|----------------------------|----------------|-------------|
| add_usr_grp| adding group members       | useradd(1M)    | N           |
|            |                            | usermod(1M)    |             |
|------------|----------------------------|----------------|-------------|
| audit_buf  | set audit buffer attributes| auditbuf(2)    | N           |
|------------|----------------------------|----------------|-------------|
| audit_ctl  | enable or disable auditing | auditoff(1M)   | N           |
|            |                            | auditon(1M)    |             |
|            |                            | auditctl(2)    |             |
|------------|----------------------------|----------------|-------------|
| audit_dmp  | auditdmp failures          | auditdmp(2)    | N           |
|------------|----------------------------|----------------|-------------|
| audit_evt  | set auditable events       | auditset(1M)   | N           |
|            |                            | auditevt(2)    |             |
|------------|----------------------------|----------------|-------------|
| audit_log  | set log file attributes    | auditlog(1M)   | N           |
|            |                            | auditlog(2)    |             |
|------------|----------------------------|----------------|-------------|
| audit_map  | create audit map file      | auditmap(1M)   | N           |
|------------|----------------------------|----------------|-------------|
| date       | change the date            | adjtime(2)     | N           |
|            |                            | stime(2)       |             |
|            |                            | settimeofday(2)|             |
|------------|----------------------------|----------------|-------------|
| init       | change of init state       | init(1M)       | N           |
|------------|----------------------------|----------------|-------------|
| mod_grp    | change group information   | groupmod(1M)   | N           |
|------------|----------------------------|----------------|-------------|
| mod_usr    | change user information    | usermod(1M)    | N           |
|------------|----------------------------|----------------|-------------|

The audit_buf, audit_ctl, audit_dmp, audit_evt, audit_log, and audit_map events are recorded to ensure that you can always verify the state of the auditing subsystem and the correctness of the log file. The date of an event is an important part of the audit record. Therefore, all changes to the system date (the date event) are recorded to ensure the integrity of the audit records. The add_grp, add_usr, add_usr_grp, mod_grp, and mod_usr events are recorded to ensure that you can always verify the accuracy of the user and group attributes recorded in the audit event log file.

If any of the user or group information changes on the system, the auditor should execute the auditmap command to create new audit map files. However, please note that any modification to the audit map files may result in failure to translate previously recorded audit data. Therefore, you should complete processing of previously recorded data before altering the audit map files.

An audit record generated by a fixed event will always contain the ``common'' data. Fixed events do not involve objects; therefore, no ``object'' data is recorded. auditrpt(1M) contains a description of the ``unique'' data recorded for each fixed event.