The following events
record actions related to the control of processes in the operating system.
The majority of these events
can be expected to occur frequently during
normal use of the system.
Therefore, the presence of these events in the log file does not automatically
indicate a security problem.
However, malicious users may try to use the
setgid
or
setuid
system calls to read data that
they are not normally allowed to access.
You may want to audit the
set_gid
and
set_uid
events to ensure that these system calls are always being used
correctly.
Process control events
| Event | Description | Manual page | Object audit |
|---|---|---|---|
| exec | execute an object | exec(2) | N |
| exit | terminate a process | exit(2), _lwp_exit(2) | N |
| kill | post a signal | kill(2), _lwp_kill(2), sigsendset(2) | N |
| fork | create a new process | vfork(2), _lwp_create(2), fork(2), fork1(2), forkall(2) | N |
| set_gid | change group ID | setgid(2) | N |
| set_grps | set multiple groups | setgroups(2) | N |
| set_pgrps | set process groups | setpgrp(2) | N |
| set_sid | assign a session ID | setsid(2) | N |
| set_uid | change user ID | setuid(2) | N |