Auditable events

System administration events

The following events are triggered by commands or system calls that require privileges and are usually executed only by administrators.

Privileged events

The events represented here are triggered by commands or system calls that administrators use in the normal course of daily operations. These events require privilege, and therefore should only be executed by administrators. In particular, frequent or unusual appearances of the pm_denied event, which indicates a failed operation due to lack of required privilege, could indicate an attempt to subvert system security.

Privileged events

 --------------------------------------------------------------------------------
| Event     | Description                         | Manual page  | Object audit |
|-----------|-------------------------------------|--------------|--------------|
| acct_off  | disable accounting                  | acct(2)      | N            |
|-----------|-------------------------------------|--------------|--------------|
| acct_on   | enable accounting                   | acct(2)      | N            |
|-----------|-------------------------------------|--------------|--------------|
| acct_sw   | switch accounting files             | acct(2)      | N            |
|-----------|-------------------------------------|--------------|--------------|
| file_priv | change privileges on a file         | filepriv(2)  | Y            |
|-----------|-------------------------------------|--------------|--------------|
| lp_admin  | administrative use of lp system     | lpadmin(1M)  | N            |
|-----------|-------------------------------------|--------------|--------------|
| mk_node   | make a special file                 | mknod(2)     | Y            |
|-----------|-------------------------------------|--------------|--------------|
| mount     | mount a device or filesystem        | mount(2)     | Y            |
|-----------|-------------------------------------|--------------|--------------|
| pm_denied | failed use of privilege             | NA           | N            |
|-----------|-------------------------------------|--------------|--------------|
| sched_lk  | lock a process into memory          | plock(2)     | N            |
|           |                                     | memcntl(2)   |              |
|-----------|-------------------------------------|--------------|--------------|
| sched_rt  | real time scheduler operations      | priocntl(2)  | N            |
|-----------|-------------------------------------|--------------|--------------|
| sched_fp  | fixed priority scheduler operations | priocntl(2)  | N            |
|-----------|-------------------------------------|--------------|--------------|
| sched_fc  | fixed class scheduler operations    | priocntl(2)  | N            |
|-----------|-------------------------------------|--------------|--------------|
| sched_ts  | time-sharing scheduler operations   | priocntl(2)  | N            |
|-----------|-------------------------------------|--------------|--------------|
| setrlimit | set resource limits                 | setrlimit(2) | N            |
|-----------|-------------------------------------|--------------|--------------|
| tfadmin   | administrative command              | tfadmin(1M)  | N            |
|-----------|-------------------------------------|--------------|--------------|
| ulimit    | resource limits                     | ulimit(2)    | N            |
|-----------|-------------------------------------|--------------|--------------|
| umount    | unmount a device or filesystem      | umount(2)    | Y            |
|-----------|-------------------------------------|--------------|--------------|
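As an added example (not part of the UnixWare documentation), the following Python script applies the guidance above to a batch of audit records: it counts pm_denied events per user and flags any privileged event from the table raised by someone other than an administrator, naming the object when the event's Object audit column is Y. The record layout and the sample lines are constructed assumptions, not the system's own audit report format.

```python
# Added example, not from the UnixWare documentation. Record layout is an
# assumption: one event per line, "<date> <time> <user> <event> <outcome>
# [object]"; real auditrpt(1M) output differs, so adapt parse_record() to it.
from collections import Counter

# Privileged events from the table, keyed to their "Object audit" flag.
OBJECT_AUDITED = {
    "acct_off": False, "acct_on": False, "acct_sw": False, "file_priv": True,
    "lp_admin": False, "mk_node": True, "mount": True, "pm_denied": False,
    "sched_lk": False, "sched_rt": False, "sched_fp": False, "sched_fc": False,
    "sched_ts": False, "setrlimit": False, "tfadmin": False, "ulimit": False,
    "umount": True,
}

# Constructed sample records, not real audit output.
SAMPLE_LOG = """\
19991105 08:01:12 root mount success /dev/dsk/c0b0t0d0s4
19991105 09:14:05 carol pm_denied failure
19991105 09:14:07 carol pm_denied failure
19991105 09:14:09 carol pm_denied failure
19991105 09:14:11 carol pm_denied failure
19991105 10:30:00 dave mk_node success /dev/fake0
19991105 11:00:00 root umount success /dev/dsk/c0b0t0d0s4
"""

def parse_record(line):
    """Split one assumed-format record into a dict, or None if malformed."""
    f = line.split()
    if len(f) < 5:
        return None
    return {"user": f[2], "event": f[3], "outcome": f[4],
            "object": f[5] if len(f) > 5 else None}

def review(log_text, threshold=3, admins=("root",)):
    """Return (pm_denied count per user, findings): users at or above
    `threshold` pm_denied events, and privileged events raised by non-admins."""
    denied, findings = Counter(), []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["event"] not in OBJECT_AUDITED:
            continue  # not one of the privileged events above
        if rec["event"] == "pm_denied":
            denied[rec["user"]] += 1
        elif rec["user"] not in admins:
            where = f" on {rec['object']}" if OBJECT_AUDITED[rec["event"]] else ""
            findings.append(f"{rec['user']}: unprivileged {rec['event']}{where}")
    for user, n in denied.items():
        if n >= threshold:
            findings.append(f"{user}: {n} pm_denied events (repeated failed privilege use)")
    return denied, findings
```

Administrators' own use of mount and umount produces no finding; only the repeated pm_denied burst and the non-administrator mk_node call are reported.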

MAC administration events

MAC administration events are triggered by commands used to control and display information about security levels attached to devices. These commands are used in the administration of devices and filesystems, so such events are not listed in "Mandatory access control (MAC) events".

In general, only the administrators of a system can execute commands that trigger MAC administration events. Administrators are trusted users; therefore, the presence of these events in the log file does not usually indicate security problems. Unprivileged use of commands that generate these events may indicate an attempt to tamper with the system configuration, a serious breach of security.


NOTE: MAC events are recorded only in log files generated on systems running UNIX System V Release 4.1 Enhanced Security, or UNIX System V Release 4.2MP, with the Enhanced Security Utilities installed. Unless you are processing a log file from a system running one of these releases, you will not see these events.


© 1999 The Santa Cruz Operation, Inc. All rights reserved.
UnixWare 7 Release 7.1.1 - 5 November 1999