Auditable events

User authentication events

All of the following events provide valuable information about the users on your system. The bad_auth event records all attempts to log in that fail because of an invalid password or logname. A high number of such failures may indicate that someone who does not know a valid logname or password is trying to log in. It is especially important to audit this event if you have dial-up terminal ports on your system. If you choose to audit the bad_auth event, it must be set in the system-wide event mask, not in a specific user event mask. The event records failed login attempts, and a user event mask takes effect only once a user has successfully logged on.


NOTE: The bad_lvl and def_lvl events are recorded only in log files generated on systems running UNIX System V Release 4.1 Enhanced Security, or UNIX System V Release 4.2MP, with the Enhanced Security Utilities installed. Unless you are processing a log file from a system running one of these releases, you will not see these events.

User authentication events

 Event      Description                     Manual page   Object audit
 bad_auth   bad logname/password            login(1)      N
 bad_lvl    bad login level                 login(1)      N
 cron       cron job                        cron(1M)      N
 def_lvl    change a user's default level   login(1)      N
 login      use a login schema              login(1)      N
 logoff     terminate a login session       NA            N
 passwd     change password                 passwd(1)     N
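
The following is an added example, not part of the original documentation: it shows one way to spot the "high number of such failures" described above by counting bad_auth events per terminal inside a sliding time window. The pipe-delimited record layout, the sample records, the threshold and the window are all assumptions constructed for this example and do not reproduce the audit report format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: time|event|terminal|logname|outcome.
# This layout is an assumption for the example, not real audit report output.
SAMPLE = """\
1999-11-05 02:10:01|bad_auth|/dev/term/00|root|f
1999-11-05 02:10:09|bad_auth|/dev/term/00|admin|f
1999-11-05 02:10:20|bad_auth|/dev/term/00|rooot|f
1999-11-05 02:10:31|bad_auth|/dev/term/00|guest|f
1999-11-05 02:10:40|login|/dev/term/00|guest|s
1999-11-05 08:59:12|bad_auth|/dev/pts/3|alice|f
1999-11-05 09:00:02|login|/dev/pts/3|alice|s
1999-11-05 09:30:00|bad_auth|/dev/pts/3|alice|f
"""

def parse(text):
    """Yield (timestamp, event, terminal, logname) from the constructed layout."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, term, logname, _outcome = line.split("|")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event, term, logname

def bad_auth_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Report terminals with >= threshold bad_auth events inside the window.

    Keyed by terminal, not logname: the logname in a bad_auth record may
    itself be invalid, so it identifies no real account.
    """
    recent = defaultdict(deque)   # terminal -> (timestamp, logname) in window
    alerts = {}                   # terminal -> summary of the largest burst
    for ts, event, term, logname in records:
        if event != "bad_auth":
            continue
        q = recent[term]
        q.append((ts, logname))
        while ts - q[0][0] > window:          # drop entries older than window
            q.popleft()
        if len(q) >= threshold and len(q) > alerts.get(term, {}).get("count", 0):
            alerts[term] = {"count": len(q), "first": q[0][0], "last": ts,
                            "lognames": sorted({n for _, n in q})}
    return alerts

if __name__ == "__main__":
    for term, a in bad_auth_bursts(parse(SAMPLE)).items():
        print(term, a["count"], "failures", a["first"], "to", a["last"], a["lognames"])
```

Grouping by terminal keeps a run of guesses against different lognames on one dial-up port visible as a single burst, while an occasional mistyped password on another terminal stays below the threshold.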

© 1999 The Santa Cruz Operation, Inc. All rights reserved.
UnixWare 7 Release 7.1.1 - 5 November 1999