Auditable events

Access control events

The following events record actions related to file access, control, and creation. These events can be expected to occur during normal system operations; however, they may indicate a security problem if they occur in unusual patterns. For example, several changes to the access permissions of the same object may indicate that two processes are attempting to signal each other based on the accessibility of a file.

Note that much of the security of the system depends on proper use of the access control mechanisms. If access permissions are not set appropriately, it is possible for users to see data that they should not be allowed to view. It is a good idea to audit all events in this group to verify that the system's access permissions are always set appropriately.

Discretionary access control (DAC) events

The events listed in the following table record changes in the DAC permissions for objects (that is, file permissions). Access permissions are set by object owners at their discretion. The file_acl and ipc_acl events are recorded only on systems that have the Access Control List (ACL) Utilities installed.

Discretionary access control events

| Event | Description | Manual page | Object audit |
|---|---|---|---|
| dac_mode | change mode of an object | chmod(2), fchmod(S) | Y |
| dac_own_grp | change owner or group of an object | chown(2), fchown(S), lchown(S), chgrp(1), chown(1) | Y |
| fd_acl | change file access control lists via file descriptor | facl(S) | Y |
| file_acl | change file access control lists via pathname | acl(S) | Y |
| ipc_acl | change IPC access control lists | aclipc(S) | Y |

Directory and file access events

The occurrence of directory and file access events is part of the normal activity of a system. However, these events may indicate problems if they occur in unusual patterns. For example, it is possible for two processes to signal each other, based on the accessibility of a file. These signals are used to pass data between the processes in violation of access control permissions. In this case, a process would have an unusual number of access events for the same object, and the events would alternate between success and failure.

Directory and file access events

| Event | Description | Manual page | Object audit |
|---|---|---|---|
| access | determine accessibility of a file | access(S) | Y |
| chg_times | change file access and modification times | utime(S) | Y |
| open_rd | open an object for reading | open(S) | Y |
| open_wr | open an object for writing | open(S) | Y |
| recvfd | receive file descriptor | NA | Y |
| status | get file status | stat(2), fstat(S) | Y |
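The pattern described above (one process generating many access events on the same object, with outcomes alternating between success and failure) can be checked mechanically over exported audit records. The following Python code is an added example, not part of the original documentation: the record layout, the function name `find_alternating_access` and the thresholds are assumptions, and it also counts dac_mode changes on the flagged object.

```python
from collections import defaultdict

# Event names taken from the tables on this page.
ACCESS_EVENTS = {"access", "open_rd", "open_wr", "status"}

# Constructed records: "sequence pid event object outcome". This layout is an
# assumption for the example, not the format of the system's audit trail.
SAMPLE_LOG = """\
1 400 dac_mode /tmp/flag success
2 412 access /tmp/flag success
3 400 dac_mode /tmp/flag success
4 412 access /tmp/flag failure
5 388 open_rd /etc/motd success
6 400 dac_mode /tmp/flag success
7 412 access /tmp/flag success
8 388 open_rd /etc/motd success
9 400 dac_mode /tmp/flag success
10 412 access /tmp/flag failure
11 388 status /etc/motd success
12 400 dac_mode /tmp/flag success
13 412 access /tmp/flag success
14 388 open_rd /etc/motd success
15 400 dac_mode /tmp/flag success
16 412 access /tmp/flag failure
17 388 open_rd /etc/motd success
18 388 status /etc/motd success
"""

def find_alternating_access(log, min_events=6, min_flip_ratio=0.6):
    """Flag (pid, object) pairs whose access outcomes keep flipping.
    The default thresholds are illustrative; tune them to normal activity."""
    outcomes = defaultdict(list)     # (pid, object) -> [True/False, ...]
    dac_changes = defaultdict(int)   # object -> number of dac_mode events
    rows = [line.split() for line in log.splitlines() if line.strip()]
    for _seq, pid, event, obj, outcome in sorted(rows, key=lambda r: int(r[0])):
        if event in ACCESS_EVENTS:
            outcomes[(int(pid), obj)].append(outcome == "success")
        elif event == "dac_mode":
            dac_changes[obj] += 1
    findings = []
    for (pid, obj), seen in outcomes.items():
        flips = sum(a != b for a, b in zip(seen, seen[1:]))
        if len(seen) >= max(min_events, 2) and flips / (len(seen) - 1) >= min_flip_ratio:
            findings.append({"pid": pid, "object": obj, "events": len(seen),
                             "flips": flips, "dac_changes": dac_changes[obj]})
    return findings

if __name__ == "__main__":
    for finding in find_alternating_access(SAMPLE_LOG):
        print(finding)
```

Process 388 in the constructed sample has as many access events as process 412 but no outcome flips, so only 412 is reported.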

Directory and file creation events

The occurrence of directory and file creation events is part of the normal activity of a system. However, these events may indicate problems if they occur in unusual patterns.

Directory and file creation events

| Event | Description | Manual page | Object audit |
|---|---|---|---|
| create | create a new filesystem object | creat(S) | Y |
| link | create a link to an object | link(S) | Y |
| mk_dir | make a directory | mkdir(S) | Y |
| rm_dir | remove a directory | rmdir(S) | Y |
| unlink | unlink an object | unlink(S) | Y |

Symbolic link events

The following events record actions that involve symbolic links. Symbolic links are inodes that contain the pathname of another filesystem object. References to the symbolic link become references to the named object. Symbolic links can be used to create links between objects that span filesystems.

Symbolic link events

| Event | Description | Manual page | Object audit |
|---|---|---|---|
| sym_create | create a symbolic link | symlink(S) | Y |
| sym_status | get status of symbolic link | lstat(S) | Y |

Change of path events

The following events record actions that involve path changes.

Path change events

| Event | Description | Manual page | Object audit |
|---|---|---|---|
| chg_dir | change working directory | chdir(2), fchdir(S) | Y |
| chg_root | change root directory | chroot(S) | Y |
| chg_nm | change filename | rename(S) | Y |



© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005