Auditable events

Fixed events

Fixed events are always audited when auditing is enabled and cannot be altered. Therefore, when auditing is enabled, the system-wide event mask will always contain the fixed events. The fixed events, which are intentionally limited to a subset of all auditable events, include

all actions relating to the audit subsystem itself
all attempts to change the system date
all actions relating to group and user attributes
changes of init states

The fixed events represent actions that must be recorded to ensure the integrity and accuracy of the data in the audit event log file. Recording only the fixed events will not give you a complete record of all actions that affect system security.

For each event, the following table lists the event, a brief description of the event, the name of the command or system call that triggers the event, and an indication if the event may be used for object level auditing.

Fixed events

Event Description Manual page Object audit

add_grp adding groups groupadd(ADM) N

add_usr adding user attributes useradd(ADM) N

add_usr_grp adding group members useradd(ADM), usermod(ADM) N

audit_buf set audit buffer attributes auditbuf(S) N

audit_ctl enable or disable auditing auditoff(ADM), auditon(ADM), auditctl(S) N

audit_dmp auditdmp failures auditdmp(S) N

audit_evt set auditable events auditset(ADM), auditevt(S) N

audit_log set log file attributes auditlog(ADM), auditlog(S) N

audit_map create audit map file auditmap(ADM) N

date change the date adjtime(2), stime(2), settimeofday(S) N

init change of init state init(ADM) N

mod_grp change group information groupmod(ADM) N

mod_usr change user information usermod(ADM) N

Event	Description	Manual page	Object audit
add_grp	adding groups	groupadd(ADM)	N
add_usr	adding user attributes	useradd(ADM)	N
add_usr_grp	adding group members	useradd(ADM), usermod(ADM)	N
audit_buf	set audit buffer attributes	auditbuf(S)	N
audit_ctl	enable or disable auditing	auditoff(ADM), auditon(ADM), auditctl(S)	N
audit_dmp	auditdmp failures	auditdmp(S)	N
audit_evt	set auditable events	auditset(ADM), auditevt(S)	N
audit_log	set log file attributes	auditlog(ADM), auditlog(S)	N
audit_map	create audit map file	auditmap(ADM)	N
date	change the date	adjtime(2), stime(2), settimeofday(S)	N
init	change of init state	init(ADM)	N
mod_grp	change group information	groupmod(ADM)	N
mod_usr	change user information	usermod(ADM)	N

The audit_buf, audit_ctl, audit_dmp, audit_evt, audit_log, and audit_map events are recorded to ensure that you can always verify the state of the auditing subsystem and the correctness of the log file. The date of an event is an important part of the audit record. Therefore, all changes to the system date (the date event) are recorded to ensure the integrity of the audit records. The add_grp, add_usr, add_usr_grp, mod_grp, and mod_usr events are recorded to ensure that you can always verify the accuracy of the user and group attributes recorded in the audit event log file.

If any of the user or group information changes on the system, the auditor should execute the auditmap command to create new audit map files. However, please note that any modification to the audit map files may result in failure to translate previously recorded audit data. Therefore, you should complete processing of previously recorded data before altering the audit map files.

An audit record generated by a fixed event will always contain the ``common'' data. Fixed events do not involve objects; therefore, no ``object'' data is recorded. auditrpt(ADM) contains a description of the ``unique'' data recorded for each fixed event.