Fixed events are always audited when auditing is enabled and cannot be altered. Therefore, when auditing is enabled, the system-wide event mask will always contain the fixed events. The fixed events, which are intentionally limited to a subset of all auditable events, include
For each event, the following table lists the event, a brief description of the event, the name of the command or system call that triggers the event, and an indication if the event may be used for object level auditing.
|Event||Description||Manual page||Object audit|
|add_usr||adding user attributes||useradd(ADM)||N|
|add_usr_grp||adding group members||useradd(ADM), usermod(ADM)||N|
|audit_buf||set audit buffer attributes||auditbuf(S)||N|
|audit_ctl||enable or disable auditing||auditoff(ADM), auditon(ADM), auditctl(S)||N|
|audit_evt||set auditable events||auditset(ADM), auditevt(S)||N|
|audit_log||set log file attributes||auditlog(ADM), auditlog(S)||N|
|audit_map||create audit map file||auditmap(ADM)||N|
|date||change the date||adjtime(2), stime(2), settimeofday(S)||N|
|init||change of init state||init(ADM)||N|
|mod_grp||change group information||groupmod(ADM)||N|
|mod_usr||change user information||usermod(ADM)||N|
The audit_buf, audit_ctl, audit_dmp, audit_evt, audit_log, and audit_map events are recorded to ensure that you can always verify the state of the auditing subsystem and the correctness of the log file. The date of an event is an important part of the audit record. Therefore, all changes to the system date (the date event) are recorded to ensure the integrity of the audit records. The add_grp, add_usr, add_usr_grp, mod_grp, and mod_usr events are recorded to ensure that you can always verify the accuracy of the user and group attributes recorded in the audit event log file.
If any of the user or group information changes on the system, the auditor should execute the auditmap command to create new audit map files. However, please note that any modification to the audit map files may result in failure to translate previously recorded audit data. Therefore, you should complete processing of previously recorded data before altering the audit map files.
An audit record generated by a fixed event will always contain the ``common'' data. Fixed events do not involve objects; therefore, no ``object'' data is recorded. auditrpt(ADM) contains a description of the ``unique'' data recorded for each fixed event.