DOC HOME SITE MAP MAN PAGES GNU INFO SEARCH PRINT BOOK
 
Overview of the auditing subsystem

How auditing works

The auditing subsystem is an event-based system, in which data is recorded whenever an audited event occurs. An event represents a single action that may affect the security of the system. Events are triggered by either system calls or user-level commands. For auditable events triggered by system calls, the kernel writes the audit data in the format of an audit record. For auditable events triggered by user-level commands, the command invokes the audit system call, auditdmp(2), to record the audit record.

As the audit administrator, you select which events are to be audited. The selected events are recorded and maintained in data structures referred to as event masks. The following subsections explain the use of event masks and the kernel processing required to determine when an audit record is generated.


Next topic: Audit event masks
Previous topic: The purpose of auditing

© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005