|
|
The following events are triggered by commands or system calls that require privileges and are usually executed only by administrators.
The events represented here are triggered by commands or system calls that administrators use in the normal course of daily operations. These events require privilege, and therefore should only be executed by administrators. In particular, frequent or unusual appearances of the pm_denied event, which indicates a failed operation due to lack of required privilege, could indicate an attempt to subvert system security.
Privileged events
| Event | Description | Manual page | Object audit |
|---|---|---|---|
| acct_off | disable accounting | acct(S) | N |
| acct_on | enable accounting | acct(S) | N |
| acct_sw | switch accounting files | acct(S) | N |
| file_priv | change privileges on a file | filepriv(S) | Y |
| lp_admin | administrative use of lp system | lpadmin(ADM) | N |
| mk_node | make a special file | mknod(S) | Y |
| mount | mount a device or filesystem | mount(S) | Y |
| pm_denied | failed use of privilege | NA | N |
| sched_lk | lock a process into memory | plock(2), memcntl(S) | N |
| sched_rt | real time scheduler operations | priocntl(S) | N |
| sched_fp | fixed priority scheduler operations | priocntl(S) | N |
| sched_fc | fixed class scheduler operations | priocntl(S) | N |
| sched_ts | time-sharing scheduler operations | priocntl(S) | N |
| setrlimit | set resource limits | UNRESOLVED XREF-0 setrlimit(S) | N |
| tfadmin | administrative command | tfadmin(ADM) | N |
| ulimit | resource limits | ulimit(S) | N |
| umount | unmount a device or filesystem | umount(S) | Y |