audevent(1M)

HP-UX 11i Version 2: December 2007 Update

NAME

audevent — change or display event or system call audit status

SYNOPSIS

audevent [-P|-p] [-F|-f] [-E] [[-e event] ...] [-S] [[-s syscall] ...]

audevent [-l]

DESCRIPTION

audevent changes or displays the auditing status of the given events or system calls. The event is used to specify names associated with certain self-auditing commands; syscall is used to select related system calls.

If neither -P, -p, -F, nor -f is specified, the current status of the selected events or system calls is displayed.

If the -E option is supplied, it is redundant to specify events with the -e option. This also applies to the -S and -s options. If no event is specified, all events are selected. If no system call is specified, all system calls associated with the selected events are selected.

audevent takes effect immediately. However, the events and system calls specified are audited only when called by a user currently being audited (see audusr(1M)).

If -l is specified, a list of valid events and their associated system calls (if any) is displayed. This option may be helpful when deciding which -e or -s options to use.

Note: The set of audited system calls and corresponding audit events varies frequently as HP-UX evolves. The system call name referred to by the auditing system usually matches the real system call name, but with a few exceptions. Some important known exceptions are provided in System Call Name Mapping Exceptions.

Only the super-user can change or display audit status.

Options

audevent recognizes the following options and command-line arguments:

-P

Audit successful events or system calls.

-p

Do not audit successful events or system calls.

-F

Audit failed events or system calls.

-f

Do not audit failed events or system calls.

-E

Select all events for change or display.

-e event

Select event for change or display.

-S

Select all system calls for change or display.

-s syscall

Select syscall for change or display.

-l

Display a list of valid events and their associated system calls. This option should not be used with any other options.

The following is a list of the valid event types or categories:

create

Object creation. For example, file creation, directory creation, and other object creation.

delete

Object deletion. For example, file deletion, directory deletion, and other object deletion.

readdac

Discretionary access control (DAC) information reading events.

moddac

DAC modification events.

modaccess

Non-DAC modification events.

open

Object opening. For example, file open and other object open.

close

Object closing. For example, file close and other object close.

process

Process operations.

removable

Removable media events. For example, mounting and unmounting events.

login

Login and logout events not related to any particular system call.

admin

All administrative and privileged events.

ipccreat

Interprocess Communication (IPC) object creation.

ipcopen

IPC object opening.

ipcclose

IPC object deletion.

ipcdgram

IPC Datagram transactions.

uevent1

User-defined event 1 (for self-auditing records).

uevent2

User-defined event 2 (for self-auditing records).

uevent3

User-defined event 3 (for self-auditing records).

System Call Name Mapping Exceptions

The following are some important known system call name mapping exceptions:

sem_open()

is referred to as ksem_open().

sem_unlink()

is referred to as ksem_unlink().

sem_close()

is referred to as ksem_close().

gethostname(), sethostname(), uname(), ustat(), setuname()

are all referred to as utssys() by the auditing system.

WARNINGS

All modifications made to the auditing system are lost upon reboot.

To make the changes permanent, set AUDEVENT_ARGS1, AUDEVENT_ARGS2, or AUDEVENT_ARGS3 in /etc/rc.config.d/auditing.
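
A POSIX shell helper, added here as an example and not part of the HP manual page, that builds an audevent option string from the event categories and the system call name mapping exceptions listed above. The function names, the sample selection, and the exact form of the AUDEVENT_ARGS1 line are assumptions.

```shell
#!/bin/sh
# Added example: build an audevent option string from names documented above.
# Function names and the sample selection are hypothetical.

# Event categories listed on this page.
VALID_EVENTS="create delete readdac moddac modaccess open close process \
removable login admin ipccreat ipcopen ipcclose ipcdgram uevent1 uevent2 uevent3"

# Translate a system call name to the name the auditing system uses
# (System Call Name Mapping Exceptions); other names pass through unchanged.
audit_syscall_name() {
    case "$1" in
        sem_open|sem_unlink|sem_close) echo "k$1" ;;
        gethostname|sethostname|uname|ustat|setuname) echo "utssys" ;;
        *) echo "$1" ;;
    esac
}

# build_audevent_args FLAGS ITEM...
#   FLAGS: status options such as "-P -F"; ITEM: "e:<event>" or "s:<syscall>".
# Prints the option string; returns 1 on an unknown event category.
build_audevent_args() {
    args="$1"; shift
    seen=" "
    for item in "$@"; do
        name="${item#?:}"
        case "$item" in
            e:*)
                case " $VALID_EVENTS " in
                    *" $name "*) opt="-e $name" ;;
                    *) echo "unknown event: $name" >&2; return 1 ;;
                esac ;;
            s:*) opt="-s $(audit_syscall_name "$name")" ;;
            *) echo "bad item: $item" >&2; return 1 ;;
        esac
        # Several real names map to one audit name (utssys); emit it once.
        case "$seen" in *" $opt "*) continue ;; esac
        seen="$seen$opt "
        args="$args $opt"
    done
    echo "$args"
}

# Constructed selection: audit success and failure of DAC changes, logins,
# admin events, and the hostname and semaphore calls.
ARGS=$(build_audevent_args "-P -F" e:moddac e:login e:admin s:sethostname s:uname s:sem_open) || exit 1
echo "audevent $ARGS"             # run as super-user to apply immediately
echo "AUDEVENT_ARGS1=\"$ARGS\""   # assumed line form for /etc/rc.config.d/auditing
```

Compare the generated names against the output of audevent -l on the target system before applying them, since the set of audited system calls varies between releases.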

AUTHOR

audevent was developed by HP.