audit.conf(4)audit.conf(4)NAME
audit.conf, audit_site.conf - files containing event mapping informa‐
tion and site-specific event mapping information
DESCRIPTION
Files and store the event mapping information that can be used by and
An event is a particular system operation. It may be either a self-
auditing event or a system call. Auditable events are classified into
several event categories and/or profiles. Events and system calls may
have aliases.
When the auditing system is installed, a default set of event mapping
information is provided in In order to meet site-specific requirements,
users may also define event categories and profiles in
In general, an event category is defined as a set of operations that
affect a particular aspect of the system. A profile is defined as a
set of operations that affect a particular type of system. With these
classifications, a set of events can be selected when using or by spec‐
ifying the event category or the profile that the events are associated
with.
Here is the syntax of the directives in and
Event categories are defined using the directive for base events and
the directive for event aliases.
Base events are events that are pre-defined by the HP-UX operating sys‐
tem. They are always associated with self-auditing events that have
the same name and/or with a list of system calls with the names that
are referred to by the HP-UX auditing system.
Event aliases, distinct from base events, are combinations of base
events, self-auditing events, system calls, and system call aliases.
The system call name referred to by the auditing system usually matches
the real system call name with a few exceptions. If the system call is
one of these exceptions, an alias name may be defined using the direc‐
tive, and the alias name can be used by and system call level selec‐
tion. For example, the system call is referred to as the system call
by the auditing system. The interface of is not publicly exported, but
the security relevant information of this system call is described in
this file documents the security relevant information for all system
calls that have names beginning with a period
Profiles are defined using the directive. Profiles can be combinations
of any events.
In only and directives are allowed; names picked for or must begin with
a uppercase character and must have at least one lowercase character.
Adding or at the end of an event name indicates only include successful
or failed operations.
EXAMPLES
Here are some example entries that could be in
Selecting for auditing enables audit for the system calls (for both
pass and fail), (for pass only), and (for fail only). Note that con‐
tains and the fail events covered under Selecting this profile causes
to be audited for both pass and fail, and to be audited for fail, and
to not be audited at all.
AUTHOR
was developed by HP.
FILES
File containing event mapping information
File containing audit information description for
HP-UX internal system calls which are not publicly supported
File containing site-specific event
mapping information
SEE ALSOaudevent(1M), audisp(1M).
audit.conf(4)