Audit events
An audit event is any security-relevant occurrence in the system. A security-relevant occurrence can be a change to the security state of the system, an attempted or actual violation of the system access control or accountability security policies, or both. The programs and kernel modules that detect audit events report these events to the system audit logger that runs as part of the kernel and can be accessed either by using a subroutine (for trusted program auditing) or within a kernel procedure call (for supervisor state auditing). The information that is reported in an audit event includes the name of the event, the success or failure of the event, and any additional event-specific information that is related to security auditing.
To audit an activity, you must identify the command or process that initiates the audit event and ensure that the event is listed in the /etc/security/audit/events file for your system. You can facilitate the assignment of audit events to users by combining similar events into audit classes. These audit classes are defined in the classes stanza of the /etc/security/audit/config file.
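An added example (not from the IBM page) that does the two checks the paragraph above calls for: it confirms that each event you intend to audit has a definition line in the events file and then prints a line in the form of the `classes` stanza for /etc/security/audit/config. The `NAME = format` line layout of the events file and the `classname = EVENT,EVENT,...` layout of the classes stanza are assumed from the AIX documentation, and the sample events file is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not IBM's code: check that the events you plan to audit are
# defined in the events file, then build one classes-stanza line for
# /etc/security/audit/config. Only "NAME = format" lines are parsed, so the
# stanza header of the events file is not relied on.

# Write a constructed (not real) events file for the demonstration.
write_sample_events() {
  cat > "$1" <<'EOF'
* constructed sample of /etc/security/audit/events
event:
        PROC_Create = printf "%s"
        PROC_Delete = printf "%s"
        FILE_Open = printf "flags: %d mode: %o fd: %d filename: %s"
        USER_Login = printf "user: %s tty: %s"
EOF
}

# event_defined FILE EVENT -> exit 0 if EVENT has a definition line in FILE
event_defined() {
  grep -Eq "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# missing_events FILE EVENT... -> prints the names that have no definition,
# space separated (an empty line when every name is defined)
missing_events() {
  file=$1; shift
  out=
  for ev in "$@"; do
    event_defined "$file" "$ev" || out="$out $ev"
  done
  printf '%s\n' "${out# }"
}

# classes_line CLASS EVENT... -> one line in the assumed classes-stanza
# format "classname = EVENT1,EVENT2,..."
classes_line() {
  cls=$1; shift
  (IFS=','; printf '%s = %s\n' "$cls" "$*")
}

# Demo: on an AIX system point EVENTS at /etc/security/audit/events instead.
EVENTS=${TMPDIR:-/tmp}/events.sample.$$
write_sample_events "$EVENTS"
WANTED="PROC_Create PROC_Delete PROC_Debug USER_Login"
missing=$(missing_events "$EVENTS" $WANTED)
if [ -n "$missing" ]; then
  echo "not defined in $EVENTS: $missing" >&2   # PROC_Debug in the sample
else
  classes_line procmon $WANTED                 # paste into the classes: stanza
fi
rm -f "$EVENTS"
```

Assign the resulting class to a user in the `users` stanza of /etc/security/audit/config in the same way the page describes for any audit class.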
The following table lists some of the commonly used audit events that occur in the AIX® operating system. Where a command or system call generates several events, it is repeated in the first column; where several events share one description, they are listed together in the second column:
User or system call | Audit event | Description |
---|---|---|
fork | PROC_Create | Specifies that a process is created. |
exit | PROC_Delete | Specifies that the calling process has ended. |
exec | PROC_Execute | Runs a new program. |
setuidx | PROC_RealUID, PROC_AuditID, PROC_SetUserIDs | Sets the user ID of the process. |
setgidx | PROC_RealGID | Sets the process group ID. |
setroles | PROC_SetRoles | Entry point for setting role IDs. |
accessx | FILE_Accessx | Determines the accessibility of a file. |
statacl | FILE_StatAcl | Retrieves the access control information of a file. |
revoke | FILE_Revoke | Revokes access to a file by all processes. |
frevoke | FILE_Frevoke | Revokes access to a file by other processes. |
usrinfo | PROC_Environ | Changes a part of the user information data. |
setrlimit | PROC_Limits | Controls the maximum consumption of system resources. |
nice | PROC_SetPri | Specifies the use of the nice function. |
setpri | PROC_Setpri | Sets a fixed priority for processes. |
setpriv | PROC_Privilege | Changes one or more privilege vectors for processes. |
settimer | PROC_Settimer | Sets the current value of a specified system-wide timer. |
adjtime | PROC_Adjtime | Changes the system clock. |
ptrace | PROC_Debug | Traces the execution of another process. |
kill | PROC_Kill | Sends a signal to a process or a group of processes. |
setpgid | PROC_setpgid | Sets the process group ID. |
ld_loadmodule | PROC_Load | Loads a new object module into the process address space. |
ld_loadmodule | PROC_LoadError | Indicates that the object loading failed. |
setgroups | PROC_SetGroups | Changes the process concurrent group set. |
sysconfig | PROC_Sysconfig | Captures the action on the kernel or system configuration. |
audit | AUD_It | Starts and stops the auditing operation. It also queries the audit status. |
auditbin | AUD_Bin_Def | Modifies the auditbin system call. |
auditevents | AUD_Events | Modifies events. |
auditobj | AUD_Objects | Modifies the auditobj system call. |
auditproc | AUD_Proc | Gets or sets the audit state of a process. |
acct | ACCT_Disable | Disables system accounting. |
acct | ACCT_Enable | Enables system accounting. |
open and create | FILE_Open | Calls the open subroutine. |
read | FILE_Read | Reads data from the file descriptor. |
write | FILE_Write | Writes data to the file descriptor. |
close | FILE_Close | Closes the open file descriptor. |
link | FILE_Link | Creates a new directory entry for a file system object. |
unlink | FILE_Unlink | Removes a file system object. |
rename | FILE_Rename | Changes the name of a file system object. |
chown | FILE_Owner | Changes file ownership. |
chmod | FILE_Mode | Changes the file mode. |
fchmod | FILE_Fchmod | Changes the file permissions of a file descriptor. |
fchown | FILE_Fchown | Changes the ownership of a file descriptor. |
truncate | FILE_Truncate | Changes the length of a regular file or shared memory object. |
symlink | FILE_Symlink | Creates a symbolic link. |
pipe | FILE_Pipe | Creates an unnamed pipe. |
mknod | FILE_Mknod | Creates a device special file or a first-in-first-out (FIFO) special file. |
fcntl | FILE_Dupfd | Duplicates the file descriptor. |
fscntl | FS_Extend | Extends the file system. |
mount | FS_Mount | Connects a file system to a named directory. |
umount | FS_Umount | Disconnects the mounted file system. |
chacl | FILE_Acl | Changes the access control list (ACL) of a file. |
fchacl | FILE_Facl | Changes the ACL of a file descriptor. |
chpriv | FILE_Privilege | Sets the privilege control list (PCL) of a file path name. |
chpriv | FILE_Chpriv | Changes the PCL. |
chpriv | FILE_Fchpriv | Changes the PCL of a file descriptor. |
chdir | FS_Chdir | Changes the current working directory. |
fchdir | FS_Fchdir | Changes the current working directory by using a file descriptor. |
chroot | FS_Chroot | Changes the meaning of the root directory (/) for the current process. |
rmdir | FS_Rmdir | Removes the directory object. |
mkdir | FS_Mkdir | Creates a directory. |
utimes | FILE_Utimes | Calls the utimes subroutine. |
stat | FILE_Stat | Calls the stat subroutine. |
msgget | MSG_Create | Creates a message queue. |
msgrcv | MSG_Read | Receives a message from a message queue. |
msgsnd | MSG_Write | Sends a message to a message queue. |
msgctl | MSG_Delete | Removes a message queue. |
msgctl | MSG_Owner | Changes the ownership and access rights of a message queue. |
msgctl | MSG_Mode | Queries the access rights of a message queue. |
semget | SEM_Create | Creates a semaphore set. |
semop | SEM_Op | Increases or decreases one or more semaphores. |
semctl | SEM_Delete | Deletes a semaphore set. |
semctl | SEM_Owner | Changes the ownership and access rights of a semaphore set. |
semctl | SEM_Mode | Queries the access rights of a semaphore set. |
shmget | SHM_Create | Creates a new shared memory segment. |
shmat | SHM_Open | Calls the shmat subroutine by using the Open option. |
shmat | SHM_Detach | Calls the shmat subroutine by using the Detach option. |
shmctl | SHM_Close | Closes a shared memory segment. |
shmctl | SHM_Owner | Changes the ownership and access rights of a shared memory segment. |
shmctl | SHM_Mode | Queries the access rights of a shared memory segment. |
tcpip user level | TCPIP_connect | Calls the connect subroutine. |
tcpip user level | TCPIP_data_out | Specifies that data is sent. |
tcpip user level | TCPIP_data_in | Specifies that data is received. |
tcpip user level | TCPIP_set_time | Logs an attempt to change the system time through the network. |
tcpip kernel level | TCP_ksocket | Specifies that a socket is created. |
tcpip kernel level | TCP_ksocketpair | Specifies that a pair of connected sockets is created. |
tcpip kernel level | TCP_kclose | Specifies that the socket is closed. |
tcpip kernel level | TCP_ksetopt | Specifies that the socket options are set. |
tcpip kernel level | TCP_kbind | Specifies that a name is bound to a socket. |
tcpip kernel level | TCP_klisten | Listens for a socket connection. |
tcpip kernel level | TCP_kconnect | Specifies that a connection between two sockets is created. |
tcpip kernel level | TCP_kaccept | Accepts a new socket and specifies that a connection on a socket is created. |
tcpip kernel level | TCP_kshutdown | Specifies that all send and receive operations of a socket are shut down. |
tcpip kernel level | TCP_ksend | Specifies that messages are sent from a connected socket. |
tcpip kernel level | TCP_kreceive | Specifies that messages are received from a connected socket. |
tsm | USER_Login | Logs the user in to the system. |
tsm | PORT_Locked | Indicates that the port is locked because of invalid login attempts. |
tsm | TERM_Logout | Logs the user out of the system. |
rlogind or telnetd | USER_Exit | Indicates that the user is logged out. |
usrck | USER_Check, USRCK_Error | Verifies the accuracy of a user definition. |
usrck | USER_Locked | Indicates that a user is locked after failed login attempts. |
logout | USER_Logout | Stops all processes on a port. |
chpass | USER_Chpass | Indicates that a user password is changed. |
chsec | PORT_Change | Indicates a change in port attribute values. |
chsec | USER_Unlocked | Indicates that a user is unlocked by an administrator. |
chsec | LPA_Change | Indicates that the password algorithm is changed. |
chsec | SECORDER_Change | Indicates a change of the secorder attribute in /etc/nscontrol.conf. |
chuser | USER_Change | Changes user attributes. |
rmuser | USER_Remove | Removes a user. |
mkuser | USER_Create | Creates a user. |
setgroups | USER_SetGroups | Sets the supplementary group ID of the current process. |
setsenv | USER_SetEnv | Sets the environment variable. |
su | USER_SU | Changes the user ID that is associated with a session. |
grpck | GROUP_User | Removes nonexistent users from the group. |
grpck | GROUP_Adms | Removes nonexistent administrative users from the group. |
chgroup | GROUP_Change | Changes the group attributes. |
mkgroup | GROUP_Create | Creates a group. |
rmgroup | GROUP_Remove | Removes a group. |
passwd | PASSWORD_Change | Changes a user password. |
pwdadm | PASSWORD_Flags | Changes an administrator password. |
pwdck | PASSWORD_Check, PASSWORD_Ckerr | Verifies the accuracy of local authentication information. |
startsrc | SRC_Start | Starts a system resource controller (SRC) subsystem. |
stopsrc | SRC_Stop | Stops a system resource controller (SRC) subsystem. |
addssys | SRC_Addssys | Adds the SRCsubsys definition to the subsystem object class. |
chssys | SRC_Chssys | Changes a subsystem definition in the subsystem object class. |
addserver | SRC_Addserver | Adds a subserver definition to the subserver object class. |
chserver | SRC_Chserver | Changes a subserver definition in the subserver object class. |
rmsys | SRC_Delssys | Removes a subsystem definition from the subsystem object class. |
rmserver | SRC_Delserver | Removes a subserver definition from the subserver object class. |
enq | ENQUE_admin | Queues a file. |
qdaemon | ENQUE_exec | Schedules queued jobs. |
sendmail | SENDMAIL_Config, SENDMAIL_ToFile | Routes the mail for local or network delivery. |
at | AT_JobAdd, AT_JobRemove | Adds or removes the commands that are scheduled to be run by using the at command. |
cron | CRON_JobAdd, CRON_JobRemove | Adds or removes the commands that are scheduled to be run by using the cron command. |
cron | CRON_Start | Indicates the start of a cron job. |
cron | CRON_Finish | Indicates the end of a cron job. |
nvload | NVRAM_Config | Specifies access to the non-volatile random-access memory (NVRAM). |
cfgmgr | DEV_Configure | Configures devices. |
chdev and mkdev | DEV_Change | Specifies a change in a device. |
mkdev | DEV_Create | Specifies that the device is created. |
mkdev | DEV_Start | Specifies that the device is started. |
installp | INSTALLP_Inst, INSTALLP_Exec | Installs available software products in a compatible installation package. |
rmdev | DEV_Stop | Specifies that the device is stopped. |
rmdev | DEV_Unconfigure | Specifies that the device is unconfigured. |
rmdev | DEV_Remove | Specifies that the device has been removed. |
lchangelv, lextendlv, and lreducelv | LVM_ChangeLV | Specifies that the logical volume has been changed. |
lchangepv, ldeletepv, and linstallpv | LVM_ChangeVG | Specifies that the volume group has been changed. |
lcreatelv | LVM_CreateLV | Specifies that a logical volume has been added to the system. |
lcreatevg | LVM_CreateVG | Specifies that a volume group has been created in the system. |
ldeletepv | LVM_DeleteVG | Specifies that the volume group has been removed from the system. |
rmlv | LVM_DeleteLV | Specifies that the logical volume has been removed from the system. |
lvaryoffvg | LVM_VaryoffVG | Deactivates a volume group. |
lvaryonvg | LVM_VaryonVG | Activates a volume group. |
Logical volume operations | LVM_AddLV | Adds a logical volume to an existing volume group. |
Logical volume operations | LVM_KDeleteLV | Removes a logical volume from an existing volume group. |
Logical volume operations | LVM_ExtendLV | Increases the size of a logical volume by adding deallocated physical partitions from the volume group. |
Logical volume operations | LVM_ReduceLV | Decreases the size of a logical volume. |
Logical volume operations | LVM_KChangeLV | Changes an existing logical volume. |
Logical volume operations | LVM_AvoidLV | Prevents a logical volume from performing specific operations. |
Physical volume operations | LVM_MissingPV | Adds a missing physical volume to an existing volume group. |
Physical volume operations | LVM_AddPV | Adds a physical volume to an existing volume group. |
Physical volume operations | LVM_AddMissPV | Adds a missing physical volume to an existing volume group. |
Physical volume operations | LVM_DeletePV | Deletes a physical volume from an existing volume group. |
Physical volume operations | LVM_RemovePV | Removes a physical volume from an existing volume group. |
Physical volume operations | LVM_AddVGSA | Adds a volume group status area (VGSA) to an existing physical volume. |
Physical volume operations | LVM_DeleteVGSA | Removes a VGSA from an existing physical volume. |
Volume group operations | LVM_SetupVG | Sets up the volume group by defining logical volumes and by specifying information about the VGSA and the mirror write consistency cache (MWCC). |
Volume group operations | LVM_DefineVG | Defines the volume group to the kernel. |
Volume group operations | LVM_KDeleteVG | Deletes a volume group from the kernel. |
Backup and restore operations | BACKUP_Export | Captures the progress of the backup operation. |
Backup and restore operations | RESTORE_Import | Captures the progress of the restore operation. |
shell | USER_Shell | Captures the user tty information. |
reboot | USER_Reboot | Captures the event of a system reboot. |
reboot | PROC_Reboot | Captures the event of a process reboot. The reboot subroutine restarts the system or repeats the initial program load (IPL) operation on the system. |
/usr/sbin/init | INIT_Start | A process listed in /etc/inittab is started. |
/usr/sbin/init | INIT_End | A process listed in /etc/inittab is ended. |
/usr/sbin/setsecattr | PROC_Change | A process privilege is changed. |
mkrole | ROLE_Create | A new role is created. |
chrole | ROLE_Change | The attributes of an existing role are changed. |
rmrole | ROLE_Remove | A role is removed. |