Using the Audit Manager

Choosing audit events

In the Audit Manager, select Events -> Modify. Use the arrow keys to move between event types. Use <Space> to toggle between ``Y'' (yes, audit) and ``N'' (no, do not audit). The event types are explained in ``Audit event descriptions''.

The resulting event mask can be applied dynamically to the current audit session, and it can be written to the parameter file to take effect in future audit sessions.

Audit event descriptions

Event type                     Description
A  Startup/Shutdown            system startups (boots) and shutdowns
B  Login/Logoff                successful and unsuccessful login attempts
C  Process Create/Delete       creation and termination of processes
D  Make Object Available       file, message, semaphore opens and filesystem mounts
E  Map Object to Subject       program execution
F  Object Modification         file writes
G  Make Object Unavailable     file, message, semaphore closes and filesystem unmounts
H  Object Creation             file/message/semaphore creation
I  Object Deletion             file/message/semaphore deletion
J  DAC Changes                 file, message, semaphore permission or ownership changes
K  DAC Denials                 denied permissions
L  Admin/Operator Actions      system administrator and operator tasks
M  Insufficient Authorization  tasks that failed due to insufficient privileges
N  Resource Denials            missing files and insufficient memory
O  IPC Functions               sending signals and messages to processes
P  Process Modifications       effective identity or working directory changes
Q  Audit Subsystem Events      system auditing enable, disable, modification
R  Database Events             security data changes and integrity
S  Subsystem Events            use of protected subsystems
T  Use of Authorization        superuser-only actions


© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003