Event selection

Event selection must maintain a balance between insufficient and too much detail.

The set of auditable events on the system defines which occurrences can actually be audited and the granularity of the auditing provided. The auditable events must cover the security-relevant events on the system, as defined previously. The level of detail you use for auditable event definition must maintain a balance between insufficient detail, which makes it difficult for the administrator to understand the selected information, and too much detail, which leads to excessive information collection. The definition of events takes advantage of similarities in detected events. For the purpose of this discussion, a detected event is any single instance of an auditable event; for instance, a given event might be detected in various places. The underlying principle is that detected events with similar security properties are selected as the same auditable event. The following list shows a classification of security policy events:

  • Subject Events
    • Process creation
    • Process deletion
    • Setting subject security attributes: user IDs, group IDs
    • Process group, control terminal
  • Object Events
    • Object creation
    • Object deletion
    • Object open (including processes as objects)
    • Object close (including processes as objects)
    • Setting object security attributes: owner, group, ACL
  • Import/Export Events
    • Importing or exporting an object
  • Accountability Events
    • Adding a user, changing user attributes in the password database
    • Adding a group, changing group attributes in the group database
    • User login
    • User logoff
    • Changing user authentication information
    • Trusted path terminal configuration
    • Authentication configuration
    • Auditing administration: selecting events and audit trails, switching on or off, defining user auditing classes
  • General System Administration Events
    • Use of privilege
    • File system configuration
    • Device definition and configuration
    • System configuration parameter definition
    • Normal system IPL and shutdown
    • RAS configuration
    • Other system configuration
    • Starting the audit subsystem
    • Stopping the audit subsystem
    • Querying the audit subsystem
    • Resetting the audit subsystem
  • Security Violations (potential)
    • Access permission refusals
    • Privilege failures
    • Diagnostically detected faults and system errors
    • Attempted alteration of the TCB
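As an added example (not from the original page), the following Python script applies the principle above: each detected event is mapped to one auditable-event class from this classification, with a failed access or privilege check reported as a potential violation regardless of where it was detected, and a selection of classes is then checked for the two failure modes the text names. The event names, the class membership and the sample records are constructed assumptions, not the audit subsystem's own definitions.

```python
from collections import Counter

# Which detected-event names belong to each auditable-event class, following
# the classification on this page. The event names themselves are constructed.
AUDIT_CLASSES = {
    "subject": {"PROC_Create", "PROC_Delete", "PROC_SetUserIDs", "PROC_SetGroups"},
    "object": {"FILE_Open", "FILE_Close", "FILE_Unlink", "FILE_Owner", "FILE_Mode"},
    "import_export": {"FILE_Import", "FILE_Export"},
    "accountability": {"USER_Login", "USER_Logout", "USER_Change", "PASSWORD_Change"},
    "sysadmin": {"PROC_Privilege", "FS_Mount", "DEV_Configure", "AUD_Start", "AUD_Stop"},
}
# A failed access or privilege check is a potential security violation no
# matter which detected event carried it (same security properties, same class).
VIOLATION_EVENTS = {"FILE_Open", "FILE_Unlink", "FILE_Owner", "PROC_Privilege"}

def classify(name, status):
    """Map one detected event to its auditable-event class (None = not auditable)."""
    if status == "FAIL" and name in VIOLATION_EVENTS:
        return "violation"
    for cls, names in AUDIT_CLASSES.items():
        if name in names:
            return cls
    return None

def parse(lines):
    """Parse constructed records of the form 'USER EVENT STATUS'."""
    return [tuple(ln.split()) for ln in lines]

def review_selection(selected, records):
    """Check a selection of classes against detected events. Reports classes the
    selection misses entirely (insufficient detail) and the share of the kept
    records that one class alone contributes (a sign of too much detail)."""
    counts = Counter(classify(name, status) for _, name, status in records)
    counts.pop(None, None)                      # not auditable at all
    missing = sorted(c for c in counts if c not in selected)
    kept = {c: k for c, k in counts.items() if c in selected}
    total = sum(kept.values())
    dominant = max(kept, key=kept.get) if kept else None
    share = kept[dominant] / total if total else 0.0
    return {"missing": missing, "dominant": dominant,
            "share": round(share, 2), "counts": kept}

SAMPLE = [  # constructed detected events, one per line
    "alice USER_Login OK", "alice PROC_Create OK", "alice FILE_Open OK",
    "alice FILE_Open OK", "alice FILE_Open OK", "alice FILE_Open FAIL",
    "alice PROC_Privilege FAIL", "root AUD_Start OK", "root FS_Mount OK",
    "alice USER_Logout OK",
]

if __name__ == "__main__":
    # A selection that audits objects and subjects but not logins or refusals.
    print(review_selection({"object", "subject", "sysadmin"}, parse(SAMPLE)))
```

Run as-is, the report lists `accountability` and `violation` as unselected classes that the sample actually exercised, and shows object events making up half of what would be collected.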