Audit events

An audit event is any security-relevant occurrence in the system. A security-relevant occurrence can be a change to the security state of the system, an attempted or actual violation of the system access control or accountability security policies, or both. The programs and kernel modules that detect audit events report these events to the system audit logger that runs as part of the kernel and can be accessed either by using a subroutine (for trusted program auditing) or within a kernel procedure call (for supervisor state auditing). The information that is reported in an audit event includes the name of the event, the success or failure of the event, and any additional event-specific information that is related to security auditing.

To audit an activity, you must identify the command or process that initiates the audit event and ensure that the event is listed in the /etc/security/audit/events file for your system. You can facilitate the assignment of audit events to users by combining similar events into audit classes. These audit classes are defined in the classes stanza of the /etc/security/audit/config file.

The following table lists some of the commonly used audit events that occur in the AIX® operating system:

Table 1. Audit events

| User or system call | Audit event | Description |
|---|---|---|
| fork | PROC_Create | Specifies that a process is created. |
| exit | PROC_Delete | Specifies that the calling process has ended. |
| exec | PROC_Execute | Runs a new program. |
| setuidx | PROC_RealUID | Sets the user ID of the process. |
| | PROC_AuditID | |
| | PROC_SetUserIDs | |
| setgidx | PROC_RealGID | Sets the process group ID. |
| accessx | FILE_Accessx | Determines the accessibility of a file. |
| statacl | FILE_StatAcl | Retrieves the access control information of a file. |
| revoke | FILE_Revoke | Revokes access to a file by all processes. |
| frevoke | FILE_Frevoke | Revokes access to a file by other processes. |
| usrinfo | PROC_Environ | Changes a part of the user information data. |
| setrlimit | PROC_Limits | Controls consumption of maximum system resources. |
| nice | PROC_SetPri | Specifies the use of the nice function. |
| setpri | PROC_Setpri | Sets a fixed priority for processes. |
| setpriv | PROC_Privilege | Changes one or more privilege vectors for processes. |
| settimer | PROC_Settimer | Sets the current value for a specified system-wide timer. |
| adjtime | PROC_Adjtime | Changes the system clock. |
| ptrace | PROC_Debug | Traces the execution of another process. |
| kill | PROC_Kill | Sends a signal to a process or a group of processes. |
| setpgid | PROC_setpgid | Sets the process group ID. |
| ld_loadmodule | PROC_Load | Loads a new object module into the process address space. |
| | PROC_LoadError | Indicates that the object loading failed. |
| setgroups | PROC_SetGroups | Changes the process concurrent group set. |
| sysconfig | PROC_Sysconfig | Captures the action on kernel or system configuration. |
| audit | AUD_It | Starts and stops the auditing operation. It also queries the audit status. |
| auditbin | AUD_Bin_Def | Modifies the auditbin system call. |
| auditevents | AUD_Events | Modifies events. |
| auditobj | AUD_Objects | Modifies the auditobj system call. |
| auditproc | AUD_Proc | Gets or sets the audit state of a process. |
| acct | ACCT_Disable | Disables system accounting. |
| | ACCT_Enable | Enables system accounting. |
| open and create | FILE_Open | Calls the open subroutine. |
| read | FILE_Read | Reads data from the file descriptor. |
| write | FILE_Write | Writes data to the file descriptor. |
| close | FILE_Close | Closes the open file descriptor. |
| link | FILE_Link | Creates a new directory entry for a file system object. |
| unlink | FILE_Unlink | Removes a file system object. |
| rename | FILE_Rename | Changes the name of a file system object. |
| chown | FILE_Owner | Changes file ownership. |
| chmod | FILE_Mode | Changes the file mode. |
| fchmod | FILE_Fchmod | Changes the file permissions of a file descriptor. |
| fchown | FILE_Fchown | Changes the ownership of a file descriptor. |
| truncate | FILE_Truncate | Changes the length of a regular file or shared memory object. |
| symlink | FILE_Symlink | Creates a symbolic link. |
| pipe | FILE_Pipe | Creates an unnamed pipe. |
| mknod | FILE_Mknod | Creates a device special file or a first-in-first-out (FIFO) special file. |
| fcntl | FILE_Dupfd | Duplicates the file descriptor. |
| fscntl | FS_Extend | Extends the file system. |
| mount | FS_Mount | Connects a file system to a named directory. |
| umount | FS_Umount | Disconnects the mounted file system. |
| chacl | FILE_Acl | Changes the access control list (ACL) of a file. |
| fchacl | FILE_Facl | Changes the ACL of a file descriptor. |
| chpriv | FILE_Privilege | Sets the privilege control list (PCL) of a file path name. |
| | FILE_Chpriv | Changes the PCL. |
| | FILE_Fchpriv | Changes the PCL of a file descriptor. |
| chdir | FS_Chdir | Changes the current working directory. |
| fchdir | FS_Fchdir | Changes the current working directory by using a file descriptor. |
| chroot | FS_Chroot | Changes the meaning of the root directory (/) for the current process. |
| rmdir | FS_Rmdir | Removes the directory object. |
| mkdir | FS_Mkdir | Creates a directory. |
| utimes | FILE_Utimes | Calls the utimes subroutine. |
| stat | FILE_Stat | Calls the stat subroutine. |
| msgget | MSG_Create | Creates a message queue. |
| msgrcv | MSG_Read | Receives a message from a message queue. |
| msgsnd | MSG_Write | Sends a message to a message queue. |
| msgctl | MSG_Delete | Removes a message queue. |
| | MSG_Owner | Changes the ownership and access rights of a message queue. |
| | MSG_Mode | Queries the access rights of a message queue. |
| semget | SEM_Create | Creates a semaphore set. |
| semop | SEM_Op | Increases or decreases one or more semaphores. |
| semctl | SEM_Delete | Deletes a semaphore set. |
| | SEM_Owner | Changes the ownership and access rights of a semaphore set. |
| | SEM_Mode | Queries the access rights of a semaphore set. |
| shmget | SHM_Create | Creates a new shared memory segment. |
| shmat | SHM_Open | Calls the shmat subroutine by using the Open option. |
| shmat | SHM_Detach | Calls the shmat subroutine by using the Detach option. |
| shmctl | SHM_Close | Closes a shared memory segment. |
| | SHM_Owner | Changes the ownership and access rights of a shared memory segment. |
| | SHM_Mode | Queries the access rights of a shared memory segment. |
| tcpip user level | TCPIP_connect | Calls the connect subroutine. |
| | TCPIP_data_out | Specifies that data is sent. |
| | TCPIP_data_in | Specifies that data is received. |
| | TCPIP_set_time | Logs an attempt to change the system time through the network. |
| tcpip kernel level | TCP_ksocket | Specifies that a socket is created. |
| | TCP_ksocketpair | Specifies that a pair of connected sockets is created. |
| | TCP_kclose | Specifies that the socket is closed. |
| | TCP_ksetopt | Specifies that the socket options are set. |
| | TCP_kbind | Specifies that a name is bound to a socket. |
| | TCP_klisten | Listens for a socket connection. |
| | TCP_kconnect | Specifies that a connection between two sockets is created. |
| | TCP_kaccept | Accepts a new socket and specifies that a connection on a socket is created. |
| | TCP_kshutdown | Specifies that all send and receive operations of the socket are shut down. |
| | TCP_ksend | Specifies that messages are sent from a connected socket. |
| | TCP_kreceive | Specifies that messages are received from a connected socket. |
| tsm | USER_Login | Logs the user in to the system. |
| | PORT_Locked | Indicates that the port is locked because of invalid login attempts. |
| | TERM_Logout | Logs the user out of the system. |
| rlogind or telnetd | USER_Exit | Indicates that the user is logged out. |
| usrck | USER_Check | Verifies the accuracy of a user definition. |
| | USRCK_Error | |
| logout | USER_Logout | Stops all processes on a port. |
| chsec | PORT_Change | Indicates a change in port attribute values. |
| chuser | USER_Change | Changes user attributes. |
| rmuser | USER_Remove | Removes a user. |
| mkuser | USER_Create | Creates a user. |
| setgroups | USER_SetGroups | Sets the supplementary group ID of the current process. |
| setsenv | USER_SetEnv | Sets the environment variable. |
| su | USER_SU | Changes the user ID that is associated with a session. |
| grpck | GROUP_User | Removes non-existent users from the group. |
| | GROUP_Adms | Removes non-existent administrative users from the group. |
| chgroup | GROUP_Change | Changes the group attributes. |
| mkgroup | GROUP_Create | Creates a group. |
| rmgroup | GROUP_Remove | Removes a group. |
| passwd | PASSWORD_Change | Changes a user password. |
| pwdadm | PASSWORD_Flags | Changes an administrator password. |
| pwdck | PASSWORD_Check | Verifies the accuracy of local authentication information. |
| | PASWORD_Ckerr | |
| startsrc | SRC_Start | Starts a system resource controller. |
| stopsrc | SRC_Stop | Stops a system resource controller. |
| addssys | SRC_Addssys | Adds the SRCsubsys definition to the subsystem object class. |
| chssys | SRC_Chssys | Changes a subsystem definition in the subsystem object class. |
| addserver | SRC_Addserver | Adds a subserver definition to the subserver object class. |
| chserver | SRC_Chserver | Changes a subserver definition in the subserver object class. |
| rmsys | SRC_Delssys | Removes a subsystem definition from the subsystem object class. |
| rmserver | SRC_Delserver | Removes a subserver definition from the subserver object class. |
| enq | ENQUE_admin | Queues a file. |
| qdaemon | ENQUE_exec | Schedules queued jobs. |
| sendmail | SENDMAIL_Config | Routes the mail for local or network delivery. |
| | SENDMAIL_ToFile | |
| at | AT_JobAdd | Adds a command that is scheduled to be run by using the at command. |
| | At_JobRemove | Removes a command that is scheduled to be run by using the at command. |
| cron | CRON_JobRemove | Removes a command that is scheduled to be run by using the cron command. |
| | CRON_JobAdd | Adds a command that is scheduled to be run by using the cron command. |
| | CRON_Start | Indicates the start of a cron job. |
| | CRON_Finish | Indicates the end of a cron job. |
| nvload | NVRAM_Config | Specifies access to the non-volatile random-access memory (NVRAM). |
| cfgmgr | DEV_Configure | Configures devices. |
| chdev and mkdev | DEV_Change | Specifies a change in a device. |
| mkdev | DEV_Create | Specifies that the device is created. |
| | DEV_Start | Specifies that the device is started. |
| installp | INSTALLP_Inst | Installs available software products in a compatible installation package. |
| | INSTALLP_Exec | |
| rmdev | DEV_Stop | Specifies that the device is stopped. |
| | DEV_Unconfigure | Specifies that the device is unconfigured. |
| | DEV_Remove | Specifies that the device has been removed. |
| lchangelv, lextendlv, and lreducelv | LVM_ChangeLV | Specifies that the logical volume has been changed. |
| lchangepv, ldeletepv, and linstallpv | LVM_ChangeVG | Specifies that the volume group has been changed. |
| lcreatelv | LVM_CreateLV | Specifies that a logical volume has been added to the system. |
| lcreatevg | LVM_CreateVG | Specifies that a volume group has been created in the system. |
| ldeletepv | LVM_DeleteVG | Specifies that the volume group has been removed from the system. |
| rmlv | LVM_DeleteLV | Specifies that the logical volume has been removed from the system. |
| lvaryoffvg | LVM_VaryoffVG | Deactivates a volume group. |
| lvaryonvg | LVM_VaryonVG | Activates a volume group. |
| Logical volume operations | LVM_AddLV | Adds a logical volume to an existing volume group. |
| | LVM_KDeleteLV | Removes a logical volume from an existing volume group. |
| | LVM_ExtendLV | Increases the size of a logical volume by adding deallocated physical partitions from the volume group. |
| | LVM_ReduceLV | Decreases the size of a logical volume. |
| | LVM_KChangeLV | Changes an existing logical volume. |
| | LVM_AvoidLV | Prevents a logical volume from performing specific operations. |
| Physical volume operations | LVM_MissingPV | Adds a missing physical volume to an existing volume group. |
| | LVM_AddPV | Adds a physical volume to an existing volume group. |
| | LVM_AddMissPV | Adds a missing physical volume to an existing volume group. |
| | LVM_DeletePV | Deletes a physical volume from an existing volume group. |
| | LVM_RemovePV | Removes a physical volume from an existing volume group. |
| | LVM_AddVGSA | Adds a volume group status area (VGSA) to an existing physical volume. |
| | LVM_DeleteVGSA | Removes a VGSA from an existing physical volume. |
| Volume group operations | LVM_SetupVG | Sets up the volume group by defining logical volumes and by specifying information about the VGSA and the mirror write consistency cache (MWCC). |
| | LVM_DefineVG | Defines the volume group to the kernel. |
| | LVM_KDeleteVG | Deletes a volume group from the kernel. |
| Backup and restore operations | BACKUP_Export | Captures the progress of the backup operation. |
| | RESTORE_Import | Captures the progress of the restore operation. |
| shell | USER_Shell | Captures the user tty information. |
| reboot | USER_Reboot | Captures the event of a system reboot. |
| | PROC_Reboot | Captures the event of a process reboot. The reboot subroutine restarts the system or repeats the initial program load (IPL) operation on the system. |