Audit events
An audit event is any security-relevant occurrence in the system. A security-relevant occurrence can be a change to the security state of the system, an attempted or actual violation of the system access control or accountability security policies, or both. The programs and kernel modules that detect audit events report these events to the system audit logger that runs as part of the kernel. This audit event report can be accessed either by using a subroutine (for trusted program auditing) or within a kernel procedure call (for supervisor state auditing). The information that is reported in an audit event includes the name of the event, the success or failure of the event, and any additional event-specific information that is related to security auditing.
To audit an activity, you must identify the command or process that initiates the audit event and ensure that the event is listed in the /etc/security/audit/events file for your system. You can facilitate the assignment of audit events to users by combining similar events into audit classes. These audit classes are defined in the classes stanza of the /etc/security/audit/config file.
The following table lists some of the commonly used audit events that occur in the AIX® operation system:
| User or system call | Audit event | Description |
|---|---|---|
fork |
PROC_Create | Specifies that a process is created. |
exit |
PROC_Delete | Specifies that the calling process ended. |
exec |
PROC_Execute | Runs a new program. |
setuidx |
PROC_RealUID | Sets the user ID of the process. |
| PROC_AuditID | ||
| PROC_SetUserIDs | ||
setgidx |
PROC_RealGID | Sets the process group ID. |
setroles |
PROC_SetRoles | Entry point for setting role IDs. |
accessx |
FILE_Accessx | Determines the accessibility of a file. |
statacl |
FILE_StatAcl | Retrieves the access control information of a file. |
revoke |
FILE_Revoke | Revokes access to a file by all processes. |
frevoke |
FILE_Frevoke | Revokes access to a file by other processes. |
usrinfo |
PROC_Environ | Changes a part of user information data. |
setrlimit |
PROC_Limits | Controls consumption of maximum system resources. |
nice |
PROC_SetPri | Specifies the use of the nice function. |
setpri |
PROC_Setpri | Sets fixed priority for processes. |
setpriv |
PROC_Privilege | Changes one or more privilege vectors for processes. |
settimer |
PROC_Settimer | Sets current value for a specified system-wide timer. |
adjtime |
PROC_Adjtime | Changes the system clock. |
ptrace |
PROC_Debug | Traces the execution of another process. |
kill |
PROC_Kill | Sends a signal to a process or a group of processes. |
setpgid |
PROC_setpgid | Sets the process group ID. |
ld_loadmodule |
PROC_Load | Loads a new object module into the process address space. |
| PROC_LoadError | Indicates that the object loading failed. | |
setgroups |
PROC_SetGroups | Changes the process concurrent group set. |
sysconfig |
PROC_Sysconfig | Captures the action on kernel or system configuration. |
audit |
AUD_It | Starts and stops the auditing operation. It also queries the audit status. |
auditbin |
AUD_Bin_Def | Modifies the auditbin system call. |
auditevents |
AUD_Events | Modifies events. |
auditobj |
AUD_Objects | Modifies the auditobj system call. |
auditproc |
AUD_Proc | Gets or sets the audit state of a process. |
acct |
ACCT_Disable | Disables system accounting. |
| ACCT_Enable | Enables system accounting. | |
open and create |
FILE_Open | Calls the open subroutine. |
read |
FILE_Read | Reads data from the file descriptor. |
write |
FILE_Write | Writes data to the file descriptor. |
close |
FILE_Close | Closes the open file descriptor. |
link |
FILE_Link | Creates new directory entry for a file system object. |
unlink |
FILE_Unlink | Removes a file system object. |
rename |
FILE_Rename | Changes the name of a file system object. |
chown |
FILE_Owner | Changes file ownership. |
chmod |
FILE_Mode | Changes file mode. |
fchmod |
FILE_Fchmod | Changes file permission of a file descriptor. |
fchown |
FILE_Fchown | Changes ownership of a file descriptor. |
truncate |
FILE_Truncate | Changes the length of regular files or shared memory object. |
symlink |
FILE_Symlink | Creates a symbolic link. |
pipe |
FILE_Pipe | Creates an unnamed pipe. |
mknod |
FILE_Mknod | Creates a device special file or a first-in-first-out (FIFO) special file. |
fcntl |
FILE_Dupfd | Duplicates the file descriptor. |
fscntl |
FS_Extend | Extends the file system. |
mount |
FS_Mount | Connects file system to a named directory. |
umount |
FS_Umount | Disconnects the mounted file system. |
chacl |
FILE_Acl | Changes the access control list (ACL) of a file. |
fchacl |
FILE_Facl | Changes ACL of a file descriptor. |
chpriv |
FILE_Privilege | Sets the privilege control list (PCL) of a file path name. |
| FILE_Chpriv | Changes the PCL. | |
| FILE_Fchpriv | Changes the PCL of a file descriptor. | |
chdir |
FS_Chdir | Changes the current working directory. |
fchdir |
FS_Fchdir | Changes the current working directory by using a file descriptor. |
chroot |
FS_Chroot | Changes meaning of the root directory (/) for the current process. |
rmdir |
FS_Rmdir | Removes the directory object. |
mkdir |
FS_Mkdir | Creates a directory. |
utimes |
FILE_Utimes | Calls the utimes subroutine. |
stat |
FILE_Stat | Calls the stat subroutine. |
msgget |
MSG_Create | Creates a message queue. |
msgrcv |
MSG_Read | Receives message from a message queue. |
msgsnd |
MSG_Write | Sends message to a message queue. |
msgctl |
MSG_Delete | Removes a message queue. |
| MSG_Owner | Changes ownership and access right of a message queue. | |
| MSG_Mode | Queries access rights of a message queue. | |
semget |
SEM_Create | Creates a semaphore set. |
semop |
SEM_Op | Increases or decreases one or more semaphores. |
semctl |
SEM_Delete | Deletes a semaphore set. |
| SEM_Owner | Changes ownership and access rights of a semaphore set. | |
| SEM_Mode | Queries semaphore set access rights. | |
shmget |
SHM_Create | Creates a new shared memory segment. |
shmat |
SHM_Open | Calls the shmat subroutine by using the Open option. |
shmat |
SHM_Detach | Calls the shmat subroutine by using the Detach option. |
shmctl |
SHM_Close | Closes shared memory segment. |
| SHM_Owner | Changes ownership and access rights for shared memory segment. | |
| SHM_Mode | Queries access rights of shared memory segment. | |
tcpip user level |
TCPIP_connect | Calls the connect subroutine. |
| TCPIP_data_out | Data sent. | |
| TCPIP_data_in | Data received. | |
| TCPIP_set_time | Logs the attempt to change system time through network. | |
tcpip kernel level |
TCP_ksocket | Specifies that a socket is created. |
| TCP_ksocketpair | Specifies that a pair of connected sockets is created. | |
| TCP_kclose | Specifies that the socket is closed. | |
| TCP_ksetopt | Specifies that the socket options are set. | |
| TCP_kbind | Specifies that a name is bound to a socket. | |
| TCP_klisten | Listens for a socket connection. | |
| TCP_kconnect | Specifies that a connection between two sockets is created. | |
| TCP_kaccept | Accepts a new socket and specifies that a connection on a socket is created. | |
| TCP_kshutdown | Specifies that all send and receive operations of sockets are shut down. | |
| TCP_ksend | Specifies that messages are sent from a connected socket. | |
| TCP_kreceive | Specifies that messages are received from a connected socket. | |
tsm |
USER_Login | Logs in the user to the system. |
| PORT_Locked | Indicates that the port is locked because of invalid login attempts. | |
| TERM_Logout | Logs the user out of the system. | |
rlogind or telnetd |
USER_Exit | Indicates that the user is logged out. |
usrck |
USER_Check | Verifies the accuracy of a user definition. |
| USRCK_Error | ||
| USER_Locked | User is locked after failed login attempts. | |
logout |
USER_Logout | Stops all processes on a port. |
chpass |
USER_Chpass | User password changed. |
chsec |
PORT_Change | Indicates a change in port attribute values. |
| USER_Unlocked | User unlocked by administrator. | |
| LPA_Change | Password algorithm changed. | |
| SECORDER_Change | Change secorder in
/etc/nscontrol.conf. |
|
chuser |
USER_Change | Changes user attributes. |
rmuser |
USER_Remove | Removes a user. |
mkuser |
USER_Create | Creates a user. |
setgroups |
USER_SetGroups | Sets the supplementary group ID of the current process. |
setsenv |
USER_SetEnv | Sets the environment variable. |
su |
USER_SU | Changes the user ID that is associated with a session. |
grpck |
GROUP_User | Removes nonexistent users from the group. |
| GROUP_Adms | Removes nonexistent administrative users from the group. | |
chgroup |
GROUP_Change | Changes the group attributes. |
mkgroup |
GROUP_Create | Creates a group. |
rmgroup |
GROUP_Remove | Removes a group. |
passwd |
PASSWORD_Change | Changes a user password. |
pwdadm |
PASSWORD_Flags | Changes an administrator password. |
pwdck |
PASSWORD_Check | Verifies the accuracy of local authentication information. |
| PASWORD_Ckerr | ||
startsrc |
SRC_Start | Starts a system resource controller. |
stopsrc |
SRC_Stop | Stops a system resource controller. |
addssys |
SRC_Addssys | Adds the SRCsubsys definition to the subsystem object class. |
chssys |
SRC_Chssys | Changes a subsystem definition in the subsystem object class. |
addserver |
SRC_Addserver | Adds a subserver definition to the subserver object class. |
chserver |
SRC_Chserver | Changes a subserver definition in the subserver object class. |
rmsys |
SRC_Delssys | Removes a subsystem definition from the subsystem object class. |
rmserver |
SRC_Delserver | Removes a subserver definition from the Subserver type object class. |
enq |
ENQUE_admin | Queues a file. |
qdaemon |
ENQUE_exec | Schedules queued jobs. |
sendmail |
SENDMAIL_Config | Routes the mail for local or network delivery. |
| SENDMAIL_ToFile | ||
at |
AT_JobAdd | Removes or adds the commands that are scheduled to be run by using the at command. |
| At_JobRemove | ||
cron |
CRON_JobRemove | Removes or adds the commands that are scheduled to be run by using the cron command. |
| CRON_JobAdd | ||
| CRON_Start | Indicates start of a cron job. | |
| CRON_Finish | Indicates end of a cron job. | |
nvload |
NVRAM_Config | Specifies access to the nonvolatile random-access memory (NVRAM). |
cfgmgr |
DEV_Configure | Configures devices. |
chdev and mkdev |
DEV_Change | Specifies a change in device. |
mkdev |
DEV_Create | Specifies that the device is created. |
| DEV_Start | Specifies that the device is started. | |
installp |
INSTALLP_Inst | Installs available software products in a compatible installation package. |
| INSTALLP_Exec | ||
rmdev |
DEV_Stop | Specifies that the device is stopped. |
| DEV_Unconfigure | Specifies that the device is unconfigured. | |
| DEV_Remove | Specifies that the device is removed. | |
lchangelv, lextendlv, and lreducelv
|
LVM_ChangeLV | Specifies that the logical volume is changed. |
lchangepv, ldeletepv, and
linstallpv |
LVM_ChangeVG | Specifies that the volume group is changed. |
lcreatelv |
LVM_CreateLV | Specifies that a logical volume is added to the system. |
lcreatevg |
LVM_CreateVG | Specifies that a volume group is created in the system. |
ldeletepv |
LVM_DeleteVG | Specifies that the volume group is removed from the system. |
rmlv |
LVM_DeleteLV | Specifies that the logical volume is removed from the system. |
lvaryoffvg |
LVM_VaryoffVG | Deactivates a volume group. |
lvaryonvg |
LVM_VaryonVG | Activates a volume group. |
| Logical volume operations | LVM_AddLV | Adds a logical volume to an existing volume group. |
| LVM_KDeleteLV | Removes a logical volume from an existing volume group. | |
| LVM_ExtendLV | Increases the size of a logical volume by adding deallocated physical partitions from the volume group. | |
| LVM_ReduceLV | Decreases the size of a logical volume. | |
| LVM_KChangeLV | Changes existing logical volume. | |
| LVM_AvoidLV | Does not allow a logical volume to perform specific operations. | |
| Physical volume operations | LVM_MissingPV | Adds a missing physical volume to an existing volume group. |
| LVM_AddPV | Adds a physical volume to an existing volume group | |
| LVM_AddMissPV | Adds a missing physical volume to an existing volume group. | |
| LVM_DeletePV | Deletes a physical volume from an existing volume group. | |
| LVM_RemovePV | Removes a physical volume from an existing volume group. | |
| LVM_AddVGSA | Adds a volume group status area (VGSA) to an existing physical volume. | |
| LVM_DeleteVGSA | Removes a VGSA from an existing physical volume. | |
| Volume group operations | LVM_SetupVG | Sets up the volume group by defining logical volumes and by specifying information about the VGSA and mirror write consistency cache (MWCC). |
| LVM_DefineVG | Defines the volume group to the kernel. | |
| LVM_KDeleteVG | Deletes a volume group from the kernel. | |
Backup and restore operations |
BACKUP_Export | Captures the progress of the backup operation. |
| RESTORE_Import | Captures the progress of the restore operation. | |
shell |
USER_Shell | Captures the user tty information. |
reboot |
USER_Reboot | Captures the event of system reboot. |
| PROC_Reboot | Captures the event of process reboot. The reboot subroutine restarts the system or repeats the initial program load (IPL) operation on the system. | |
| /usr/sbin/init | INIT_Start | A process in the init tab is started. |
| INIT_End | A process in the init tab is ended. | |
| /usr/sbin/setsecattr | PROC_Change | A process privilege is changed. |
mkrole |
ROLE_Create | A new role is created. |
chrole |
Role_Change | The attributes of an existing role are changed. |
rmrole |
Role_Remove | A role is removed. |
 Internet Protocol Security (IPsec) operations |
IPSEC_p1_sa | Lists the attributes that establish the security association for the key tunnel. Key tunnel or control plane tunnel is the tunnel that controls how data is sent from one place to another. |
| IPSEC_p2_sa | Lists the attributes that establish the security association for the data tunnel. Data tunnel or data plane tunnel is the tunnel that is used for the actual transport of data. | |
| IPSEC_ike_ver | Specifies the negotiated version of the Internet Key Exchange (IKE). The valid values are IKEv1 and IKEv2. | |
| IPSEC_auth_type | Specifies the authentication mechanism that is used to identify the remote endpoints. The valid values are AUTH_PSK (pre-shared key), AUTH_RSA (RSA_signatures), AUTH_KRB (GSSAPI_krb5), and AUTH_ECDSA (ECDSA256_signatures). | |
| IPSEC_noprp_ack | Notifies about the failure event. The failure notification event is logged only when all proposals are rejected by the remote endpoints and the IKE responder device replies with the NO_PROPOSAL_CHOSEN log message. | |
| IPSEC_chtun | Specifies that one or more tunnel definitions were changed. | |
| IPSEC_gentun | Specifies that a tunnel definition was added to the tunnel database. | |
| IPSEC_imptun | Specifies that one or more tunnel definitions were imported into the tunnel database. | |
| IPSEC_lstun | Specifies that tunnel definitions were queried from the tunnel database. | |
| Internet Protocol Security (IPsec) operations
continued... |
IPSEC_mktun | Specifies that one or more tunnels were activated. |
| IPSEC_rmtun | Specifies that one or more tunnels were deactivated. | |
| IPSEC_chfilt | Specifies that one or more filter definitions were changed in the filter rules table. | |
| IPSEC_expfilt | Specifies that one or more filter definitions were exported from the filter rules table to the file system. | |
| IPSEC_genfilt | Specifies that a filter rule was added to the filter rules table. | |
| IPSEC_trcbuf | Specifies that the ipsectrcbuf command was used to inspect the resident trace buffer for debugging any functional issues in the IPsec subsystem. | |
| IPSEC_impfilt | Specifies that one or more filter rules were imported into the filter rule database from one or more text files. | |
| IPSEC_lsfilt | Specifies that a request was made to collect the filter rules along with their status. | |
| IPSEC_mkfilt | Specifies that an activation request was made for toggling filter rule status. | |
| Internet Protocol Security (IPsec) operations
continued... |
IPSEC_mvfilt | Specifies that the order of the filter rule table was altered. |
| IPSEC_rmfilt | Specifies that one or more entries were removed from the filter rule table. | |
| IPSEC_unload | Specifies that a cryptography module was unloaded from the IPsec subsystem. | |
| IPSEC_stat | Specifies that the IP Security subsystem status was queried by using the ipsecstat command. | |
| IKE_tnl_creat | Specifies that the phase 1 or phase 2 tunnel was created. The event state notifies the status of the tunnel creation operation. | |
| IKE_tnl_delet | Specifies that the phase 1 or phase 2 tunnel was deleted. The event state notifies the status of the tunnel deletion operation. | |
| IKE_activat_cmd | Specifies that the phase 1 or phase 2 tunnel activation was requested. The event state notifies the status of the tunnel activation request. | |
| IKE_remove_cmd | Specifies that the phase 1 or phase 2 tunnel deletion was requested. The event state notifies the status of the tunnel deletion request. |