⇒ audit_sys(5) — Motorola System V 88k Release 4 Version 4.3


audit_sys(5)  —  PUBLIC FILES, TABLES, AND TROFF MACROS

NAME

audit_sys − describes the architecture and components of the audit trail system

DESCRIPTION

The audit system contains the following capabilities:

Record events

Selective control over recording events by reason and class

Selective control over recording events based on the process

Administrative control for the audit system

Post-processing control for the recorded audit information

These capabilities are described in the sections below. 

Record Events

An event is an action performed on an object by a process.  A process can create, remove, modify, or access an object.  An object can be a file, an interprocess communication (IPC) element, or a process.  An event can also be an administrator or operator action, such as a privileged action or a security-related action.  Types of events that can be recorded include:

Significant events that relate to the system’s identification and authentication (I&A) mechanisms

Actions by privileged users, administrators, or operators

Creation or removal of objects (files, IPC elements, processes)

Other security-related mechanisms such as the possible use of identified covert channels

Audit events are generated from system calls and commands. 

Selective Control

Audit events are categorized by reason and class.  A reason is the motive for auditing an event.  The reason codes are defined in <sys/audit.h>.  A class is a group of system calls or commands that perform related functions.  Not all reasons and classes apply to all system calls and commands.  The following list describes the reasons for an audit event. 

The event was successful.  Normal completion of the system call or command occurred (reason AU_SUCCESS). 

The event failed.  Failure of an event can be one of the following:

Discretionary access control (DAC) failure (reason AU_DACFAIL).

Privilege failure (reason AU_PRIVFAIL).

The event used a known covert channel (reason AU_COVERT). 

The event was a special or miscellaneous event.  Special and miscellaneous events are not frequently encountered (reason AU_OTHER). 

The tables in audit(4) show the relationship between reasons and classes of system calls and commands. 

Two examples of audit classes are the system call link(2) and the command login(1).  The class names for link and login are link and login respectively.  Enabling audit for the class link would enable auditing for all events generated by the link system call.  Similarly, enabling audit for the class login would enable auditing for all events generated by the login command.  The tables in audit(4) list the names used to identify each audit event class.

Audits can be based on an individual reason for an individual class.  For example, an administrator can audit DAC failures (reason) for file open actions (class open).  Additional information can be found in audit_alias(4) and aumask(4). 

For an audit event to be logged, the audit mask of the process performing the action must have the reason bit set in the mask element corresponding to the audit class of the audit event. 
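As an added illustration of the mask rule above (example code, not taken from this manual or from the Motorola system), the following C models a per-class audit mask and the logging decision it implies. The reason names are those on this page, but the bit positions, the class numbering, and the function names are assumptions for the example, not the definitions in <sys/audit.h>.

```c
#include <stdio.h>

/* Reason bits. Names follow the manual page; the bit values are assumed
 * for this example and are not those of <sys/audit.h>. */
#define AU_SUCCESS  0x01
#define AU_DACFAIL  0x02
#define AU_PRIVFAIL 0x04
#define AU_COVERT   0x08
#define AU_OTHER    0x10
#define AU_ALL_REASONS (AU_SUCCESS | AU_DACFAIL | AU_PRIVFAIL | AU_COVERT | AU_OTHER)

/* Audit classes, used as indices into the mask. Class names come from the
 * page (open, link, login); the numbering is assumed for this example. */
enum au_class { AU_CLASS_OPEN = 0, AU_CLASS_LINK = 1, AU_CLASS_LOGIN = 2, AU_NCLASS = 3 };

/* One mask element per class; each element holds the reason bits enabled
 * for events of that class. */
typedef struct {
    unsigned char reason[AU_NCLASS];
} au_mask_t;

/* Enable auditing of the given reason bits for one class. */
static void au_mask_set(au_mask_t *m, enum au_class cls, unsigned char reason)
{
    m->reason[cls] |= reason;
}

/* The rule stated on the page: an event is recorded only when the reason
 * bit is set in the mask element that corresponds to the event's class. */
static int au_should_log(const au_mask_t *m, enum au_class cls, unsigned char reason)
{
    return (m->reason[cls] & reason) != 0;
}

/* The page's example policy: DAC failures for class open, and all events
 * generated by classes link and login. Returns the logging decision. */
static int policy_logs(enum au_class cls, unsigned char reason)
{
    au_mask_t m = { { 0 } };
    au_mask_set(&m, AU_CLASS_OPEN,  AU_DACFAIL);
    au_mask_set(&m, AU_CLASS_LINK,  AU_ALL_REASONS);
    au_mask_set(&m, AU_CLASS_LOGIN, AU_ALL_REASONS);
    return au_should_log(&m, cls, reason);
}

int main(void)
{
    /* A successful open is not recorded under this policy; an open that
     * fails DAC is, as is any event from the link class. */
    printf("open/success: %d\n", policy_logs(AU_CLASS_OPEN, AU_SUCCESS));
    printf("open/dacfail: %d\n", policy_logs(AU_CLASS_OPEN, AU_DACFAIL));
    printf("link/success: %d\n", policy_logs(AU_CLASS_LINK, AU_SUCCESS));
    return 0;
}
```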

Administrative Control

During the login process, users are assigned a set of event classes and corresponding reasons for auditing each class.  The audit administrator specifies the classes and reasons.  The manual pages for audit_alias(4) and aumask(4) describe this procedure. 

An audit administrator can specify how the audit system should respond to a File System Full condition when the file system containing the audit trail no longer has space to record audit records.  Refer to audit(1M) and audit_d(1M) for more information. 

Post-Processing Control

Once an audit trail file has been created, an administrator can select all or part of the information from the audit file by specifying qualifying arguments to the auscan(1M) command.  This utility allows the selection of events based on a number of criteria, including time, user, class, and reason.

Once audit records are selected with auscan(1M), auconvert(1M) can be used to translate the binary information into text format.  auconvert also performs some further translation on symbolic information and structures. 

SEE ALSO

auconvert(1M), audit(1M), audit_d(1M), aualiasmgmt(1M), aumaskmgmt(1M), auscan(1M), au_ctl(3A), au_entry(3A), au_getauthid(3A), au_getpmask(3A), audit(4), audit_alias(4), aumask(4)

(Security Enhancement)

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026