This appendix contains the default auditable events (/etc/sec/audit_events) and the default audit event aliases (/etc/sec/event_aliases) as they are delivered on Tru64 UNIX.
B.1 Default Auditable Events File
The following is the default /etc/sec/audit_events file:
! Audited system calls:
exit succeed fail
fork succeed fail
old open succeed fail
close succeed
old creat succeed fail
link succeed fail
unlink succeed fail
execv succeed fail
chdir succeed fail
fchdir succeed fail
mknod succeed fail
chmod succeed fail
chown succeed fail
getfsstat succeed fail
mount succeed fail
unmount succeed fail
setuid succeed fail
exec_with_loader succeed fail
ptrace succeed fail
nrecvmsg succeed fail
nsendmsg succeed fail
nrecvfrom succeed fail
naccept succeed fail
access succeed fail
kill succeed fail
old stat succeed fail
setpgid succeed fail
old lstat succeed fail
dup succeed fail
pipe succeed fail
open succeed fail
setlogin succeed fail
acct succeed fail
classcntl succeed fail
ioctl succeed fail
reboot succeed fail
revoke succeed fail
symlink succeed fail
readlink succeed fail
execve succeed fail
chroot succeed fail
old fstat succeed fail
vfork succeed fail
stat succeed fail
lstat succeed fail
mmap succeed fail
munmap succeed fail
mprotect succeed fail
old vhangup succeed fail
kmodcall succeed fail
setgroups succeed fail
setpgrp succeed fail
table succeed fail
sethostname succeed fail
dup2 succeed fail
fstat succeed fail
fcntl succeed fail
setpriority succeed fail
socket succeed fail
connect succeed fail
accept succeed fail
bind succeed fail
setsockopt succeed fail
recvmsg succeed fail
sendmsg succeed fail
settimeofday succeed fail
fchown succeed fail
fchmod succeed fail
recvfrom succeed fail
setreuid succeed fail
setregid succeed fail
rename succeed fail
truncate succeed fail
ftruncate succeed fail
setgid succeed fail
sendto succeed fail
shutdown succeed fail
socketpair succeed fail
mkdir succeed fail
rmdir succeed fail
utimes succeed fail
adjtime succeed fail
sethostid succeed fail
old killpg succeed fail
setsid succeed fail
pid_unblock succeed fail
getdirentries succeed fail
statfs succeed fail
fstatfs succeed fail
setdomainname succeed fail
exportfs succeed fail
getmnt succeed fail
alternate setsid succeed fail
swapon succeed fail
msgctl succeed fail
msgget succeed fail
msgrcv succeed fail
msgsnd succeed fail
semctl succeed fail
semget succeed fail
semop succeed fail
lchown succeed fail
shmat succeed fail
shmctl succeed fail
shmdt succeed fail
shmget succeed fail
utc_adjtime succeed fail
security succeed fail
kloadcall succeed fail
priocntlset succeed fail
sigsendset succeed fail
msfs_syscall succeed fail
sysinfo succeed fail
uadmin succeed fail
fuser succeed fail
proplist_syscall succeed fail
ntp_adjtime succeed fail
audcntl succeed fail
setsysinfo succeed fail
swapctl succeed fail
memcntl succeed fail
SystemV/unlink succeed fail
SystemV/open succeed fail
RT/memlk succeed fail
RT/memunlk succeed fail
RT/psx4_time_drift succeed fail
RT/rt_setprio succeed fail

! Audited trusted events:
audit_start succeed fail
audit_stop succeed fail
auditconfig succeed fail
audit_suspend succeed fail
audit_log_change succeed fail
audit_log_creat succeed fail
audit_xmit_fail succeed fail
audit_reboot succeed fail
audit_log_overwrite succeed fail
audit_daemon_exit succeed fail
login succeed fail
logout succeed fail
auth_event succeed fail
audgen8 succeed fail

! Audited mach traps:
lw_wire succeed fail
lw_unwire succeed fail
init_process succeed fail
host_priv_self succeed fail
semop_fast succeed fail

! Audited mach ipc events:
task_create succeed fail
task_terminate succeed fail
task_threads succeed fail
thread_terminate succeed fail
vm_allocate succeed fail
vm_deallocate succeed fail
vm_protect succeed fail
vm_inherit succeed fail
vm_read succeed fail
vm_write succeed fail
vm_copy succeed fail
vm_region succeed fail
task_by_unix_pid succeed fail
bind_thread_to_cpu succeed fail
task_suspend succeed fail
task_resume succeed fail
task_get_special_port succeed fail
task_set_special_port succeed fail
thread_create succeed fail
thread_suspend succeed fail
thread_resume succeed fail
thread_set_state succeed fail
thread_get_special_port succeed fail
thread_set_special_port succeed fail
port_allocate succeed fail
port_deallocate succeed fail
port_insert_send succeed fail
port_extract_send succeed fail
port_insert_receive succeed fail
port_extract_receive succeed fail
host_processors succeed fail
processor_start succeed fail
processor_exit succeed fail
processor_set_default succeed fail
xxx_processor_set_default_priv succeed fail
processor_set_tasks succeed fail
processor_set_threads succeed fail
host_processor_set_priv succeed fail
host_processors_name succeed fail
host_processor_priv succeed fail
The following is the sample /etc/sec/event_aliases file provided with the Tru64 UNIX system:
# This is a SAMPLE alias list. Your alias list should be built to
# satisfy your site's requirements.

obj_creat:      "old open" "old creat" link mknod open symlink mkdir \
                SystemV/open

obj_delete:     unlink truncate ftruncate SystemV/unlink rmdir

exec:           execv exec_with_loader execve

obj_access:     access "old stat" "old lstat" "old open" open statfs \
                fstatfs readlink "old fstat" stat lstat fstat close:1:0 \
                dup dup2 fcntl "old creat" mmap munmap mprotect memcntl \
                SystemV/open

obj_modify:     chmod chown fchown fchmod lchown utimes rename

ipc:            recvmsg nrecvmsg recvfrom nrecvfrom sendmsg nsendmsg \
                sendto accept naccept connect socket bind shutdown \
                socketpair pipe sysV_ipc kill "old killpg" setsockopt \
                sigsendset

sysV_ipc:       msgctl msgget msgrcv msgsnd shmat shmctl shmdt shmget \
                semctl semget semop

proc:           exit fork chdir fchdir setuid ptrace setpgid setlogin \
                chroot vfork setgroups setpgrp setpriority setreuid \
                setregid setgid audcntl RT/rt_setprio setsid "alternate \
                setsid" priocntlset

system:         getfsstat mount unmount acct reboot table sethostname \
                settimeofday adjtime sethostid setdomainname exportfs \
                getmnt swapon utc_adjtime audcntl setsysinfo kloadcall \
                getdirentries revoke "old vhangup" kmodcall security \
                sysinfo uadmin swapctl

misc:           ioctl msfs_syscall fuser

trusted_event:  login logout auth_event audgen8

all:            obj_creat obj_delete exec obj_access obj_modify ipc \
                proc system misc trusted_event

#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# adjtime is being called once a sec?
profile_audit:  audit_start:1:1 audit_stop:1:1 auditconfig:1:1 \
                audit_log_creat:1:1 audit_xmit_fail:1:1 \
                audit_reboot:1:1 audit_log_overwrite:1:1 \
                audit_daemon_exit:1:1 audcntl:1:1 settimeofday:1:1 \
                ntp_adjtime:1:1 utc_adjtime:1:1

profile_net:    connect:1:1 accept:1:1 bind:1:1

profile_auth:   login:1:1 logout:1:1 auth_event:1:1

profile_filesys: mount:1:1 unmount:1:1

profile_creat:  "old creat" link mknod symlink mkdir

profile_proc:   setuid setgid setlogin chroot setsid \
                "alternate setsid"

#================================================================
# Definition of categories
#
# Desktop:
# Provides suggested minimal auditing configuration for a single
# user system. Configuration provides monitoring of trusted audit
# events, no monitoring of files, or network related events.
# --------------------------------------------------------------------
# This alias assumes:
# - Local access is primarily interactive login, generally limited
#   to one user at a time, activity tracked and controlled by the
#   system.
# - Individual accountability is primarily maintained by the system.
# - User related file area access is only limited by file owner
#   choice. Browsing is unrestricted.
# - System related file areas are mostly readonly. Browsing is
#   unrestricted.
# - Login uid is converted to username.
# - Access to the network is monitored.
# - Access to controlled files is unmonitored.
Desktop:        \
                profile_audit \
                profile_auth

# Servers:
# Provides suggested auditing configuration for a system which is
# used as a server for network-based applications (such as
# databases, web server, etc.). Configuration provides monitoring
# of trusted events, system files, network related files, and
# network related events.
# ---------------------------------------------------------------
# This alias assumes:
# - Network access is restricted to application (mail, db server,
#   firewall, etc.) controlled access through network mechanisms
#   (TCP/IP reserved port, DECnet objects, etc.) with the
#   application being responsible for tracking activity.
# - Interactive access is strictly controlled by the system, activity
#   is tracked by the system.
# - Applications primarily handle access control, system control is
#   secondary.
# - Local access logins are strictly controlled, activity is tracked
#   by the system.
# - Individual accountability is primarily maintained by applications.
# - User related file area access is strictly limited to application
#   related files. Browsing is controlled.
# - System related file areas are at most read-only for user
#   application related functions. Browsing is controlled by
#   applications.
# - Login uid is converted to username.
# - Access to the network is monitored.
# - Access to controlled files is monitored.
Server:         \
                profile_audit \
                profile_auth \
                profile_net \
                profile_filesys \
                profile_proc \
                profile_creat obj_delete obj_modify

# Timesharing:
# Provides suggested minimal auditing configuration for a system
# which is used to support multiple interactive users. Configuration
# provides monitoring of trusted events, no monitoring of system
# files, or network related events or files.
# ----------------------------------------------------------------------------
# This alias assumes:
# - Local access is primarily interactive login, activity is tracked
#   and controlled by the system.
# - Individual accountability is primarily maintained by the system.
# - Interactive logins are generally unrestricted.
# - User related file area access is only limited by file owner
#   choice. Browsing is unrestricted.
# - System related file areas are mostly readonly. Browsing is
#   unrestricted.
# - Login uid is converted to username.
# - Access to the network is unmonitored.
# - Access to controlled files is unmonitored.
Timesharing:    \
                profile_audit \
                profile_auth

# Timesharing_extended_audit:
# Provides suggested auditing configuration for a system which is
# used to support multiple interactive users. Configuration provides
# monitoring of trusted events, system files, and no monitoring of
# network related events or files.
# --------------------------------------------------------------------
# This alias assumes:
# - Local access is primarily interactive login, activity is tracked
#   and controlled by the system.
# - Individual accountability is primarily maintained by the system.
# - Interactive logins are generally unrestricted.
# - User related file area access is only limited by file owner
#   choice. Browsing is unrestricted.
# - System related file areas are mostly readonly. Browsing is
#   unrestricted.
# - Access to the network is monitored.
# - Access to controlled files is monitored.
Timesharing_extended_audit: \
                profile_audit \
                profile_auth \
                profile_filesys \
                profile_proc \
                profile_creat obj_delete obj_modify

# Networked_system:
# Provides suggested auditing configuration for a system which
# has networking enabled. Should be used in conjunction with
# Desktop, Timesharing, or Timesharing_extended_audit templates.
# Configuration provides monitoring of trusted events, network
# related files and network related events.
# ------------------------------------------------------------------
# This alias assumes:
# - Network access is through application (mail, printer, etc.)
#   controlled network mechanisms (tcp/ip reserved port, DECnet
#   objects, etc.) which are responsible for tracking activity and
#   controlling access, and interactive login with the system
#   tracking activity and controlling access.
# - Access to the network is monitored.
# - Access to controlled files is monitored.
Networked_system: \
                profile_audit \
                profile_net \
                profile_creat obj_delete obj_modify

# NIS_server:
# Provides suggested auditing configuration for a system used as
# a NIS server. Should be used in conjunction with Desktop,
# Timesharing, or Timesharing_extended_audit templates.
# Configuration provides monitoring of trusted events, NIS
# related files and network related events.
# ---------------------------------------------------------------------
# This alias assumes:
# - Network access is through application (mail, printer, etc.)
#   controlled network mechanisms (TCP/IP reserved port, DECnet
#   objects, etc.) which are responsible for tracking activity and
#   controlling access, and interactive login with the system
#   tracking activity and controlling access.
# - NIS is enabled.
# - Access to the network is monitored.
# - Access to controlled files is monitored.
NIS_server:     \
                profile_audit \
                profile_net \
                profile_creat obj_delete obj_modify
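As an added example (not part of the Tru64 manual or its tools), a small Python resolver for this alias format: it joins the backslash continuation lines, keeps quoted names such as "old open" whole, expands nested aliases (Networked_system through profile_net down to connect) and renders the result in the style of the audit_events file above, so an administrator can see which concrete events a template such as Server actually selects. It assumes that the :s:f qualifier on an item (close:1:0) turns success and failure auditing on with 1 and off with 0; the sample file shows that syntax but does not define it.

```python
import re
import shlex

# Constructed excerpt in the style of the sample file above, not the full file.
SAMPLE = r'''
# comments and backslash continuations, as in the real file
obj_creat: "old open" "old creat" link mknod open symlink mkdir \
        SystemV/open
obj_access: access "old stat" close:1:0 dup
profile_net: connect:1:1 accept:1:1 bind:1:1
proc: setsid "alternate \
        setsid" priocntlset
Networked_system: \
        profile_net \
        obj_creat obj_access
'''

def parse_aliases(text):
    """Return {alias: [items]}; continuation lines are joined first."""
    joined = re.sub(r"\s*\\\s*\n\s*", " ", text)
    aliases = {}
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if line:
            name, _, items = line.partition(":")
            aliases[name.strip()] = shlex.split(items)  # keeps "old open" whole
    return aliases

def resolve(aliases, name, seen=frozenset()):
    """Expand `name` into {event: (audit_success, audit_failure)}.
    Assumed: event:s:f uses 1/0 per outcome; a bare event audits both."""
    if name in seen:
        raise ValueError("alias cycle at " + name)
    events = {}
    for item in aliases[name]:
        base, *flags = item.split(":")
        if not flags and base in aliases:             # nested alias
            events.update(resolve(aliases, base, seen | {name}))
        elif not flags:
            events[base] = (True, True)
        elif len(flags) == 2 and set(flags) <= {"0", "1"}:
            events[base] = (flags[0] == "1", flags[1] == "1")
        else:
            raise ValueError("bad qualifier: " + item)
    return events

def to_audit_events(events):
    """Render resolved events as /etc/sec/audit_events style lines."""
    return [ev + " " + " ".join(w for w, on in zip(("succeed", "fail"), f) if on)
            for ev, f in sorted(events.items())]
```

Running it against the full sample file (read from /etc/sec/event_aliases on a Tru64 host) and diffing the output of to_audit_events(resolve(aliases, "Server")) against /etc/sec/audit_events shows where a template narrows or widens the default selection.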