aud_audit_events(5)aud_audit_events(5)NAMEaud_audit_events - Auditable events for the audit services
Code is in place for auditing audit service-significant events. Among
these events are: Administrative operations
These are subdivided into modify and query operations. Filter opera‐
These are subdivided into modify and query operations.
Event class definitions, together with filters, control the auditing
execution at these code points. Filters can be updated dynamically.
Filter files are maintained by a per-host audit daemon, and are shared
among all the audit clients on the same host. The dcecp command
interface program is used for maintaining the filters. (See the dcecp
reference page.) The dcecp command is executable by all users and sys‐
tem administrators. The control on who is allowed to modify filters is
done through audit daemon's ACL, which maintains the filters.
The Audit Service RPC interfaces include audit_control and audit_filter
The dce_audit_admin_modify and dce_audit_admin_query event classes lump
together the administrative operations that are performed on the Audit
The dce_audit_admin_modify event class has the following events that
modify the operation of the Audit daemon: EVT_MODIFY_STATE - Enables or
disables the Audit daemon for logging. EVT_MODIFY_SSTRATEGY - Modifies
storage strategy. This can be any of the following: Save - If the
trail is full, it is backed up and renamed with a timestamp then writes
on the original trail again. Wrap - If the trail is full, goes back to
the beginning of the file, overwriting previously written records.
EVT_REWIND - Rewinds the Audit daemon's central trail file. EVT_STOP -
Stops the Audit daemon.
The following are the audit code points in the Audit Service inter‐
faces, with their Event Types, Event Classes, and any Event-Specific
Information. EVT_MODIFY_STATE (0x306, dce_audit_admin_modify) None
EVT_MODIFY_SSTRATEGY (0x305, dce_audit_admin_modify) None EVT_REWIND
(0x307, dce_audit_admin_modify) None EVT_STOP (0x308,
The dce_audit_admin_query event class has two events: EVT_SHOW_SSTRAT‐
EGY - Shows the storage strategy. EVT_SHOW_STATE - Shows the state of
the Audit daemon.
Following are the details of this event class: EVT_SHOW_SSTRATEGY
(0x309, dce_audit_admin_query) None EVT_SHOW_STATE (0x30a,
The dce_audit_filter_modify and dce_audit_filter_query event classes
are the filter operations that the Audit daemon handles.
The dce_audit_filter_modify event class has the following events:
EVT_ADD_FILTER - Adds a filter. EVT_DELETE_FILTER - Removes all guides
for a specific subject. EVT_REMOVE_FILTER - Removes a specific guide
for a specific subject.
Following are the details of this event class: EVT_ADD_FILTER (0x303,
dce_audit_filter_modify) None. EVT_DELETE_FILTER (0x300,
dce_audit_filter_modify) None. EVT_REMOVE_FILTER (0x304,
The dce_audit_filter_query contains two events: EVT_LIST_FILTER - Lists
all subjects that have filters. EVT_SHOW_FILTER - Shows all filters
for a specific principal.
Following are the details of this event class. EVT_LIST_FILTER (0x302,
dce_audit_filter_query) None. EVT_SHOW_FILTER (0x301, dce_audit_fil‐
ter_query) aud_c_evt_info_long_int esl_type