audit_track_paths(5)audit_track_paths(5)NAMEaudit_track_paths - enable/disable tracking of current and root direc‐
tories for auditing subsystem
if is turned on or is installed,
is a dynamic tunable and replaces specific static tunable
Setting the tunable to enables both and to resolve and report absolute
pathnames for their accounting purposes. This also causes additional
tracking by the kernel, resulting in a small degradation in performance
(and increase in kernel memory usage), even if auditing subsystem is
not in use. Although it is not required, but it is highly recommended
to reboot the system when setting the tunable to with the intention to
be able to record the absolute pathnames. Otherwise, or may not be able
to resolve and report absolute pathname consistently.
When is set to will not resolve absolute pathnames, while will be
unable to open the device and collect data. This is because HIDS
always expects a complete pathname for its purposes.
The tunable is set to state when the system is installed without and
its value is set to The tunable is set to when is first installed.
Who Is Expected to Change This Tunable?
Administrator with proper privileges can change the value of depending
on the restrictions stated below.
Restrictions on Changing
The tunable is a dynamic tunable so any changes to this will take
effect immediately, provided following conditions are satisfied:
1) If the new tunable value is 0 (and not then will not be able to open
the IDDS device; and therefore, it will not be able to run any
intrusion detection template that requires system call audit
records. This restriction is enforced to avoid HIDS reporting
incomplete or relative pathnames.
2) If is opened, then the administrator will not be allowed to change
the value of the tunable.
3) If the tunable is set to will self-tune its value to when the IDDS
device is opened by
4) If the tunable value is set to will self-tune its value to at the
time of turning auditing.
5) If is already the administrator is not allowed to change the tunable
6) If the administrator changes the tunable value from to a reboot of
the system is recommended to avoid reporting of partial pathnames by
When Should the Tunable Be Turned On?
The tunable should be turned if either or is going to be started.
What Are the Side Effects of Turning the Tunable On?
The name of the current working directory (and root directory) of every
process is tracked, resulting in a change in memory usage and perfor‐
mance of the system.
When Should the Tunable Be Turned Off?
When both and are
What Are the Side Effects of Turning the Tunable Off?
When the tunable is is unable to use any detection template that
requires system call audit records (such as the "Modification of
Files/Directories Template"). See HP-UX HIDS documentation for more
information about templates. Also in this case will report relative
pathnames in the audit log.
What Other Tunables Should Be Changed at the Same Time?
This tunable is independent of other tunables.
All HP-UX kernel tunable parameters are release-specific. This parame‐
ter may be removed or have its meaning changed in future releases of
Installation of optional kernel software, from HP or other vendors, may
cause changes to tunable parameter values. After installation, some
tunable parameters may no longer be at the default or recommended val‐
ues. For information about the effects of installation on tunable val‐
ues, consult the documentation for the kernel software being installed.
For information about optional kernel software that was factory
installed on your system, see at
was developed by HP.
SEE ALSOkctune(1M), audit(5), ids.cf(5).
Tunable Kernel Parameters audit_track_paths(5)