Release Notes for HP-UX 10.30: HP 9000 Computers > Chapter 2 Major Changes for HP-UX 10.30

Auditing


Changes for 10.30:

  • New system calls are being audited.

  • The exec system call is auditing additional arguments.

  • audisp(1m) and audusr(1m) are now more efficient.

A new event type readdac has been added for 10.30. The exec(2) system call now audits the arguments of the command being exec'ed. The following system calls are also being audited. The event type to which they have been assigned is listed within parentheses.

        access(READDAC)           munmap(CLOSE)
        acct(ADMIN)               plock(PROCESS)
        adjtime(ADMIN)            putpmsg(MODDAC)
        audctl(ADMIN)             rfa_netunam(ADMIN)
        ca_setpgrp(MODACCESS)     rtprio(PROCESS)
        clock_settime(ADMIN)      sched_setparam(ADMIN)
        exportfs(REMOVABLE)       sched_setscheduler(ADMIN)
        fattach(IPCOPEN)          semop(MODDAC)
        fdetach(IPCCLOSE)         serialize(ADMIN)
        fstat64(READDAC)          setcontext(PROCESS)
        fstat(READDAC)            setpgid(MODACCESS)
        ftruncate64(OPEN)         setpgrp2(MODACCESS)
        getaccess(READDAC)        setpgrp3(MODACCESS)
        kload(OPEN)               setpgrp(MODACCESS)
        ksem_close(CLOSE)         setpriority(ADMIN)
        ksem_open(OPEN)           setregid(MODACCESS)
        ksem_unlink(DELETE)       setrlimit64(PROCESS)
        lchmod(MODDAC)            setsid(MODACCESS)
        lchown(MODDAC)            shm_open(OPEN)
        lockf64(MODACCESS)        shm_unlink(DELETE)
        lockf(MODACCESS)          sigqueue(PROCESS)
        lstat64(READDAC)          socket2(IPCCREAT)
        lstat(READDAC)            socket(IPCCREAT)
        mlock(PROCESS)            socketpair2(IPCCREAT)
        mlockall(PROCESS)         socketpair(IPCCREAT)
        mmap64(OPEN)              stat64(READDAC)
        mmap(OPEN)                stat(READDAC)
        mpctl(ADMIN)              symlink(MODACCESS)
        mq_close(CLOSE)           toolbox(ADMIN)
        mq_open(OPEN)             truncate64(OPEN)
        mq_unlink(DELETE)         ulimit64(PROCESS)
        munlock(PROCESS)          utssys(ADMIN)
        munlockall(PROCESS)

Impact

Vendors who parse binary audit data must account for the changed format of the binary data generated by exec and the introduction of many new system calls.

Performance

Selection of default audit events (specified with the -E option to audevent(1m)) will select more system calls for auditing and may result in some performance degradation. Use audevent with the -s option or SAM to control what gets audited at the system call granularity.

Alternatives/Compatibility

Binary audit data from earlier versions of HP-UX 10.0 will continue to work with the audit display program audisp(1m) in 10.30. However, a binary audit trail generated on 10.30 will not display correctly on earlier versions of HP-UX.

© 1997, Hewlett-Packard Development Company, L.P.