https://community.hpe.com/t5/operating-system-hp-ux/auditing-problem/m-p/3340270#M746759 I have auditing turned on the monitor delete events as well as chmods. There are a couple of problems I have found.<BR /><BR />1. While it does monitor for rmdir's just fine, I don't see where it is monitoring for rm's. If this is under a different name (ie. the system call) what is it?<BR /><BR />2. When it displays the "Path" to the file that was modified/deleted, it only shows what the user typed in. If they don't specify a full path, the information is pretty much useless. Anyone know if it is possible to have auditing always display a full path?<BR /><BR />3. Is it possible to monitor events/system calls from root. I noticed a bunch of events created by User=????????. Is that root or the system itself?<BR /><BR />Any insight that can be provided would be very much appreciated. Sat, 24 Jul 2004 14:12:37 GMT James Candalino 2004-07-24T14:12:37Z https://community.hpe.com/t5/operating-system-hp-ux/auditing-problem/m-p/3340270#M746759 I have auditing turned on the monitor delete events as well as chmods. There are a couple of problems I have found.<BR /><BR />1. While it does monitor for rmdir's just fine, I don't see where it is monitoring for rm's. If this is under a different name (ie. the system call) what is it?<BR /><BR />2. When it displays the "Path" to the file that was modified/deleted, it only shows what the user typed in. If they don't specify a full path, the information is pretty much useless. Anyone know if it is possible to have auditing always display a full path?<BR /><BR />3. Is it possible to monitor events/system calls from root. I noticed a bunch of events created by User=????????. Is that root or the system itself?<BR /><BR />Any insight that can be provided would be very much appreciated. Sat, 24 Jul 2004 14:12:37 GMT https://community.hpe.com/t5/operating-system-hp-ux/auditing-problem/m-p/3340270#M746759 James Candalino 2004-07-24T14:12:37Z https://community.hpe.com/t5/operating-system-hp-ux/auditing-problem/m-p/3340271#M746760 Hi,<BR /><BR />2. I believe you can only have the path as typed by the user. Perhaps monitoring chdir() may help.<BR /><BR />3. Yes, root can be audited - use audusr to check whether this has been set. The user=?????? comes from situations where the user cannot be determined. I think login might be one of these situations, as the user isn't known when the command starts.<BR /><BR />regards,<BR /><BR />Darren. Mon, 26 Jul 2004 06:41:49 GMT https://community.hpe.com/t5/operating-system-hp-ux/auditing-problem/m-p/3340271#M746760 Darren Prior 2004-07-26T06:41:49Z