Need a bare bones audit event list

Linda Card
Frequent Advisor

My audit files (on my Tru64 4.0g) are eating
me out of house and home in the lab environment.
They grow 5 kb a minute with nobody on and
nothing running. I wonder if there are some
calls that I do not need to worry about. The
system in the lab and in production does not
connect to the outside world. I started to
edit the audit_events file (which
is renamed when I installed audit). I was
thinking I could just delete some of these but
I am not familiar with most of them. Maybe
I just need to audit failures and let the
successes go by.
Does anybody have a barebones audit_events file for C2 security?
This is what I have now with potential deletes marked as such.
(Caution: it is long)

TIA,
Linda

! Audited system calls:
exit succeed fail
fork succeed fail Delete
old open succeed fail Delete
close succeed
old creat succeed fail Delete
link succeed fail
unlink succeed fail
execv succeed fail
chdir succeed fail
fchdir succeed fail
mknod succeed fail
chmod succeed fail
chown succeed fail
classcntl succeed fail
mount succeed fail
unmount succeed fail
setuid succeed fail
exec_with_loader succeed fail Delete
ptrace succeed fail Delete
nrecvmsg succeed fail Delete
nsendmsg succeed fail Delete
naccept succeed fail Delete
nrecvfrom succeed fail Delete
access succeed fail
kill succeed fail
old stat succeed fail Delete
setpgid succeed fail Delete
old lstat succeed fail Delete
dup succeed fail
pipe succeed fail Delete
open succeed fail
setlogin succeed fail
acct succeed fail
ioctl succeed fail Delete
reboot succeed fail
revoke succeed fail
symlink succeed fail
readlink succeed fail Delete
execve succeed fail Delete
chroot succeed fail
old fstat succeed fail Delete
vfork succeed fail
stat succeed fail
lstat succeed fail
mmap succeed fail
munmap succeed fail
mprotect succeed fail
old vhangup succeed fail
kmodcall succeed fail
setgroups succeed fail
setpgrp succeed fail
table succeed fail
sethostname succeed fail
dup2 succeed fail
fstat succeed fail
fcntl succeed fail
setpriority succeed fail
socket succeed fail
connect succeed fail
accept succeed fail
bind succeed fail
setsockopt succeed fail
recvmsg succeed fail
sendmsg succeed fail
settimeofday succeed fail
fchown succeed fail
fchmod succeed fail
recvfrom succeed fail
setreuid succeed fail
setregid succeed fail
rename succeed fail
truncate succeed fail
ftruncate succeed fail
setgid succeed fail
sendto succeed fail
shutdown succeed fail
socketpair succeed fail
mkdir succeed fail
rmdir succeed fail
utimes succeed fail
adjtime succeed fail
sethostid succeed fail
old killpg succeed fail
setsid succeed fail
getdirentries succeed fail
setdomainname succeed fail
exportfs succeed fail
getmnt succeed fail
alternate setsid succeed fail
statfs succeed fail
fstatfs succeed fail
getfsstat succeed fail
swapon succeed fail
msgctl succeed fail
msgget succeed fail
msgrcv succeed fail
msgsnd succeed fail
semctl succeed fail
semget succeed fail
semop succeed fail
lchown succeed fail
shmat succeed fail
shmctl succeed fail
shmdt succeed fail
shmget succeed fail
utc_adjtime succeed fail
security succeed fail
kloadcall succeed fail
priocntlset succeed fail
sigsendset succeed fail
msfs_syscall succeed fail
sysinfo succeed fail
uadmin succeed fail
fuser succeed fail
audcntl succeed fail Delete
setsysinfo succeed fail Delete
swapctl succeed fail Delete
memcntl succeed fail Delete
proplist_syscall succeed fail Delete
pid_unblock succeed fail Delete
ntp_adjtime succeed fail Delete


! Audited trusted events:
audit_start succeed fail
audit_stop succeed fail
audit_setup succeed fail
audit_suspend succeed fail
audit_log_change succeed fail
audit_log_creat succeed fail
audit_xmit_fail succeed fail
audit_reboot succeed fail
audit_log_overwrite succeed fail
audit_daemon_exit succeed fail
login succeed fail
logout succeed fail
auth_event succeed fail
audgen8 succeed fail
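An added example (not from Linda's post and not Tru64's own tooling) that reads an audit_events listing in the layout shown above and writes a trimmed one following the two ideas in the question: drop the lines marked Delete, and for system calls keep only failures while trusted events keep both flags. The sample lines are constructed from the post; an event left with no flags is omitted from the output, which is this example's choice rather than something the thread states.

```python
# Constructed sample in the layout the post shows: "!" comment lines introduce a
# section, each event line is "<name> succeed fail"; the trailing "Delete" is
# the poster's own annotation, not part of the file format.
SAMPLE = """\
! Audited system calls:
exit succeed fail
fork succeed fail Delete
old open succeed fail Delete
close succeed
setuid succeed fail
! Audited trusted events:
audit_start succeed fail
login succeed fail
"""
FLAGS = ("succeed", "fail")

def parse_events(text):
    """Yield (section, name, flags, marked): section is the last "!" comment,
    flags the set of succeed/fail present, marked True if Delete is on the line."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):
            section = line[1:].strip()
            continue
        tokens = line.split()
        name = []
        while tokens and tokens[0] not in FLAGS:   # names may have spaces ("old open")
            name.append(tokens.pop(0))
        yield section, " ".join(name), set(tokens) & set(FLAGS), "Delete" in tokens

def trim_events(text, failures_only=("Audited system calls:",)):
    """Return a reduced listing: Delete-marked lines are dropped and, in the named
    sections, only 'fail' survives (audit failures, let the successes go by)."""
    out, current = [], None
    for section, name, flags, marked in parse_events(text):
        if section != current:
            out.append("! " + section)
            current = section
        if marked:
            continue
        if section in failures_only:
            flags &= {"fail"}
            if not flags:     # e.g. "close succeed": nothing left to audit, omit
                continue
        out.append(name + " " + " ".join(f for f in FLAGS if f in flags))
    return "\n".join(out) + "\n"
```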
Ann Majeske
Honored Contributor
Re: Need a bare bones audit event list

Hi Linda,

What you audit should be based on the Security Policy for your site and I'm not the manager of the Security Policy for your site, so I'm not going to make any specific recommendations of things you should audit or not audit. But, I can give you a few pointers on how to set up and use the audit subsystem.

On V5.* systems we (HP) added some "canned" profiles for auditing. If you have access to a V5.* system look at the canned profiles in the audit configuration GUI to get some ideas on what you might want to audit.

The list of "audited system calls" is the set of audited syscalls on the system. There should be man pages for each of the syscalls, so you can check the man page for any of these system calls to find out exactly what it is and what it does. This should help you in making the decisions to audit or not to audit the individual syscalls.

The list of things that are currently being audited on the system (the auditmask) can be changed dynamically using the auditmask command (see "man auditmask"). So, you don't have to worry about getting this right the first time; you can reconfigure until you get things the way you like :)

For additional information on the audit subsystem see the Security manual for your version:
http://h30097.www3.hp.com/docs/base_doc/DOCUMENTATION/V40G_HTML/AQ0R2ETE/TITLE.HTM
and the man pages for auditd and audit_tool.

Ann
Linda Card
Frequent Advisor

Re: Need a bare bones audit event list

As always, Ann Majeske has put me on the right track for my answer. I don't know what I would do without her and this site. Thanks again and please close this thread.