IBM 10 SP1 EAL4 Manual De Usuario
Event Description
LAF audit events
Startup and shutdown of audit functions
DAEMON_START, DAEMON_END are generated by
auditd
Modification of audit configuration files
DAEMON_CONFIG, DAEMON_RECONFIG are
generated by auditd. Syscalls open, link,
unlink, rename, truncate, write on
unlink, rename, truncate, write on
configuration files
Successful and unsuccessful file read/write
Syscall open
Audit storage space exceeds a threshold
space_left_action,
admin_space_left_action configuration
admin_space_left_action configuration
parameters for auditd.
Audit storage space failure
disk_full_action, disk_error_action
configuration parameters for auditd.
Operation on file system objects
Syscalls chmod, chown, setxattr,
removexattr, link, symlink, mknod, open,
rename, truncate, unlink, rmdir, mount,
umount, semtimedop
removexattr, link, symlink, mknod, open,
rename, truncate, unlink, rmdir, mount,
umount, semtimedop
Operations on message queue
Syscalls msgctl, msgget
Operations on semaphores
Syscalls semget, semctl, semop,
semtimedop.
semtimedop.
Operations on shared memory segments
Syscalls shmget, shmctl
Rejection or acceptance by the TSF of any tested
secret.
secret.
Audit record type: USER_AUTH from PAM
framework and audit record type:
USER_CHAUTHTOK from shadow utilities.
USER_CHAUTHTOK from shadow utilities.
Use of identification and authentication
mechanism
mechanism
Audit record type: USER_AUTH,
USER_CHAUTHTOK from PAM framework.
USER_CHAUTHTOK from PAM framework.
Success and failure of binding user security
attributes to a subject (e.g. success and failure to
create a subject)
attributes to a subject (e.g. success and failure to
create a subject)
Audit record type: LOGIN from pam_login.so
module. Syscalls: fork and clone.
All modification of subject security values
Syscalls chmod, chown, setxattr, msgctl,
semctl, shmctl, removexattr, truncate
semctl, shmctl, removexattr, truncate
Modifications of the default setting of
permissive of restrictive rules
permissive of restrictive rules
Syscalls umask, open
Modification of TSF data
Syscalls open, rename, link, unlink,
truncate, chmod, chown, setxattr,
removexattr (of audit log files and audit
truncate, chmod, chown, setxattr,
removexattr (of audit log files and audit
configuration files), messages from shadow suites,
audit record type: USER_CHAUTHTOK.
audit record type: USER_CHAUTHTOK.
Modifications to the group of users that are part
of a role
of a role
Audit messages from trusted programs in the
shadow suite, audit record type:
USER_CHAUTHTOK.
shadow suite, audit record type:
USER_CHAUTHTOK.
145