Auditing is the generation of audit records when specified events occur. Most commonly, events that generate audit records include the following:
System startup and system shutdown
Login and logout
Process creation or process destruction, or thread creation or thread destruction
Opening, closing, creating, destroying, or renaming of objects
Use of root capabilities or role capabilities
Identification and authentication actions
Discretionary Access Control (DAC) changes by a process or user
Installation-specific administrative actions
Audit records are generated from three sources:
By an application
As a result of an asynchronous event
As a result of a process system call
Once the relevant event information has been captured, the information is formatted into an audit record. The record is then placed in a kernel buffer known as the audit queue. From this temporary location within the kernel, audit records are written to audit files. Where the audit files are located is determined by entries in the audit_control file. The location can include multiple partitions on the same machine, partitions on different machines, or partitions on machines on different but linked networks. The collection of audit files that are linked together is considered an audit trail.
Audit records accumulate in audit files chronologically. Contained in each audit record is information that identifies the event, what caused the event, the time of the event, and other relevant information.
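As an added example, not code from the original documentation: the Python script below reads the dir: entries of a constructed audit_control file, merges the audit files found in those locations into one chronological trail, and flags any interval that no file covers. The audit file naming convention (start.end.hostname) is a known Solaris convention; the directory listings, host name and audit_control contents are constructed for the example.

```python
import re

# Constructed audit_control contents; the 'dir:' entries name the audit file locations.
AUDIT_CONTROL = """\
dir:/var/audit
dir:/var/audit/spill
flags:lo,ad
minfree:20
"""
# Constructed directory listings standing in for those locations (hypothetical host name).
SAMPLE_FILES = {
    "/var/audit": ["20240301000000.20240301120000.hostA",
                   "20240301120000.20240302000000.hostA", "audit_summary.txt"],
    "/var/audit/spill": ["20240302060000.not_terminated.hostA"],
}
# Audit file names are <start>.<end>.<hostname>; the 14-digit YYYYMMDDhhmmss stamps
# sort correctly as strings, and the file still being written ends in 'not_terminated'.
AUDIT_FILE_RE = re.compile(r"^(\d{14})\.(\d{14}|not_terminated)\.(\S+)$")

def audit_dirs(text):
    """Audit directories named by 'dir:' entries, in the order listed."""
    dirs = []
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "dir" and value:
            dirs.append(value)
    return dirs

def build_trail(files_by_dir):
    """Merge audit files from every directory into one trail ordered by start stamp.
    Each entry is (start, end_or_None, host, path)."""
    trail = []
    for directory, names in files_by_dir.items():
        for name in names:
            m = AUDIT_FILE_RE.match(name)
            if not m:
                continue  # stray non-audit files in the directory are ignored
            start, end, host = m.groups()
            trail.append((start, None if end == "not_terminated" else end, host, f"{directory}/{name}"))
    return sorted(trail, key=lambda rec: rec[0])

def find_gaps(trail):
    """Per host, flag a file whose start is later than the previous file's end (an uncovered interval)."""
    gaps, last = [], {}
    for start, end, host, path in trail:
        prev = last.get(host)
        if prev and prev[0] is not None and start > prev[0]:
            gaps.append((prev[1], path))
        last[host] = (end, path)
    return gaps
```

A gap between consecutive files for the same host means no audit file covers that interval, which is the first thing to check when reconstructing events across a trail spread over several partitions or machines.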