How Does Auditing Work?

Auditing is the generation of audit records when specified events occur. Most commonly, events that generate audit records include the following:

• System startup and system shutdown

• Login and logout

• Process creation or process destruction, or thread creation or thread destruction

• Opening, closing, creating, destroying, or renaming of objects

• Use of root capabilities or role capabilities

• Identification, and authentication actions

• Discretionary Access Control (DAC) changes by a process or user

• Installation-specific administrative actions

Audit records are generated from three sources:

• By an application

• As a result of an asynchronous event

• As a result of a process system call

Once the relevant event information has been captured, the information is formatted into an audit record. The record is then placed in a kernel buffer known as the audit queue. From this temporary location within the kernel, audit records are written to audit files. Where the audit files are located is determined by entries in the audit_control file. The location can include multiple partitions on the same machine, partitions on different machines, or partitions on machines on different but linked networks. The collection of audit files that are linked together is considered an audit trail.

Audit records accumulate in audit files chronologically. Contained in each audit record is information that identifies the event, what caused the event, the time of the event, and other relevant information.