The following table lists the AIX Audit Events.
Table E-1 AIX Audit Events
| Source Event | Event Description | Command Class | Target Type |
|---|---|---|---|
|
PROC_Create |
Creates a new process. |
CREATE |
PROCEDURE |
|
PROC_Delete |
Terminates the calling process. |
DELETE |
PROCEDURE |
|
PROC_Execute |
Executes a new program. |
EXECUTE |
PROCEDURE |
|
FILE_Accessx |
Determines the accessibility of a file |
RETRIEVE |
FILE |
|
FILE_StatAcl |
Retrieves the access control information for a file. |
RETRIEVE |
FILE |
|
FILE_Frevoke |
Revokes access to a file by other processes. |
REVOKE |
FILE |
|
PROC_Environ |
Change various piece of user information data. |
ALTER |
USER_INFORMATION |
|
PROC_SetSignal |
Action to take upon delivery of signal. |
SET |
PROCEDURE |
|
PROC_Limits |
Controls max system resource consumption |
SET |
SYSTEM_RESOURCE |
|
PROC_Setpri |
Sets fixed priority for process. |
EXECUTE |
FUNCTION |
|
PROC_Privilege |
Changes one or more privilege vectors for process. |
ALTER |
PROCESS |
|
PROC_Settimer |
Sets current value for a specified system wide timer. |
SET |
TIMER |
|
PROC_Adjtime |
Changes system clock. |
ALTER |
SYSTEM_CLOCK |
|
PROC_Debug |
Traces the execution of another process. |
TRACE |
PROCESS |
|
PROC_Kill |
Sends a signal to a process or group of processes. |
STOP |
PROCESS |
|
PROC_setpgid |
Sets the process id group. |
SET |
PROCESS_ID |
|
PROC_Load |
Loads new object module into process address space. |
ASSIGN |
PROCESS |
|
PROC_SetGroups |
Change process concurrent group set. |
ALTER |
PROCESS |
|
PROC_Sysconfig |
Calls to the sysconfig subroutine. |
EXECUTE |
SYSCONFIG |
|
AUD_Bin_Def |
Modification of auditbin. |
ALTER |
AUDIT_BIN |
|
AUD_Events |
Modification of Events. |
ALTER |
AUDIT_EVENTS |
|
AUD_Objects |
Modification of auditobj. |
ALTER |
AUDIT_OBJETCS |
|
ACCT_Disable |
Disables system accounting. |
DISABLE |
SYSTEM_ACCOUNTING |
|
ACCT_Enable |
Enables system accounting. |
ENABLE |
SYSTEM_ACCOUNTING |
|
FILE_Open |
calls to the open subroutine. |
OPEN |
FILE |
|
FILE_Read |
Reads from file descriptor. |
READ |
FILE |
|
FILE_Write |
Writes data to descriptor. |
WRITE |
FILE |
|
FILE_Close |
Closes open file descriptor. |
CLOSE |
FILE |
|
FILE_Link |
Creates new directory entry for file. |
CREATE |
LINK |
|
FILE_Unlink |
Removes a file system object. |
DELETE |
FILE |
|
FILE_Rename |
Changes name of a file system object. |
RENAME |
FILE |
|
FILE_Owner |
Changes file ownership. |
ALTER |
OWNER |
|
FILE_Mode |
Changes file mode. |
ALTER |
FILE |
|
FILE_Fchmod |
Changes file permission for file descriptor |
ALTER |
FILE |
|
FILE_Fchown |
Changes ownership for file descriptor. |
ALTER |
FILE |
|
FILE_Truncate |
Calls to the truncate subroutine. |
TRUNCATE |
FILE |
|
FILE_Symlink |
Creates symbolic link. |
CREATE |
SYMBOLIC_LINK |
|
FILE_Pipe |
Creates unnamed pipe. |
CREATE |
PIPE |
|
FILE_Mknod |
Calls to the mknod subroutine. |
CREATE |
NODE |
|
FILE_Dupfd |
Duplicates file descriptor. |
COPY |
FILE |
|
FS_Extend |
Extends file system. |
EXTEND |
FILE |
|
FS_Mount |
Connects file system to named directory. |
CONNECT |
FILE |
|
FS_Umount |
Disconnects mounted file system. |
DISCONNECT |
FILE |
|
FILE_Acl |
Changes file access control list (ACL) |
ALTER |
FILE |
|
FILE_Facl |
Changes ACL for file descriptor. |
ALTER |
FILE_DESCRIPTOR |
|
FILE_Privilege |
Calls to the chpriv subroutine. |
ALTER |
PRIVILEGE |
|
FILE_Chpriv |
Changes privilege control list. |
ALTER |
PRIVILEGE_CONTROL_LIST |
|
FILE_Fchpriv |
Changes PCL for file descriptor. |
ALTER |
FILE_DESCRIPTOR |
|
FS_Chdir |
Changes current working directory. |
ALTER |
DIRECTORY |
|
FS_Fchdir |
Changes current working directory by file descriptor. |
ALTER |
DIRECTORY |
|
FS_Chroot |
Changes meaning of “/” for current process. |
ALTER |
PROCESS |
|
FS_Rmdir |
Removes directory object. |
DELETE |
DIRECTORY |
|
FS_Mkdir |
Creates directory. |
CREATE |
DIRECTORY |
|
FILE_Utimes |
Calls to the utimes subroutine. |
EXECUTE |
PROCESS |
|
FILE_Stat |
Calls to the stat subroutine. |
EXECUTE |
PROCESS |
|
MSG_Create |
Creates new message queue. |
CREATE |
QUEUE |
|
MSG_Read |
Receives message from message queue. |
RECEIVE |
MESSAGE |
|
MSG_Write |
Sends message on message queue. |
SEND |
MESSAGE |
|
MSG_Delete |
Removes message queue. |
DELETE |
MESSAGE |
|
MSG_Owner |
Changes ownership and access right of message queue. |
ALTER |
MESSAGE_QUEUE |
|
MSG_Mode |
Queries semaphore set access rights. |
SET |
ACCESS_RIGHTS |
|
SHM_Create |
Creates new shared memory segment. |
CREATE |
MEMORY_SEGMENT |
|
SHM_Open |
Calls to the shmat subroutine with Open option. |
OPEN |
MEMORY_SEGMENT |
|
SHM_Detach |
Calls to the shmat subroutine with Detach option. |
DISASSOCIATE |
MEMORY_SEGMENT |
|
SHM_Close |
Closes shared memory segment. |
CLOSE |
MEMORY_SEGMENT |
|
SHM_Owner |
Changes ownership and access rights for shared memory segment. |
ALTER |
MEMORY_SEGMENT |
|
SHM_Mode |
Queries access rights of shared memory segment. |
ACCESS |
MEMORY_SEGMENT |
|
TCPIP_config |
Logs changes to TCP/IP interface. |
WRITE |
TCP/IP |
|
TCPIP_host_id |
Logs attempts to change system host name. |
WRITE |
TCP/IP |
|
TCPIP_route |
Logs changes to routing table. |
WRITE |
TCP/IP |
|
TCPIP_connect |
Calls to the connect subroutine. |
CONNECT |
TCP/IP |
|
TCPIP_data_out |
Data sent. |
SEND |
TCP/IP |
|
TCPIP_data_in |
Data received. |
RECEIVE |
TCP/IP |
|
TCPIP_set_time |
Logs attempt to change system time via network. |
SET |
TCP/IP |
|
TCP_ksocket |
Calls to the kernel TCPIP kernel services. |
EXECUTE |
TCP/IP |
|
TCP_ksocketpair |
Calls to the kernel TCPIP kernel services. |
EXECUTE |
TCP/IP |
|
TCP_kclose |
Calls to the kernel TCPIP kernel services. |
CLOSE |
TCP/IP |
|
TCP_ksetopt |
Calls to the kernel TCPIP kernel services. |
SET |
TCP/IP |
|
TCP_kbind |
Calls to the kernel TCPIP kernel services. |
CONNECT |
TCP/IP |
|
TCP_klisten |
Calls to the kernel TCPIP kernel services. |
COMMUNICATE |
TCP/IP |
|
TCP_kconnect |
Calls to the kernel TCPIP kernel services. |
CONNECT |
TCP/IP |
|
TCP_kaccept |
Calls to the kernel TCPIP kernel services. |
CONNECT |
TCP/IP |
|
TCP_kshutdown |
Calls to the kernel TCPIP kernel services. |
SHUTDOWN |
TCP/IP |
|
TCP_ksend |
Calls to the kernel TCPIP kernel services. |
SEND |
TCP/IP |
|
TCP_kreceive |
Calls to the kernel TCPIP kernel services. |
RECEIVE |
TCP/IP |
|
USER_Login |
Calls to the Terminal State Management service. |
LOGIN |
ACCOUNT |
|
SYSCK_Check |
Calls to the sysck function. |
EXECUTE |
PROCEDURE |
|
SYSCK_Update |
Calls to the sysck function. |
UPDATE |
PROCEDURE |
|
SYSCK_Install |
Calls to the sysck function. |
INSTALL |
PROCEDURE |
|
SYSCK_Delete |
Calls to the sysck function. |
DELETE |
PROCEDURE |
|
TCBCK_Check |
Calls to the tcbck function. |
EXECUTE |
FUNCTION |
|
TCBCK_Update |
Calls to the tcbck function. |
UPDATE |
FUNCTION |
|
TCBCK_Delete |
Calls to the tcbck function. |
DELETE |
FUNCTION |
|
USER_Check |
Calls to the usrck function. USRCK_Error |
EXECUTE |
FUNCTION |
|
USER_Logout |
Calls to the logout subroutine. |
LOGOUT |
USER |
|
PORT_Change |
Calls to the chsec subroutine. |
ALTER |
PORT |
|
USER_Change |
Calls to the chuser subroutine. |
ALTER |
USER |
|
USER_Remove |
Removes a user. |
DELETE |
USER |
|
USER_Create |
Creates a user. |
CREATE |
USER |
|
USER_SetGroups |
Calls to the setgroups subroutine. |
SET |
GROUP |
|
USER_SetEnv |
Calls to the setenv subroutine. |
SET |
USER |
|
USER_SU |
Calls to the su subroutine. |
LOGIN |
USER |
|
GROUP_User |
Calls to the grpchk subroutine. |
EXECUTE |
PROCEDURE |
|
GROUP_Adms |
Calls to the grpchk subroutine. |
EXECUTE |
PROCEDURE |
|
GROUP_Change |
Calls to the chgroup subroutine. |
ALTER |
GROUP |
|
GROUP_Create |
Calls to the mkgroup subroutine. |
CREATE |
GROUP |
|
GROUP_Remove |
Calls to the rmgroup subroutine. |
DELETE |
GROUP |
|
PASSWORD_Change |
Changes a user password. |
UPDATE |
USER |
|
PASSWORD_Flags |
Calls to the pwdadm subroutine. |
ALTER |
USER |
|
PASSWORD_Check |
Calls to the pwdck subroutine. |
ALTER |
USER |
|
SRC_Start |
Starts a system resource controller. |
START |
CONTROLLER |
|
SRC_Stop |
Stops a system resource controller. |
STOP |
CONTROLLER |
|
SRC_Addssys |
Calls to the addsys subroutine. |
EXECUTE |
PROCEDURE |
|
SRC_Chssys |
Calls to the chssys subroutine. |
EXECUTE |
PROCEDURE |
|
SRC_Addserver |
Calls to the addserver subroutine. |
EXECUTE |
PROCEDURE |
|
SRC_Chserver |
Calls to the chserver subroutine. |
EXECUTE |
PROCEDURE |
|
SRC_Delssys |
Calls to the rmsys subroutine. |
EXECUTE |
PROCEDURE |
|
SRC_Delserver |
Calls to the rmserver subroutine. |
EXECUTE |
PROCEDURE |
|
ENQUE_admin |
Calls to the enq subroutine. |
EXECUTE |
PROCEDURE |
|
ENQUE_exec |
Calls to the qdaemon subroutine. |
EXECUTE |
PROCEDURE |
|
SENDMAIL_Config |
Calls to the sendmail function. |
EXECUTE |
FUNCTION |
|
SENDMAIL_ToFile |
Calls to the sendmail function. |
EXECUTE |
FUNCTION |
|
AT_JobAdd |
Calls to the at function. |
EXECUTE |
FUNCTION |
|
At_JobRemove |
Calls to the at function. |
EXECUTE |
FUNCTION |
|
CRON_JobRemove |
Calls to the cron function. |
EXECUTE |
FUNCTION |
|
CRON_JobAdd |
Start of a cron job. |
START |
CRON |
|
CRON_Start |
End of a cron job. |
START |
SYSTEM |
|
NVRAM_Config |
Access to the NVRAM. |
ACCESS |
NVRAM |
|
DEV_Configure |
Calls to the cfgmgr function. |
CONFIGURE |
FUNCTION |
|
DEV_Change |
Device changed. |
ALTER |
DEVICE |
|
DEV_Create |
Device created. |
CREATE |
DEVICE |
|
DEV_Start |
Device started. |
START |
DEVICE |
|
INSTALLP_Inst |
Calls to the installp function. |
EXECUTE |
FUNCTION |
|
INSTALLP_Exec |
Calls to the installp function. |
EXECUTE |
FUNCTION |
|
DEV_Stop |
Device stopped. |
STOP |
DEVICE |
|
DEV_Unconfigure |
Device unconfigured. |
DISASSOCIATE |
DEVICE |
|
DEV_Remove |
Device removed. |
DELETE |
DEVICE |
|
DSMIT_start |
Calls to the dsmit function. |
EXECUTE |
FUNCTION |
|
DSMIT_end |
Calls to the dsmit function. |
EXECUTE |
FUNCTION |
|
LVM_ChangeLV |
Calls to the lvm function. |
EXECUTE |
FUNCTION |
|
LVM_ChangeLV |
Calls to the lvm function. |
EXECUTE |
FUNCTION |
|
LVM_ChangeLV |
Calls to the lvm function. |
EXECUTE |
FUNCTION |
|
LVM_ChangeVG |
Calls to the lvm function. |
EXECUTE |
FUNCTION |
|
LVM_ChangeVG |
Calls to the lvm function. |
EXECUTE |
FUNCTION |
|
LVM_ChangeVG |
Calls to the lvm function. |
EXECUTE |
FUNCTION |
|
LVM_CreateLV |
Calls to the lvm function. |
EXECUTE |
FUNCTION |
|
LVM_CreateVG |
Calls to the lvm function. |
EXECUTE |
FUNCTION |
|
LVM_DeleteVG |
Calls to the lvm function. |
EXECUTE |
FUNCTION |
|
LVM_DeleteLV |
Calls to the lvm function. |
EXECUTE |
FUNCTION |
|
LVM_VaryoffVG |
Calls to the lvm function. |
EXECUTE |
FUNCTION |
|
LVM_VaryonVG |
Calls to the lvm function. |
EXECUTE |
LVM |
|
LVM_AddLV |
Calls to the lvm function. |
ADD |
LVM |
|
LVM_KDeleteLV |
Calls to the lvm function. |
DELETE |
LVM |
|
LVM_KDeleteVG |
Deletes a volume group from the kernel. |
DELETE |
VOLUME_GROUP |
|
LVM_ExtendLV |
Calls to the lvm function. |
UPDATE |
LVM |
|
LVM_ReduceLV |
Calls to the lvm function. |
UPDATE |
LVM |
|
LVM_KChangeLV |
Calls to the lvm function. |
UPDATE |
LVM |
|
LVM_AvoidLV |
Calls to the lvm function. |
UPDATE |
LVM |
|
LVM_MissingPV |
Calls to the lvm function. |
UPDATE |
PHYSICAL_VOLUME |
|
LVM_AddPV |
Calls to the lvm function. |
ADD |
PHYSICAL_VOLUME |
|
LVM_AddMissPV |
Calls to the lvm function. |
ADD |
PHYSICAL_VOLUME |
|
LVM_DeletePV |
Calls to the lvm function. |
DELETE |
PHYSICAL_VOLUME |
|
LVM_RemovePV |
Calls to the lvm function. |
DROP |
PHYSICAL_VOLUME |
|
LVM_AddVGSA |
Calls to the lvm function. |
ADD |
PHYSICAL_VOLUME |
|
LVM_DeleteVGSA |
Calls to the lvm function. |
DELETE |
PHYSICAL_VOLUME |
|
LVM_SetupVG |
Calls to the lvm function. |
SET |
VOLUME_GROUP |
|
LVM_DefineVG |
Calls to the lvm function. |
CREATE |
VOLUME_GROUP |
|
LVM_ChgQuorum |
Calls to the lvm function. |
UPDATE |
VOLUME_GROUP |
|
LVM_Chg1016 |
Calls to the lvm function. |
UPDATE |
VOLUME_GROUP |
|
LVM_UnlockDisk |
Calls to the lvm function. |
UNLOCK |
VOLUME_GROUP |
|
LVM_LockDisk |
Calls to the lvm function. |
LOCK |
VOLUME_GROUP |
|
BACKUP_Export |
Calls to the backup/restore function. |
BACKUP |
SYSTEM |
|
BACKUP_Priv |
Calls to the backup/restore function. |
BACKUP |
PRIVILEGE |
|
RESTORE_Import |
Calls to the backup/restore function. |
RESTORE |
SYSTEM |
|
USER_Shell |
Access to the shell. |
ACCESS |
SHELL |
|
USER_Reboot |
Calls to the reboot function. |
START |
SYSTEM |
|
PROC_Reboot |
Calls to the reboot function. |
START |
SYSTEM |