Auditing is the recording of security-relevant activity as it occurs on the system and the subsequent analysis of this audit log. With auditing, you can monitor users' activity on the system and, if necessary, reconstruct events leading up to attempts to compromise the security of your system. Thus, it is not as much a method of protecting the system and its data as a method of analyzing and recording system use.
Anything that has to do with a user's access to the system or to a protected object within the system is considered a security-relevant activity. Such activities are called events. Typical events include the following:
Logins, logouts, or login failures
Changes to the authorization database
Access to a protected object, such as a file, device, or global section
Changes in privileges or the security attributes of protected objects
The operating system can record both successful and unsuccessful events. Sometimes the unsuccessful can be more revealing. For example, it is less important to record that a programmer displayed a file to which he had access than that the same programmer tried to but was prevented from displaying a protected file.
The event message itself can be written to two places: an audit log file or an operator terminal that is enabled to receive security class messages. As Sample Alarm Message shows, a message contains the following data:
Date and time of the message
Type of event
Date and time the event occurred
The process identification (PID) of the user who caused the event
Additional information in auditing messages is specific to the type of event. See Alarm Messages for examples of different messages.
Example 1 Sample Alarm Message
%%%%%%%%%%%  OPCOM  25-JUL-2001 16:07:09.20  %%%%%%%%%%%
Message from user AUDIT$SERVER on GILMORE
Security alarm (SECURITY) on GILMORE, system id: 20300
Auditable event:          Process suspended ($SUSPND)
Event time:               25-JUL-2001 16:07:08.77
PID:                      30C00119
Process name:             Hobbit
Username:                 HUBERT
Process owner:            [LEGAL,HUBERT]
Terminal name:            RTA1:
Image name:               $99$DUA0:[SYS0.SYSCOMMON.][SYSEXE]SET.EXE
Status:                   %SYSTEM-S-NORMAL, normal successful completion
Target PID:               30C00126
Target process name:      SMISERVER
Target username:          SYSTEM
Target process owner:     [SYSTEM]
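As an added example (not part of this manual or of the operating system), the following Python parser splits an alarm message laid out as in Example 1 into its fields and classifies the Status line by its OpenVMS severity letter (S or I count as successful), so that an analyst can pick out the unsuccessful events the text above singles out. The sample message embedded in it is constructed to match Example 1; the header, sender and class regexes assume that fixed three-line preamble.

```python
import re
from datetime import datetime

# Constructed sample, laid out like the OPCOM alarm shown in Example 1.
SAMPLE_ALARM = """\
%%%%%%%%%%%  OPCOM  25-JUL-2001 16:07:09.20  %%%%%%%%%%%
Message from user AUDIT$SERVER on GILMORE
Security alarm (SECURITY) on GILMORE, system id: 20300
Auditable event:          Process suspended ($SUSPND)
Event time:               25-JUL-2001 16:07:08.77
PID:                      30C00119
Process name:             Hobbit
Username:                 HUBERT
Process owner:            [LEGAL,HUBERT]
Terminal name:            RTA1:
Image name:               $99$DUA0:[SYS0.SYSCOMMON.][SYSEXE]SET.EXE
Status:                   %SYSTEM-S-NORMAL, normal successful completion
Target PID:               30C00126
Target process name:      SMISERVER
Target username:          SYSTEM
Target process owner:     [SYSTEM]
"""

HEADER_RE = re.compile(r"^%+\s+OPCOM\s+(\S+ \S+)\s+%+$")
SOURCE_RE = re.compile(r"^Message from user (\S+) on (\S+)$")
CLASS_RE = re.compile(r"^Security (\w+) \((\w+)\) on (\S+), system id: (\d+)$")
STATUS_RE = re.compile(r"^%\w+-([SIWEF])-\w+")  # OpenVMS %FACILITY-severity-IDENT

def vms_time(text):
    # OpenVMS timestamp, e.g. 25-JUL-2001 16:07:08.77 (hundredths of a second)
    return datetime.strptime(text, "%d-%b-%Y %H:%M:%S.%f")

def parse_alarm(text):
    """Split one OPCOM security alarm into a dict keyed by its field names."""
    lines = [l.rstrip() for l in text.strip().splitlines()]
    hdr, src, cls = HEADER_RE.match(lines[0]), SOURCE_RE.match(lines[1]), CLASS_RE.match(lines[2])
    if not (hdr and src and cls):
        raise ValueError("not an OPCOM security alarm")
    rec = {"message_time": vms_time(hdr.group(1)), "sender": src.group(1),
           "node": src.group(2), "kind": cls.group(1), "class": cls.group(2),
           "system_id": int(cls.group(4))}
    for line in lines[3:]:
        key, _, value = line.partition(":")  # first colon ends the field name
        rec[key.strip().lower().replace(" ", "_")] = value.strip()
    if "event_time" in rec:
        rec["event_time"] = vms_time(rec["event_time"])
    return rec

def event_succeeded(rec):
    """True when the Status field carries a success (S) or informational (I) severity."""
    m = STATUS_RE.match(rec.get("status", ""))
    return bool(m) and m.group(1) in ("S", "I")

if __name__ == "__main__":
    rec = parse_alarm(SAMPLE_ALARM)
    print(rec["username"], rec["auditable_event"], "succeeded:", event_succeeded(rec))
```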