|
|
The auditing subsystem is an event-based system, in which data is recorded whenever an audited event occurs. An event represents a single action that may affect the security of the system. Events are triggered by either system calls or user-level commands. For auditable events triggered by system calls, the kernel writes the audit data in the format of an audit record. For auditable events triggered by user-level commands, the command invokes the audit system call, auditdmp(2), to record the audit record.
As the audit administrator, you select which events are to be audited. The selected events are recorded and maintained in data structures referred to as event masks. The following subsections explain the use of event masks and the kernel processing required to determine when an audit record is generated.