Auditable events

Process control events

The following events record actions related to the control of processes in the operating system. The majority of these events can be expected to occur frequently during normal use of the system. Therefore, the presence of these events in the log file does not automatically indicate a security problem. However, malicious users may try to use the setgid or setuid system calls to read data that they are not normally allowed to access. You may want to audit the set_gid and set_uid events to ensure that these system calls are always being used correctly.

Process control events

Event Description Manual page Object audit

exec execute an object exec(2) N

exit terminate a process exit(2), _lwp_exit(2) N

kill post a signal kill(2), _lwp_kill(2), sigsendset(2) N

fork create a new process vfork(2), _lwp_create(2), fork(2), fork1(2), forkall(2) N

set_gid change group ID setgid(2) N

set_grps set multiple groups setgroups(2) N

set_pgrps set process groups setpgrp(2) N

set_sid assign a session ID setsid(2) N

set_uid change user ID setuid(2) N

Event	Description	Manual page	Object audit
exec	execute an object	exec(2)	N
exit	terminate a process	exit(2), _lwp_exit(2)	N
kill	post a signal	kill(2), _lwp_kill(2), sigsendset(2)	N
fork	create a new process	vfork(2), _lwp_create(2), fork(2), fork1(2), forkall(2)	N
set_gid	change group ID	setgid(2)	N
set_grps	set multiple groups	setgroups(2)	N
set_pgrps	set process groups	setpgrp(2)	N
set_sid	assign a session ID	setsid(2)	N
set_uid	change user ID	setuid(2)	N