When you select the type of activities to audit, there are still several options for auditing. For example, if you wish to monitor the removal of files, you can generate an audit record under two conditions:
Below is a list of auditable actions with a short definition of each action and one or more of the appropriate event types that can be audited. Important actions contain a note that they should always be audited:
Any login attempt, whether successful or not, should be audited. Also, an audit record should be generated when the user logs out of the system.
Whenever a user invokes the su command, whether to switch to an administrative account such as root or to another user account, the event should be audited. This is especially true for unsuccessful attempts, as they may indicate attempts at unauthorized access.
Any time a user changes a MAC label on a Trusted IRIX/B system, it is wise to make an audit record of the event. (This does not happen under standard IRIX.)
Whenever a user changes his or her password, it is wise to make an audit record of the event.
Any activity related to system administration should be carefully audited; for example, editing the /etc/fstab file.
When a user invokes the chmod command to change the DAC permissions on a file or the chown command to change the ownership of a file.
Whenever a new link, file, or directory is created.
Whenever a link, file, or directory is removed.
Whenever a new process is created or forked, or a process exits or is killed.
The audit administrator (auditor) can change the audited events by entering a new sat_select command. The selected event types can also be changed at different times of day by using the cron utility to execute sat_select periodically.
To tailor your auditing for your specific needs, use the sat_select or satconfig utilities.
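One way to change the selection by time of day from cron, as an added example that is not part of the original documentation: a single script, run hourly, that re-applies the selection appropriate to the current hour, so a missed run is corrected by the next one. The -on/-off option syntax, the event names, the 08:00-18:00 window and the script path are assumptions not taken from this page; check them against the sat_select reference page on your system.

```shell
#!/bin/sh
# Added example: pick the sat_select event selection for the current hour.
# Assumptions (not from the page): the -on/-off option syntax, the event
# names below, and the 08:00-18:00 working-hours window.

# Events recorded at all times (login, logout and su identity events).
BASE_EVENTS="sat_ae_identity"
# High-volume events recorded only outside working hours.
NIGHT_EVENTS="sat_file_crt_del sat_fork sat_exit"

# Print the sat_select arguments for a given hour (00-23).
sat_args_for_hour() {
    case $1 in
        ''|*[!0-9]*) echo "bad hour: $1" >&2; return 2 ;;
    esac
    hour=${1#0}          # "08" -> "8", so no shell treats it as octal
    hour=${hour:-0}      # "0" -> "" -> "0"
    [ "$hour" -le 23 ] || { echo "bad hour: $1" >&2; return 2; }

    args=""
    for ev in $BASE_EVENTS; do args="$args -on $ev"; done
    if [ "$hour" -ge 8 ] && [ "$hour" -lt 18 ]; then flag=-off; else flag=-on; fi
    for ev in $NIGHT_EVENTS; do args="$args $flag $ev"; done
    echo "${args# }"
}

# Dry run by default; cron passes --apply to change the live selection.
sat_schedule() {
    args=$(sat_args_for_hour "$(date +%H)") || return
    if [ "${1:-}" = "--apply" ]; then
        # $args is built only from the fixed lists above, so the
        # unquoted expansion (word splitting) is intentional.
        sat_select $args
    else
        echo "sat_select $args"
    fi
}

sat_schedule "$@"

# Hypothetical crontab entry for the auditor (placeholder path), hourly:
# 0 * * * * /path/to/sat_schedule.sh --apply
```

Run without arguments, the script only prints the sat_select command it would issue, which lets the auditor review a schedule change before installing the cron entry.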