audit_class(4)                   File Formats                   audit_class(4)

NAME

       audit_class - audit class definitions

SYNOPSIS

       /etc/security/audit_class

DESCRIPTION

       /etc/security/audit_class is a user-configurable ASCII system file that
       stores class definitions used in the audit system. Audit events in
       audit_event(4) are mapped to one or more of the defined audit classes.
       audit_event can be updated in conjunction with changes to audit_class.
       See audit_control(4) and audit_user(4) for information about changing
       the preselection of audit classes in the audit system. Programs can use
       the getauclassent(3BSM) routines to access audit class information.

       The fields for each class entry are separated by colons. Each class
       entry is a bitmap, and entries are separated from one another by a
       newline.

       Each entry in the audit_class file has the form:

         mask:name:description

       The fields are defined as follows:

       mask           class mask

       name           class name

       description    class description

       Each class is represented as a bit in the class mask, which is an
       unsigned integer. Thus, there are 32 different classes available.
       Meta-classes can also be defined. These are supersets composed of
       multiple base classes, and thus have more than one bit set in their
       masks. See Examples. Two special meta-classes are also pre-defined:
       all, and no.

       all    Represents a conjunction of all allowed classes, and is provided
              as a shorthand method of specifying all classes.

       no     Is the invalid class, and any event mapped solely to this class
              will not be audited. Turning auditing on for the all meta-class
              will not cause events mapped solely to the no class to be
              written to the audit trail. This class is also used to map
              obsolete events which are no longer generated. Obsolete events
              are retained to process old audit trail files.

EXAMPLES

       Example 1 Using an audit_class File

       The following is an example of an audit_class file:

         0x00000000:no:invalid class
         0x00000001:fr:file read
         0x00000002:fw:file write
         0x00000004:fa:file attribute access
         0x00000008:fm:file attribute modify
         0x00000010:fc:file create
         0x00000020:fd:file delete
         0x00000040:cl:file close
         0x00000100:nt:network
         0x00000200:ip:ipc
         0x00000400:na:non-attribute
         0x00001000:lo:login or logout
         0x00004000:ap:application
         0x000f0000:ad:old administrative (meta-class)
         0x00070000:am:administrative (meta-class)
         0x00010000:ss:change system state
         0x00020000:as:system-wide administration
         0x00040000:ua:user administration
         0x00080000:aa:audit utilization
         0x00300000:pc:process (meta-class)
         0x00100000:ps:process start/stop
         0x00200000:pm:process modify
         0x20000000:io:ioctl
         0x40000000:ex:exec
         0x80000000:ot:other
         0xffffffff:all:all classes (meta-class)

FILES

       /etc/security/audit_class

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │ See below.                  │
       └─────────────────────────────┴─────────────────────────────┘

       The file format stability is Committed. The file content is
       Uncommitted.

SEE ALSO

       bsmconv(1M), au_preselect(3BSM), getauclassent(3BSM), audit_control(4),
       audit_event(4), audit_user(4), attributes(5)

       Part VII, Solaris Auditing, in System Administration Guide: Security
       Services

NOTES

       It is possible to deliberately turn on the no class in the kernel, in
       which case the audit trail will be flooded with records for the audit
       event AUE_NULL.

       This functionality is available only if Solaris Auditing has been
       enabled. See bsmconv(1M) for more information.

SunOS 5.11                        26 Jun 2008                   audit_class(4)