audit_class(4)                   File Formats                   audit_class(4)

NAME
audit_class - audit class definitions

SYNOPSIS
/etc/security/audit_class

DESCRIPTION
/etc/security/audit_class is a user-configurable ASCII system file that
stores class definitions used in the audit system. Audit events in
audit_event(4) are mapped to one or more of the defined audit classes.
audit_event can be updated in conjunction with changes to audit_class.
See audit_control(4) and audit_user(4) for information about changing
the preselection of audit classes in the audit system. Programs can use
the getauclassent(3BSM) routines to access audit class information.

The fields for each class entry are separated by colons. Each class
entry is a bitmap, and entries are separated from one another by a
newline.

Each entry in the audit_class file has the form:

    mask:name:description

The fields are defined as follows:

    mask           class mask
    name           class name
    description    class description

Each class is represented as a bit in the class mask, which is an
unsigned integer. Thus, there are 32 different classes available.
Meta-classes can also be defined. These are supersets composed of
multiple base classes, and thus have more than one bit set in their
masks. See Examples. Two special meta-classes are also pre-defined:
all and no.

    all    Represents a conjunction of all allowed classes, and is
           provided as a shorthand method of specifying all classes.

    no     Is the invalid class, and any event mapped solely to this
           class will not be audited. Turning auditing on to the all
           meta-class will not cause events mapped solely to the no
           class to be written to the audit trail. This class is also
           used to map obsolete events which are no longer generated.
           Obsolete events are retained to process old audit trail
           files.

EXAMPLES
Example 1 Using an audit_class File

The following is an example of an audit_class file:

    0x00000000:no:invalid class
    0x00000001:fr:file read
    0x00000002:fw:file write
    0x00000004:fa:file attribute access
    0x00000008:fm:file attribute modify
    0x00000010:fc:file create
    0x00000020:fd:file delete
    0x00000040:cl:file close
    0x00000100:nt:network
    0x00000200:ip:ipc
    0x00000400:na:non-attribute
    0x00001000:lo:login or logout
    0x00004000:ap:application
    0x000f0000:ad:old administrative (meta-class)
    0x00070000:am:administrative (meta-class)
    0x00010000:ss:change system state
    0x00020000:as:system-wide administration
    0x00040000:ua:user administration
    0x00080000:aa:audit utilization
    0x00300000:pc:process (meta-class)
    0x00100000:ps:process start/stop
    0x00200000:pm:process modify
    0x20000000:io:ioctl
    0x40000000:ex:exec
    0x80000000:ot:other
    0xffffffff:all:all classes (meta-class)

FILES
/etc/security/audit_class

ATTRIBUTES
See attributes(5) for descriptions of the following attributes:

┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE              │ ATTRIBUTE VALUE             │
├─────────────────────────────┼─────────────────────────────┤
│ Interface Stability         │ See below.                  │
└─────────────────────────────┴─────────────────────────────┘

The file format stability is Committed. The file content is Uncommitted.

SEE ALSO
bsmconv(1M), au_preselect(3BSM), getauclassent(3BSM), audit_control(4),
audit_event(4), audit_user(4), attributes(5)

Part VII, Solaris Auditing, in System Administration Guide: Security
Services

NOTES
It is possible to deliberately turn on the no class in the kernel, in
which case the audit trail will be flooded with records for the audit
event AUE_NULL.

This functionality is available only if Solaris Auditing has been
enabled. See bsmconv(1M) for more information.

SunOS 5.11                       26 Jun 2008                    audit_class(4)