audit_event(4)                   File Formats                   audit_event(4)

NAME

       audit_event - audit event definition and class mapping

SYNOPSIS

       /etc/security/audit_event

DESCRIPTION

       /etc/security/audit_event is a user-configurable ASCII system file that
       stores event definitions used in the audit system. As part of this
       definition, each event is mapped to one or more of the audit classes
       defined in audit_class(4). See audit_control(4) and audit_user(4) for
       information about changing the preselection of audit classes in the
       audit system. Programs can use the getauevent(3BSM) routines to access
       audit event information.

       The fields for each event entry are separated by colons. Each event is
       separated from the next by a NEWLINE. Each entry in the audit_event file
       has the form:

         number:name:description:flags

       The fields are defined as follows:

       number         Event number.

                      Event number ranges are assigned as follows:

                      0              Reserved as an invalid event number.

                      1-2047         Reserved for the Solaris Kernel events.

                      2048-32767     Reserved for the Solaris TCB programs.

                      32768-65535    Available for third party TCB
                                     applications.

                                     System administrators must not add,
                                     delete, or modify (except to change the
                                     class mapping), events with an event
                                     number less than 32768. These events are
                                     reserved by the system.

       name           Event name.

       description    Event description.

       flags          Flags specifying classes to which the event is mapped.
                      Classes are comma separated, without spaces.

                      Obsolete events are commonly assigned to the special
                      class no (invalid) to indicate they are no longer
                      generated. Obsolete events are retained to process old
                      audit trail files. Other events which are not obsolete
                      may also be assigned to the no class.

EXAMPLES

       Example 1 Using the audit_event File

       The following is an example of some audit_event file entries:

         7:AUE_EXEC:exec(2):ps,ex
         79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw
         6152:AUE_login:login - local:lo
         6153:AUE_logout:logout:lo
         6154:AUE_telnet:login - telnet:lo
         6155:AUE_rlogin:login - rlogin:lo
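       Example 2 Checking audit_event Entries (added example)

       The following Python code is an added example, not part of the original
       manual page or of Solaris. It parses number:name:description:flags
       entries, enforces the documented number ranges and the no-spaces rule
       for flags, and reports reserved events (below 32768) that were added,
       renamed or removed relative to a known-good list, while leaving class
       mapping changes alone. Assumptions: the names parse_entry, lint, SAMPLE
       and BASELINE are hypothetical, blank and #-prefixed lines are skipped,
       and descriptions contain no colons.

```python
RANGES = [(1, 2047, "kernel"), (2048, 32767, "solaris-tcb"), (32768, 65535, "third-party")]

def parse_entry(line):
    """Parse one number:name:description:flags entry; ValueError if malformed."""
    fields = line.split(":")
    if len(fields) != 4:
        raise ValueError(f"expected 4 colon-separated fields, got {len(fields)}")
    number_s, name, description, flags = fields
    number = int(number_s) if number_s.isascii() and number_s.isdigit() else 0
    owner = next((o for lo, hi, o in RANGES if lo <= number <= hi), None)
    if owner is None:  # 0, non-numeric and > 65535 all end up here
        raise ValueError(f"invalid event number {number_s!r}")
    classes = flags.split(",")
    if any(not c or any(ch.isspace() for ch in c) for c in classes):
        raise ValueError("flags must be comma separated, without spaces")
    return {"number": number, "name": name, "description": description,
            "classes": classes, "owner": owner}

def lint(text, baseline):
    """Return (events, findings); baseline maps reserved number -> expected name."""
    events, findings = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):  # assumption: not entries
            continue
        try:
            ev = parse_entry(line)
        except ValueError as exc:
            findings.append((lineno, f"malformed: {exc}"))
            continue
        if ev["number"] in events:
            findings.append((lineno, f"duplicate event number {ev['number']}"))
        events[ev["number"]] = ev
        if ev["owner"] != "third-party" and baseline.get(ev["number"]) != ev["name"]:
            findings.append((lineno, f"reserved event {ev['number']} added or renamed"))
        if "no" in ev["classes"]:
            findings.append((lineno, f"{ev['name']} is mapped to class no"))
    for num in sorted(n for n in baseline if n not in events):
        findings.append((None, f"reserved event {num} missing"))
    return events, findings

# Constructed inputs: the first two entries are the page's; the rest and BASELINE are made up.
SAMPLE = """\
7:AUE_EXEC:exec(2):ps,ex
79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw
6152:AUE_login:login - local:no
6200:AUE_site_hook:site event:lo
40000:AUE_myapp:third party app event:lo, ex
"""
BASELINE = {7: "AUE_EXEC", 79: "AUE_OPEN_WTC", 6152: "AUE_login", 6154: "AUE_telnet"}
```

       lint(SAMPLE, BASELINE) returns the parsed events and a list of
       (line number, message) findings.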

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │ See below.                  │
       └─────────────────────────────┴─────────────────────────────┘

       The file format stability is Committed. The file content is Uncommitted.

FILES

       /etc/security/audit_event

SEE ALSO

       bsmconv(1M), getauevent(3BSM), audit_class(4), audit_control(4),
       audit_user(4)

       Part VII, Solaris Auditing, in System Administration Guide: Security
       Services

NOTES

       This functionality is available only if Solaris Auditing has been
       enabled. See bsmconv(1M) for more information.

SunOS 5.11                        26 Jun 2008                   audit_event(4)