File Formats audit_class(4)
NAME
audit_class - audit class definitions
SYNOPSIS
/etc/security/audit_class
DESCRIPTION
/etc/security/audit_class is a user-configurable ASCII sys-
tem file that stores class definitions used in the auditsystem. Audit events in audit_event(4) are mapped to one or
more of the defined audit classes. audit_event can be
updated in conjunction with changes to audit_class. See
auditconfig(1M) and user_attr(4) for information about
changing the preselection of audit classes in the audit sys-
tem. Programs can use the getauclassent(3BSM) routines to access audit class information. The fields for each class entry are separated by colons. Each class entry is a bitmap and is separated from each other by a newline.Each entry in the audit_class file has the form:
mask:name:description The fields are defined as follows: mask class mask name class name description class description Each class is represented as a bit in the class mask which is an unsigned integer. Thus, there are 32 different classesavailable. Meta-classes can also be defined. These are
supersets composed of multiple base classes, and thus will have more than 1 bit in its mask. See Examples. Two specialmeta-classes are also pre-defined: all, and no.
all Represents a conjunction of all allowed classes, and is provided as a shorthand method of specifying all classes.SunOS 5.11 Last change: 8 Jul 2010 1
File Formats audit_class(4)
no Is the invalid class, and any event mapped solely to this class will not be audited. Turning auditing on to the all meta class will not cause events mapped solely to the no class to be written to the audit trail. This class is also used to map obsolete events which are no longer generated. Obsolete events are retained to process old audit trails files.EXAMPLES
Example 1 Using an audit_class File
The following is an example of an audit_class file:
0x00000000:no:invalid class 0x00000001:fr:file read 0x00000002:fw:file write 0x00000004:fa:file attribute access 0x00000008:fm:file attribute modify 0x00000010:fc:file create 0x00000020:fd:file delete 0x00000040:cl:file close 0x00000100:nt:network 0x00000200:ip:ipc0x00000400:na:non-attribute
0x00001000:lo:login or logout 0x00004000:ap:application0x000f0000:ad:old administrative (meta-class)
0x00070000:am:administrative (meta-class)
0x00010000:ss:change system state0x00020000:as:system-wide administration
0x00040000:ua:user administration 0x00080000:aa:audit utilization0x00300000:pc:process (meta-class)
0x00100000:ps:process start/stop 0x00200000:pm:process modify 0x20000000:io:ioctl 0x40000000:ex:exec 0x80000000:ot:other0xffffffff:all:all classes (meta-class)
FILES/etc/security/audit_class
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:SunOS 5.11 Last change: 8 Jul 2010 2
File Formats audit_class(4)
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Interface Stability | See below. ||_____________________________|_____________________________|
The file format stability is Committed. The file content is Uncommitted.SEE ALSO
auditconfig(1M), au_preselect(3BSM), getauclassent(3BSM),
audit_event(4), user_attr(4), attributes(5)
Part VII, Oracle Solaris Auditing, in System Administration Guide: Security Services NOTES It is possible to deliberately turn on the no class in the kernel, in which case the audit trail will be flooded withrecords for the audit event AUE_NULL.
SunOS 5.11 Last change: 8 Jul 2010 3