File Formats auditclass(4)
NAME
auditclass - audit class definitions
SYNOPSIS
/etc/security/auditclass
DESCRIPTION
/etc/security/auditclass is a user-configurable ASCI sys-
tem file that stores class definitions used in the audit
system. Audit events in auditevent(4) are mapped to one or
more of the defined audit classes. auditevent can be
updated in conjunction with changes to auditclass. See
auditcontrol(4) and audituser(4) for information about
changing the preselection of audit classes in the audit sys-
tem. Programs can use the getauclassent(3BSM) routines to
access audit class information.
The fields for each class entry are separated by colons.
Each class entry is a bitmap and is separated from each
other by a newline.
Each entry in the auditclass file has the form:
mask:name:description
The fields are defined as follows:
mask class mask
name class name
description class description
Each class is represented as a bit in the class mask which
is an unsigned integer. Thus, there are 32 different classes
available. Meta-classes can also be defined. These are
supersets composed of multiple base classes, and thus will
have more than 1 bit in its mask. See Examples. Two special
meta-classes are also pre-defined: all, and no.
all Represents a conjunction of all allowed classes, and
is provided as a shorthand method of specifying all
classes.
SunOS 5.11 Last change: 26 Jun 2008 1
File Formats auditclass(4)
no Is the invalid class, and any event mapped solely to
this class will not be audited. Turning auditing on
to the all meta class will not cause events mapped
solely to the no class to be written to the audit
trail. This class is also used to map obsolete events
which are no longer generated. Obsolete events are
retained to process old audit trails files.
EXAMPLES
Example 1 Using an auditclass File
The following is an example of an auditclass file:
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:file close
0x00000100:nt:network
0x00000200:ip:ipc
0x00000400:na:non-attribute
0x00001000:lo:login or logout
0x00004000:ap:application
0x000f0000:ad:old administrative (meta-class)
0x00070000:am:administrative (meta-class)
0x00010000:ss:change system state
0x00020000:as:system-wide administration
0x00040000:ua:user administration
0x00080000:aa:audit utilization
0x00300000:pc:process (meta-class)
0x00100000:ps:process start/stop
0x00200000:pm:process modify
0x20000000:io:ioctl
0x40000000:ex:exec
0x80000000:ot:other
0xffffffff:all:all classes (meta-class)
FILES
/etc/security/auditclass
ATRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
SunOS 5.11 Last change: 26 Jun 2008 2
File Formats auditclass(4)
ATRIBUTE TYPE ATRIBUTE VALUE
Interface Stability See below.
The file format stability is Committed. The file content is
Uncommitted.
SEE ALSO
bsmconv(1M), aupreselect(3BSM), getauclassent(3BSM),
auditcontrol(4), auditevent(4), audituser(4), attri-
butes(5)
Part VI, Solaris Auditing, in System Administration Guide:
Security Services
NOTES
It is possible to deliberately turn on the no class in the
kernel, in which case the audit trail will be flooded with
records for the audit event AUENUL.
This functionality is available only if Solaris Auditing
has been enabled. See bsmconv(1M) for more information.
SunOS 5.11 Last change: 26 Jun 2008 3
|
