File Formats audit_event(4)
NAME
audit_event - audit event definition and class mapping
SYNOPSIS
/etc/security/audit_event
DESCRIPTION
/etc/security/audit_event is a user-configurable ASCII system
file that stores event definitions used in the audit system.
As part of this definition, each event is mapped to one or
more of the audit classes defined in audit_class(4). See
audit_control(4) and audit_user(4) for information about
changing the preselection of audit classes in the audit
system. Programs can use the getauevent(3BSM) routines to
access audit event information.
The fields for each event entry are separated by colons.
Each event is separated from the next by a NEWLINE. Each
entry in the audit_event file has the form:
number:name:description:flags
The fields are defined as follows:
number         Event number.
               Event number ranges are assigned as follows:
               0              Reserved as an invalid event number.
               1-2047         Reserved for the Solaris Kernel events.
               2048-32767     Reserved for the Solaris TCB programs.
               32768-65535    Available for third party TCB
                              applications.
               System administrators must not add, delete, or
               modify (except to change the class mapping),
               events with an event number less than 32768.
               These events are reserved by the system.
name           Event name.
description    Event description.
flags          Flags specifying classes to which the event is
               mapped. Classes are comma separated, without
               spaces.
               Obsolete events are commonly assigned to the
               special class no (invalid) to indicate they are
               no longer generated. Obsolete events are retained
               to process old audit trail files. Other events
               which are not obsolete may also be assigned to
               the no class.
EXAMPLES
Example 1 Using the auditevent File
The following is an example of some audit_event file
entries:
    7:AUE_EXEC:exec(2):ps,ex
    79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw
    6152:AUE_login:login - local:lo
    6153:AUE_logout:logout:lo
    6154:AUE_telnet:login - telnet:lo
    6155:AUE_rlogin:login - rlogin:lo
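The rule above for event numbers below 32768 can be checked by comparing a trusted copy of the file with the installed one. The following is an added example, not part of the original manual page or of Solaris: it parses the number:name:description:flags format and reports reserved events that were added, deleted, or had their name or description changed, while permitting class remapping. The function names, the skipping of blank and '#' lines, and the sample data (including the AUE_myapp_start entry) are assumptions made for illustration.

```python
from collections import namedtuple

Event = namedtuple("Event", "number name description flags")

def parse_events(text):
    """Parse number:name:description:flags lines into {number: Event}."""
    events = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # assumption: blank lines and '#' comment lines are skipped
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 colon-separated fields")
        number, flags = int(fields[0]), fields[3]
        if not 1 <= number <= 65535:  # 0 is reserved as the invalid event number
            raise ValueError(f"line {lineno}: invalid event number {number}")
        if not flags or " " in flags:  # classes are comma separated, no spaces
            raise ValueError(f"line {lineno}: malformed flags {flags!r}")
        events[number] = Event(number, fields[1], fields[2], tuple(flags.split(",")))
    return events

def reserved_changes(baseline, current):
    """List (number, change) for reserved events (< 32768); remapping is allowed."""
    found = []
    for n in sorted(k for k in baseline.keys() | current.keys() if k < 32768):
        old, new = baseline.get(n), current.get(n)
        if new is None:
            found.append((n, "deleted"))
        elif old is None:
            found.append((n, "added"))
        elif (old.name, old.description) != (new.name, new.description):
            found.append((n, "modified"))
    return found

# Constructed sample data: baseline entries taken from the EXAMPLES section.
BASELINE = """\
7:AUE_EXEC:exec(2):ps,ex
6153:AUE_logout:logout:lo
6154:AUE_telnet:login - telnet:lo
"""
# Constructed "current" file: 7 remapped to no (allowed), 6153 deleted,
# 6154 description edited, 32800 added in the third-party range (allowed).
CURRENT = """\
7:AUE_EXEC:exec(2):no
6154:AUE_telnet:remote login:lo
32800:AUE_myapp_start:myapp started:ap
"""

print(reserved_changes(parse_events(BASELINE), parse_events(CURRENT)))
```

Class remappings are not reported as violations, but a reserved event moved to the no class is still worth reviewing, since that class is the one used for events that are no longer generated.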
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
    ATTRIBUTE TYPE            ATTRIBUTE VALUE
    Interface Stability       See below.
The file format stability is Committed. The file content is
Uncommitted.
FILES
/etc/security/audit_event
SEE ALSO
bsmconv(1M), getauevent(3BSM), audit_class(4),
audit_control(4), audit_user(4)
Part VI, Solaris Auditing, in System Administration Guide:
Security Services
NOTES
This functionality is available only if Solaris Auditing
has been enabled. See bsmconv(1M) for more information.
SunOS 5.11 Last change: 26 Jun 2008