OpenSolaris 2009.06 - man page for audit_class (opensolaris section 4)

audit_class(4)				   File Formats 			   audit_class(4)

       audit_class - audit class definitions


       /etc/security/audit_class is a user-configurable ASCII system file that stores class
       definitions used in the audit system. Audit events in audit_event(4) are mapped to one or
       more of the defined audit classes. audit_event can be updated in conjunction with changes
       to audit_class. See audit_control(4) and audit_user(4) for information about changing the
       preselection of audit classes in the audit system. Programs can use the
       getauclassent(3BSM) routines to access audit class information.

       The fields for each class entry are separated by colons. Each class entry is a bitmap,
       and entries are separated from one another by a newline.

       Each entry in the audit_class file has the form:

	 mask:name:description

       The fields are defined as follows:

       mask	      class mask

       name	      class name

       description    class description

       Each class is represented as a bit in the class mask, which is an unsigned integer. Thus,
       there are 32 different classes available. Meta-classes can also be defined. These are
       supersets composed of multiple base classes, and thus have more than 1 bit set in their
       masks. See Examples. Two special meta-classes are also pre-defined: all and no.

       all    Represents a conjunction of all allowed classes, and is  provided  as  a	shorthand
	      method of specifying all classes.

       no     Is  the  invalid	class,	and  any  event  mapped  solely to this class will not be
	      audited. Turning auditing on to the all meta class will  not  cause  events  mapped
	      solely to the no class to be written to the audit trail. This class is also used to
	      map obsolete events which are no longer generated. Obsolete events are retained  to
	      process old audit trails files.

       Example 1 Using an audit_class File

       The following is an example of an audit_class file:

	 0x00000000:no:invalid class
	 0x00000001:fr:file read
	 0x00000002:fw:file write
	 0x00000004:fa:file attribute access
	 0x00000008:fm:file attribute modify
	 0x00000010:fc:file create
	 0x00000020:fd:file delete
	 0x00000040:cl:file close
	 0x00001000:lo:login or logout
	 0x000f0000:ad:old administrative (meta-class)
	 0x00070000:am:administrative (meta-class)
	 0x00010000:ss:change system state
	 0x00020000:as:system-wide administration
	 0x00040000:ua:user administration
	 0x00080000:aa:audit utilization
	 0x00300000:pc:process (meta-class)
	 0x00100000:ps:process start/stop
	 0x00200000:pm:process modify
	 0xffffffff:all:all classes (meta-class)
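
       An added example, not part of the original man page or of Solaris: a Python parser for
       the mask:name:description format that expands a meta-class into the single-bit base
       classes it covers, useful when reviewing what a preselected class actually audits. The
       sample entries are a subset of Example 1; treating '#' lines as comments is an
       assumption, and the function names are hypothetical.

```python
# Added example (not from the man page): parse audit_class(4) entries and
# expand meta-classes into the single-bit base classes they cover.
SAMPLE = """\
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00001000:lo:login or logout
0x000f0000:ad:old administrative (meta-class)
0x00070000:am:administrative (meta-class)
0x00010000:ss:change system state
0x00020000:as:system-wide administration
0x00040000:ua:user administration
0x00080000:aa:audit utilization
0xffffffff:all:all classes (meta-class)
"""  # subset of Example 1 above

def parse_audit_class(text):
    """Return {name: (mask, description)} from mask:name:description lines."""
    classes = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        parts = line.split(":", 2)  # the description may itself contain ':'
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected mask:name:description")
        mask = int(parts[0], 16)
        if not 0 <= mask <= 0xFFFFFFFF:  # the class mask is a 32-bit unsigned integer
            raise ValueError(f"line {lineno}: mask does not fit in 32 bits")
        classes[parts[1]] = (mask, parts[2])
    return classes

def expand(classes, name):
    """Return (base class names covered by `name`, mask bits no base class defines)."""
    mask = classes[name][0]
    # A base class has exactly one bit set; 'no' (mask 0) has none.
    base = {m: n for n, (m, _) in classes.items() if m and m & (m - 1) == 0}
    covered = [base[m] for m in sorted(base) if m & mask]
    undefined = mask & ~sum(base) & 0xFFFFFFFF
    return covered, undefined

if __name__ == "__main__":
    classes = parse_audit_class(SAMPLE)
    for name in ("no", "am", "ad", "all"):
        covered, undefined = expand(classes, name)
        print(f"{name:>3}: {','.join(covered) or '-'}  undefined bits: {undefined:#010x}")
```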


       See attributes(5) for descriptions of the following attributes:

       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       |Interface Stability	     | See below.		   |

       The file format stability is Committed. The file content is Uncommitted.

       bsmconv(1M),  au_preselect(3BSM),  getauclassent(3BSM),	audit_control(4), audit_event(4),
       audit_user(4), attributes(5)

       Part VII, Solaris Auditing, in System Administration Guide: Security Services

       It is possible to deliberately turn on the no class in the kernel, in which case the audit
       trail will be flooded with records for the audit event AUE_NULL.

       This functionality is available only if Solaris Auditing has been enabled. See
       bsmconv(1M) for more information.

SunOS 5.11				   26 Jun 2008				   audit_class(4)