opensolaris man page for audit_event

Opensolaris Man Pages All Man Pages Latest Topics Forum Categories

Query: audit_event

OS: opensolaris

Section: 4

Format: Original Unix Latex Style Formatted with HTML and a Horizontal Scroll Bar

audit_event(4)							   File Formats 						    audit_event(4)


NAME

       audit_event - audit event definition and class mapping


SYNOPSIS

       /etc/security/audit_event


DESCRIPTION

       /etc/security/audit_event  is a user-configurable ASCII system file that stores event definitions used in the audit system. As part of this
       definition, each event is mapped to one or more of the audit classes defined in audit_class(4). See audit_control(4) and audit_user(4)  for
       information  about changing the preselection of audit classes in the audit system. Programs can use the getauevent(3BSM) routines to access
       audit event information.

       The fields for each event entry are separated by colons. Each event is separated from the next by a NEWLINE.Each entry in  the  audit_event
       file has the form:

	 number:name:description:flags

       The fields are defined as follows:

       number	      Event number.

		      Event number ranges are assigned as follows:

		      0 	     Reserved as an invalid event number.

		      1-2047	     Reserved for the Solaris Kernel events.

		      2048-32767     Reserved for the Solaris TCB programs.

		      32768-65535    Available for third party TCB applications.

				     System  administrators  must  not add, delete, or modify (except to change the class mapping), events with an
				     event number less than 32768. These events are reserved by the system.

       name	      Event name.

       description    Event description.

       flags	      Flags specifying classes to which the event is mapped. Classes are comma separated, without spaces.

		      Obsolete events are commonly assigned to the special class no (invalid) to indicate they are no longer  generated.  Obsolete
		      events  are  retained  to  process old audit trail files. Other events which are not obsolete may also be assigned to the no
		      class.


EXAMPLES

       Example 1 Using the audit_event File

       The following is an example of some audit_event file entries:

	 7:AUE_EXEC:exec(2):ps,ex
	 79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw
	 6152:AUE_login:login - local:lo
	 6153:AUE_logout:logout:lo
	 6154:AUE_telnet:login - telnet:lo
	 6155:AUE_rlogin:login - rlogin:lo


ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     | See below.		   |
       +-----------------------------+-----------------------------+

       The file format stability is Committed. The file content is Uncommitted.


FILES

       /etc/security/audit_event


SEE ALSO

       bsmconv(1M), getauevent(3BSM), audit_class(4), audit_control(4), audit_user(4)

       Part VII, Solaris Auditing, in System Administration Guide: Security Services


NOTES

       This functionality is available only if	Solaris Auditing has been enabled. See bsmconv(1M) for more information.

SunOS 5.11							    26 Jun 2008 						    audit_event(4)
Related Man Pages
audit_event(4) - sunos
audit_event(4) - x11r4
audit_event(4) - centos
audit_event(4) - opendarwin
audit_event(4) - xfree86
Similar Topics in the Unix Linux Community
Auditing User administrator
Security Event Management (SEM) with CEP (Part 4) - The 5 Principles of SEM
Security Event Management (SEM) with CEP (Part 2) - Trends in Cyberspace
Security Event Managment (SEM) with CEP (Part 1)
What is Complex Event Processing? (Part 7)