'\" te .\" Copyright (c) 2008, Sun Microsystems, Inc. .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License. .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] .TH AUDIT_EVENT 4 "Jun 26, 2008" .SH NAME audit_event \- audit event definition and class mapping .SH SYNOPSIS .LP .nf \fB/etc/security/audit_event\fR .fi .SH DESCRIPTION .sp .LP \fB/etc/security/audit_event\fR is a user-configurable ASCII system file that stores event definitions used in the audit system. As part of this definition, each event is mapped to one or more of the audit classes defined in \fBaudit_class\fR(4). See \fBaudit_control\fR(4) and \fBaudit_user\fR(4) for information about changing the preselection of audit classes in the audit system. Programs can use the \fBgetauevent\fR(3BSM) routines to access audit event information. .sp .LP The fields for each event entry are separated by colons. Each event is separated from the next by a NEWLINE.Each entry in the audit_event file has the form: .sp .in +2 .nf \fInumber\fR:\fIname\fR:\fIdescription\fR:\fIflags\fR .fi .in -2 .sp .LP The fields are defined as follows: .sp .ne 2 .na \fB\fInumber\fR\fR .ad .RS 15n Event number. .sp Event number ranges are assigned as follows: .sp .ne 2 .na \fB\fB0\fR\fR .ad .RS 15n Reserved as an invalid event number. .RE .sp .ne 2 .na \fB\fB1-2047\fR\fR .ad .RS 15n Reserved for the Solaris Kernel events. .RE .sp .ne 2 .na \fB\fB2048-32767\fR\fR .ad .RS 15n Reserved for the Solaris TCB programs. .RE .sp .ne 2 .na \fB\fB32768-65535\fR\fR .ad .RS 15n Available for third party TCB applications. .sp System administrators must \fBnot\fR add, delete, or modify (except to change the class mapping), events with an event number less than \fB32768\fR. These events are reserved by the system. .RE .RE .sp .ne 2 .na \fB\fIname\fR\fR .ad .RS 15n Event name. .RE .sp .ne 2 .na \fB\fIdescription\fR\fR .ad .RS 15n Event description. .RE .sp .ne 2 .na \fB\fIflags\fR\fR .ad .RS 15n Flags specifying classes to which the event is mapped. Classes are comma separated, without spaces. .sp Obsolete events are commonly assigned to the special class \fBno\fR (invalid) to indicate they are no longer generated. Obsolete events are retained to process old audit trail files. Other events which are not obsolete may also be assigned to the \fBno\fR class. .RE .SH EXAMPLES .LP \fBExample 1 \fRUsing the \fBaudit_event\fR File .sp .LP The following is an example of some \fBaudit_event\fR file entries: .sp .in +2 .nf 7:AUE_EXEC:exec(2):ps,ex 79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw 6152:AUE_login:login - local:lo 6153:AUE_logout:logout:lo 6154:AUE_telnet:login - telnet:lo 6155:AUE_rlogin:login - rlogin:lo .fi .in -2 .sp .SH ATTRIBUTES .sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp .sp .TS box; c | c l | l . ATTRIBUTE TYPE ATTRIBUTE VALUE _ Interface Stability See below. .TE .sp .LP The file format stability is Committed. The file content is Uncommitted. .SH FILES .sp .ne 2 .na \fB\fB/etc/security/audit_event\fR\fR .ad .RS 29n .RE .SH SEE ALSO .sp .LP \fBbsmconv\fR(1M), \fBgetauevent\fR(3BSM), \fBaudit_class\fR(4), \fBaudit_control\fR(4), \fBaudit_user\fR(4) .sp .LP Part\ VII, \fISolaris Auditing,\fR in \fISystem Administration Guide: Security Services\fR .SH NOTES .sp .LP This functionality is available only if Solaris Auditing has been enabled. See \fBbsmconv\fR(1M) for more information.