xref: /illumos-gate/usr/src/man/man5/audit_event.5 (revision ddb365bfc9e868ad24ccdcb0dc91af18b10df082) 
 te
 Copyright (c) 2008, Sun Microsystems, Inc.
 The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
 When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
 AUDIT_EVENT 5 "Mar 6, 2017"
 NAME
audit_event - audit event definition and class mapping

 SYNOPSIS


/etc/security/audit_event




 DESCRIPTION

/etc/security/audit_event is a user-configurable ASCII system file that
stores event definitions used in the audit system. As part of this definition,
each event is mapped to one or more of the audit classes defined in
audit_class(5).
Programs can use the getauevent(3BSM) routines to access audit
event information.


The fields for each event entry are separated by colons. Each event is
separated from the next by a NEWLINE.Each entry in the audit_event file has the
form:

number:name:description:flags





The fields are defined as follows:
number


Event number.
Event number ranges are assigned as follows:
0


Reserved as an invalid event number.



1-2047


Reserved for the Solaris Kernel events.



2048-32767


Reserved for the Solaris TCB programs.



32768-65535


Available for third party TCB applications.
System administrators must not add, delete, or modify (except to change
the class mapping), events with an event number less than 32768. These
events are reserved by the system.






name


Event name.



description


Event description.



flags


Flags specifying classes to which the event is mapped. Classes are comma
separated, without spaces.
Obsolete events are commonly assigned to the special class no (invalid)
to indicate they are no longer generated. Obsolete events are retained to
process old audit trail files. Other events which are not obsolete may also be
assigned to the no class.




 EXAMPLES

Example 1 Using the audit_event File


The following is an example of some audit_event file entries:


7:AUE_EXEC:exec(2):ps,ex
79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw
6152:AUE_login:login - local:lo
6153:AUE_logout:logout:lo
6154:AUE_telnet:login - telnet:lo
6155:AUE_rlogin:login - rlogin:lo




 ATTRIBUTES

See attributes(7) for descriptions of the following attributes:






ATTRIBUTE TYPE ATTRIBUTE VALUE
Interface Stability See below.




The file format stability is Committed. The file content is Uncommitted.

 FILES
/etc/security/audit_event







 SEE ALSO

 getauevent (3BSM),  audit_class (5)