xref: /titanic_41/usr/src/man/man4/audit_class.4 (revision ead9bb4b1be81d7bbf8ed86ee41d6c1e58b069a3)
te
Copyright (c) 2008, Sun Microsystems, Inc.
The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
audit_class 4 "26 Jun 2008" "SunOS 5.11" "File Formats"
NAME
audit_class - audit class definitions
SYNOPSIS

/etc/security/audit_class
DESCRIPTION

/etc/security/audit_class is a user-configurable ASCII system file that stores class definitions used in the audit system. Audit events in audit_event(4) are mapped to one or more of the defined audit classes. audit_event can be updated in conjunction with changes to audit_class. See audit_control(4) and audit_user(4) for information about changing the preselection of audit classes in the audit system. Programs can use the getauclassent(3BSM) routines to access audit class information.

The fields for each class entry are separated by colons. Each class entry is a bitmap and is separated from each other by a newline.

Each entry in the audit_class file has the form:

mask:name:description

The fields are defined as follows:

mask

class mask

name

class name

description

class description

Each class is represented as a bit in the class mask which is an unsigned integer. Thus, there are 32 different classes available. Meta-classes can also be defined. These are supersets composed of multiple base classes, and thus will have more than 1 bit in its mask. See Examples. Two special meta-classes are also pre-defined: all, and no.

all

Represents a conjunction of all allowed classes, and is provided as a shorthand method of specifying all classes.

no

Is the invalid class, and any event mapped solely to this class will not be audited. Turning auditing on to the all meta class will not cause events mapped solely to the no class to be written to the audit trail. This class is also used to map obsolete events which are no longer generated. Obsolete events are retained to process old audit trails files.

EXAMPLES

Example 1 Using an audit_class File

The following is an example of an audit_class file:

0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:file close
0x00000100:nt:network
0x00000200:ip:ipc
0x00000400:na:non-attribute
0x00001000:lo:login or logout
0x00004000:ap:application
0x000f0000:ad:old administrative (meta-class)
0x00070000:am:administrative (meta-class)
0x00010000:ss:change system state
0x00020000:as:system-wide administration
0x00040000:ua:user administration
0x00080000:aa:audit utilization
0x00300000:pc:process (meta-class)
0x00100000:ps:process start/stop
0x00200000:pm:process modify
0x20000000:io:ioctl
0x40000000:ex:exec
0x80000000:ot:other
0xffffffff:all:all classes (meta-class)
FILES

/etc/security/audit_class

ATTRIBUTES

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPEATTRIBUTE VALUE
Interface Stability See below.

The file format stability is Committed. The file content is Uncommitted.

SEE ALSO

bsmconv(1M), au_preselect(3BSM), getauclassent(3BSM), audit_control(4), audit_event(4), audit_user(4), attributes(5)

Part VII, Solaris Auditing, in System Administration Guide: Security Services

NOTES

It is possible to deliberately turn on the no class in the kernel, in which case the audit trail will be flooded with records for the audit event AUE_NULL.

This functionality is available only if Solaris Auditing has been enabled. See bsmconv(1M) for more information.