xref: /titanic_51/usr/src/lib/libbsm/audit_class.txt (revision 00d0963faf2e861a4aef6b1bf28f99a5b2b20755)
1#
2# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
3# Use is subject to license terms.
4#
5# CDDL HEADER START
6#
7# The contents of this file are subject to the terms of the
8# Common Development and Distribution License (the "License").
9# You may not use this file except in compliance with the License.
10#
11# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
12# or http://www.opensolaris.org/os/licensing.
13# See the License for the specific language governing permissions
14# and limitations under the License.
15#
16# When distributing Covered Code, include this CDDL HEADER in each
17# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
18# If applicable, add the following below this CDDL HEADER, with the
19# fields enclosed by brackets "[]" replaced with your own identifying
20# information: Portions Copyright [yyyy] [name of copyright owner]
21#
22# CDDL HEADER END
23#
24# ident	"%Z%%M%	%I%	%E% SMI"
25#
26# User Level Class Masks
27#
28# Developers: If you change this file you must also edit audit.h.
29#
30# "Meta-classes" can be created; these are supersets composed of multiple base
31# classes, and thus will have more than 1 bit in its mask. See "ad", "all",
32# "am", and "pc" below for examples.
33#
34# The "no" (invalid) class below is commonly (but not exclusively) used in
35# audit_event for obsolete events.
36#
37#
38# File Format:
39#
40#	mask:name:description
41#
420x00000000:no:invalid class
430x00000001:fr:file read
440x00000002:fw:file write
450x00000004:fa:file attribute access
460x00000008:fm:file attribute modify
470x00000010:fc:file create
480x00000020:fd:file delete
490x00000040:cl:file close
500x00000100:nt:network
510x00000200:ip:ipc
520x00000400:na:non-attribute
530x00001000:lo:login or logout
540x00004000:ap:application
550x00010000:ss:change system state
560x00020000:as:system-wide administration
570x00040000:ua:user administration
580x00070000:am:administrative (meta-class)
590x00080000:aa:audit utilization
600x000f0000:ad:old administrative (meta-class)
610x00100000:ps:process start/stop
620x00200000:pm:process modify
630x00300000:pc:process (meta-class)
64#
65# The following four masks define X server related audit classes which
66# are applicable to Trusted Extensions.  X server audit events are mapped
67# to these classes per the following criteria:
68#
69# xp :	Protocols audited for use of privilege (successful or otherwise).
70#	E.g., ChangeWindowAttributes is audited when issued by a client to
71#	change attributes of another client's window.  This class also includes
72#	any administrative protocols (e.g. SetAccessControl).
73# xc :	Server objects creation/destruction; e.g., CreateWindow.
74# xs :	Protocols that do not return X error messages to clients on failure for
75#	lack for security attributes.  E.g., GetImage does not return BadWindow
76#	error if it cannot read from a window for lack of privilege. It just
77#	does not read from that window.
78#	These events should be selected for audit on success only. Selecting
79#	them for failure will cause a lot of noise in the audit trail.
80# xx : All above X classes.
81#
820x00400000:xp:X - privileged/administrative operations
830x00800000:xc:X - object create/destroy
840x01000000:xs:X - operations that always silently fail, if bad
850x01c00000:xx:X - all X events (meta-class)
86#
870x20000000:io:ioctl
880x40000000:ex:exec
890x80000000:ot:other
900xffffffff:all:all classes (meta-class)
91