xref: /titanic_54/usr/src/lib/libbsm/audit_class.txt (revision 45916cd2fec6e79bca5dee0421bd39e3c2910d1e)
#
# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# ident	"%Z%%M%	%I%	%E% SMI"
#
# User Level Class Masks
#
# Developers: If you change this file you must also edit audit.h.
#
# "Meta-classes" can be created; these are supersets composed of multiple base
# classes, and thus will have more than 1 bit in their masks. See "ad", "all",
# "am", and "pc" below for examples.
#
# The "no" (invalid) class below is commonly (but not exclusively) used in
# audit_event for obsolete events.
#
#
# File Format:
#
#	mask:name:description
#
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:file close
0x00000100:nt:network
0x00000200:ip:ipc
0x00000400:na:non-attribute
0x00001000:lo:login or logout
0x00004000:ap:application
0x00010000:ss:change system state
0x00020000:as:system-wide administration
0x00040000:ua:user administration
0x00070000:am:administrative (meta-class)
0x00080000:aa:audit utilization
0x000f0000:ad:old administrative (meta-class)
0x00100000:ps:process start/stop
0x00200000:pm:process modify
0x00300000:pc:process (meta-class)
#
# The following four masks define X server related audit classes which
# are applicable to Trusted Extensions.  X server audit events are mapped
# to these classes per the following criteria:
#
# xp :	Protocols audited for use of privilege (successful or otherwise).
#	E.g., ChangeWindowAttributes is audited when issued by a client to
#	change attributes of another client's window.  This class also includes
#	any administrative protocols (e.g. SetAccessControl).
# xc :	Server objects creation/destruction; e.g., CreateWindow.
# xs :	Protocols that do not return X error messages to clients on failure for
#	lack of security attributes.  E.g., GetImage does not return BadWindow
#	error if it cannot read from a window for lack of privilege. It just
#	does not read from that window.
#	These events should be selected for audit on success only. Selecting
#	them for failure will cause a lot of noise in the audit trail.
# xx :	All above X classes.
#
0x00400000:xp:X - privileged/administrative operations
0x00800000:xc:X - object create/destroy
0x01000000:xs:X - operations that always silently fail, if bad
0x01c00000:xx:X - all X events (meta-class)
#
0x20000000:io:ioctl
0x40000000:ex:exec
0x80000000:ot:other
0xffffffff:all:all classes (meta-class)
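#
# Added example (not part of the original file or of libbsm): a parser for the
# mask:name:description format that expands a meta-class or any preselection
# mask into its base classes and reports bits no base class owns. The function
# names parse, base_classes and decode are hypothetical.

```python
# Added example: parse audit_class entries and expand meta-classes.
# SAMPLE is an excerpt of the entries in the file above, embedded to run offline.
SAMPLE = """\
# mask:name:description
0x00000000:no:invalid class
0x00000001:fr:file read
0x00001000:lo:login or logout
0x00010000:ss:change system state
0x00020000:as:system-wide administration
0x00040000:ua:user administration
0x00070000:am:administrative (meta-class)
0x00080000:aa:audit utilization
0x000f0000:ad:old administrative (meta-class)
0x00400000:xp:X - privileged/administrative operations
0x00800000:xc:X - object create/destroy
0x01000000:xs:X - operations that always silently fail, if bad
0x01c00000:xx:X - all X events (meta-class)
"""

def parse(text):
    """Return {name: mask} for every mask:name:description line."""
    classes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mask, name, _desc = line.split(":", 2)  # description may contain ':'
        classes[name] = int(mask, 16)
    return classes

def base_classes(classes):
    """Base classes have exactly one bit set; 'no' (0) and meta-classes do not."""
    return {n: m for n, m in classes.items() if m and m & (m - 1) == 0}

def decode(mask, classes):
    """Split a mask into base class names (ascending bit order) and unassigned bits."""
    base = sorted(base_classes(classes).items(), key=lambda kv: kv[1])
    names = [n for n, m in base if mask & m]
    known = 0
    for _, m in base:
        known |= m
    return names, mask & ~known

CLASSES = parse(SAMPLE)
```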