Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-5.10)
Apropos / Subsearch:
optional field

audit_class(4)                   File Formats                   audit_class(4)

       audit_class - audit class definitions


       /etc/security/audit_class is a user-configurable ASCII system file that
       stores class definitions used in the  audit  system.  Audit  events  in
       audit_event(4)  are mapped to one or more of the defined audit classes.
       audit_event can be updated in conjunction with changes to  audit_class.
       See  audit_control(4)  and audit_user(4) for information about changing
       the preselection of audit classes in the audit system. Programs can use
       the getauclassent(3BSM) routines to access audit class information.

       The  fields  for  each  class entry are separated by colons. Each class
       entry is a bitmap and is separated from each other by a newline.

       Each entry in the audit_class file has the form:


       The fields are defined as follows:

       mask            class mask

       name            class name

       description     class description

       Each class is represented as a bit  in  the  class  mask  which  is  an
       unsigned integer. Thus, there are 32 different classes available. Meta-
       classes can also be defined. These are supersets composed  of  multiple
       base classes, and thus will have more than 1 bit in its mask. See EXAM-
       PLES.  Two special meta-classes are also pre-defined: all, and no.

       all      Represents a conjunction of all allowed classes, and  is  pro-
                vided as a shorthand method of specifying all classes.

       no       Is  the  invalid  class,  and  any event mapped solely to this
                class will not be audited. Turning auditing on to the all meta
                class  will  not cause events mapped solely to the no class to
                be written to the audit trail. This class is also used to  map
                obsolete events which are no longer generated. Obsolete events
                are retained to process old audit trails files.

       Example 1: Using an audit_class File

       The following is an example of an audit_class file:

       0x00000000:no:invalid class
       0x00000001:fr:file read
       0x00000002:fw:file write
       0x00000004:fa:file attribute access
       0x00000008:fm:file attribute modify
       0x00000010:fc:file create
       0x00000020:fd:file delete
       0x00000040:cl:file close
       0x00001000:lo:login or logout
       0x000f0000:ad:old administrative (meta-class)
       0x00070000:am:administrative (meta-class)
       0x00010000:ss:change system state
       0x00020000:as:system-wide administration
       0x00040000:ua:user administration
       0x00080000:aa:audit utilization
       0x00300000:pc:process (meta-class)
       0x00100000:ps:process start/stop
       0x00200000:pm:process modify
       0xffffffff:all:all classes (meta-class)


       See attributes(5) for descriptions of the following attributes:

       tab()    allbox;    cw(2.750000i)|     cw(2.750000i)     lw(2.750000i)|
       lw(2.750000i).   ATTRIBUTE TYPEATTRIBUTE VALUE Interface Stability  See

       The file format stability is evolving. The file content is unstable.

       bsmconv(1M), au_preselect(3BSM), getauclassent(3BSM), audit_control(4),
       audit_event(4), audit_user(4), attributes(5)

       It  is  possible to deliberately turn on the no class in the kernel, in
       which case the audit trail will be flooded with records for  the  audit
       event AUE_NULL.

       This functionality is available only if the Basic Security Module (BSM)
       has been enabled. See bsmconv(1M) for more information.

SunOS 5.10                        6 Jan 2003                    audit_class(4)