unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-5.9)
Page:
Section:
Apropos / Subsearch:
optional field



File Formats                                       audit_class(4)



NAME
     audit_class - audit class definitions

SYNOPSIS
     /etc/security/audit_class

DESCRIPTION
     /etc/security/audit_class is a user-configurable ASCII  sys-
     tem  file  that  stores  class definitions used in the audit
     system. Audit events in audit_event(4) are mapped to one  or
     more  of  the  defined  audit  classes.  audit_event  can be
     updated in conjunction  with  changes  to  audit_class.  See
     audit_control(4)  and  audit_user(4)  for  information about
     changing the preselection of audit classes in the audit sys-
     tem.  Programs  can  use the getauclassent(3BSM) routines to
     access audit class information.

     The fields for each class entry  are  separated  by  colons.
     Each  class  entry  is  a  bitmap and is separated from each
     other by a newline.

     Each entry in the audit_class file has the form:

     mask:name:description

     The fields are defined as follows:

     mask  class mask

     name  class name

     description
           class description

     Each class is represented as a bit in the class  mask  which
     is an unsigned integer. Thus, there are 32 different classes
     available. Meta-classes  can  also  be  defined.  These  are
     supersets  composed  of multiple base classes, and thus will
     have more than 1 bit in its mask. See EXAMPLES.  Two special
     meta-classes are also pre-defined: all, and no.

     all   Represents a conjunction of all allowed  classes,  and
           is  provided  as  a shorthand method of specifying all
           classes.

     no    Is the invalid class, and any event mapped  solely  to
           this class will not be audited. Turning auditing on to
           the all meta class will not cause events mapped solely
           to the no class to be written to the audit trail. This
           class is also used to map obsolete events which are no
           longer generated. Obsolete events are retained to pro-
           cess old audit trails files.



SunOS 5.9            Last change: 6 Jan 2003                    1






File Formats                                       audit_class(4)



EXAMPLES
     Example 1: Using an audit_class File

     The following is an example of an audit_class file:

     0x00000000:no:invalid class
     0x00000001:fr:file read
     0x00000002:fw:file write
     0x00000004:fa:file attribute access
     0x00000008:fm:file attribute modify
     0x00000010:fc:file create
     0x00000020:fd:file delete
     0x00000040:cl:file close
     0x00000100:nt:network
     0x00000200:ip:ipc
     0x00000400:na:non-attribute
     0x00001000:lo:login or logout
     0x00004000:ap:application
     0x000f0000:ad:old administrative (meta-class)
     0x00070000:am:administrative (meta-class)
     0x00010000:ss:change system state
     0x00020000:as:system-wide administration
     0x00040000:ua:user administration
     0x00080000:aa:audit utilization
     0x00300000:pc:process (meta-class)
     0x00100000:ps:process start/stop
     0x00200000:pm:process modify
     0x20000000:io:ioctl
     0x40000000:ex:exec
     0x80000000:ot:other
     0xffffffff:all:all classes (meta-class)

FILES
     /etc/security/audit_class


ATTRIBUTES
     See attributes(5) for descriptions of the  following  attri-
     butes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Interface Stability         |  See below                  |
    |_____________________________|_____________________________|


     The file format stability is evolving. The file  content  is
     unstable.

SEE ALSO




SunOS 5.9            Last change: 6 Jan 2003                    2






File Formats                                       audit_class(4)



     bsmconv(1M),    au_preselect(3BSM),     getauclassent(3BSM),
     audit_control(4),   audit_event(4),   audit_user(4),  attri-
     butes(5)

NOTES
     It is possible to deliberately turn on the no class  in  the
     kernel,  in  which case the audit trail will be flooded with
     records for the audit event AUE_NULL.

     This functionality is available only if the  Basic  Security
     Module  (BSM)  has  been  enabled.  See bsmconv(1M) for more
     information.











































SunOS 5.9            Last change: 6 Jan 2003                    3