
audit_event(4)                   File Formats                   audit_event(4)



NAME
       audit_event - audit event definition and class mapping

SYNOPSIS
       /etc/security/audit_event

DESCRIPTION
       /etc/security/audit_event is a user-configurable ASCII system file that
       stores event definitions used in the audit system. As part of this def-
       inition,  each  event  is  mapped  to  one or more of the audit classes
       defined in audit_class(4). See audit_control(4) and  audit_user(4)  for
       information  about  changing  the  preselection of audit classes in the
       audit system. Programs can use the getauevent(3BSM) routines to  access
       audit event information.

       The  fields for each event entry are separated by colons. Each event is
       separated from the next by a <NEWLINE>. Each entry  in  the  audit_event
       file has the form:

       number:name:description:flags


       The fields are defined as follows:

       number          Event number.

                       Event number ranges are assigned as follows:


                       0               Reserved as an invalid event number.




                       1-2047          Reserved for the Solaris Kernel events.



                       2048-32767      Reserved for the Solaris TCB programs.



                       32768-65535     Available  for third party TCB applica-
                                       tions.

                                       System  administrators  must  not  add,
                                       delete, or modify (except to change the
                                       class mapping), events  with  an  event
                                       number  less  than  32768. These events
                                       are reserved by the system.



       name            Event name.



       description     Event description.



       flags           Flags specifying classes to which the event is  mapped.
                       Classes are comma separated, without spaces.

                       Obsolete  events  are  commonly assigned to the special
                       class no (invalid) to indicate they are no longer  gen-
                       erated.  Obsolete  events  are  retained to process old
                       audit trail files. Other events which are not  obsolete
                       may also be assigned to the no class.



EXAMPLES
       Example 1: Using the audit_event File

       The following is an example of some audit_event file entries:

       7:AUE_EXEC:exec(2):ps,ex
       79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw
       6152:AUE_login:login - local:lo
       6153:AUE_logout:logout:lo
       6154:AUE_telnet:login - telnet:lo
       6155:AUE_rlogin:login - rlogin:lo
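
       The following parser and lint check for the entry format and event
       number ranges described above is an added example, not part of the
       original manual page or of Solaris. The AUE_myapp_* entries, the
       treatment of '#' lines as comments, and the tolerance for a colon
       inside the description are assumptions made for illustration.

```python
# Event number ranges from the DESCRIPTION section of audit_event(4).
RANGES = [(0, 0, "invalid"), (1, 2047, "kernel"),
          (2048, 32767, "solaris-tcb"), (32768, 65535, "third-party")]

# Constructed sample: four entries from EXAMPLES plus two hypothetical
# third-party lines, the second with a space in its flags field.
SAMPLE = """\
7:AUE_EXEC:exec(2):ps,ex
79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw
6152:AUE_login:login - local:lo
6153:AUE_logout:logout:lo
32800:AUE_myapp_start:myapp - start:lo,ex
40000:AUE_myapp_bad:myapp - bad flags:lo, ex
"""


def owner(number):
    """Return the range label for an event number, or None if out of range."""
    return next((lab for lo, hi, lab in RANGES if lo <= number <= hi), None)


def parse_line(line):
    """Split one entry into (number, name, description, flags list)."""
    # Assumption: number and name are read from the left and flags from the
    # right, so a colon inside the description would not shift the fields.
    number, name, rest = line.split(":", 2)
    description, flags = rest.rsplit(":", 1)
    return int(number), name, description, flags.split(",")


def lint(text):
    """Return (events, problems) for the contents of an audit_event file."""
    events, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):  # assumption: '#' comments
            continue
        try:
            number, name, description, flags = parse_line(line)
        except ValueError:
            problems.append((lineno, "malformed entry"))
            continue
        if owner(number) in (None, "invalid"):
            problems.append((lineno, "event number not usable"))
        if number in events:
            problems.append((lineno, "duplicate event number"))
        if any(f == "" or f != f.strip() for f in flags):
            problems.append((lineno, "bad flags field"))
        events[number] = (name, description, flags, owner(number))
    return events, problems
```

       Running lint() over a copy of /etc/security/audit_event before and
       after a change shows whether any entry below 32768 differs in anything
       other than its class mapping.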

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:


       ATTRIBUTE TYPE               ATTRIBUTE VALUE
       Interface Stability          See below


       The file format stability is evolving. The file content is unstable.

FILES
       /etc/security/audit_event



SEE ALSO
       bsmconv(1M),    getauevent(3BSM),   audit_class(4),   audit_control(4),
       audit_user(4)

NOTES
       This functionality is available only if the Basic Security Module (BSM)
       has been enabled. See bsmconv(1M) for more information.



SunOS 5.10                        6 Jan 2003                    audit_event(4)