AUDIT_EVENT(5) File Formats and Configurations AUDIT_EVENT(5)
NAME
audit_event - audit event definition and class mapping
SYNOPSIS
/etc/security/audit_eventDESCRIPTION
/etc/security/audit_event is a user-configurable ASCII system file that
stores event definitions used in the audit system. As part of this
definition, each event is mapped to one or more of the audit classes
defined in
audit_class(5). Programs can use the
getauevent(3BSM) routines to access audit event information.
The fields for each event entry are separated by colons. Each event is
separated from the next by a NEWLINE.Each entry in the audit_event file
has the form:
number:
name:
description:
flags The fields are defined as follows:
number Event number.
Event number ranges are assigned as follows:
0 Reserved as an invalid event number.
1-2047 Reserved for the Solaris Kernel events.
2048-32767 Reserved for the Solaris TCB programs.
32768-65535 Available for third party TCB applications.
System administrators must
not add, delete,
or modify (except to change the class
mapping), events with an event number less
than
32768. These events are reserved by
the system.
name Event name.
description Event description.
flags Flags specifying classes to which the event is mapped.
Classes are comma separated, without spaces.
Obsolete events are commonly assigned to the special class
no (invalid) to indicate they are no longer generated.
Obsolete events are retained to process old audit trail
files. Other events which are not obsolete may also be
assigned to the
no class.
EXAMPLES
Example 1: Using the audit_event File
The following is an example of some
audit_event file entries:
7:AUE_EXEC:
exec(2):ps,ex
79:AUE_OPEN_WTC:
open(2) - write,creat,trunc:fc,fd,fw
6152:AUE_login:login - local:lo
6153:AUE_logout:logout:lo
6154:AUE_telnet:login - telnet:lo
6155:AUE_rlogin:login - rlogin:lo
ATTRIBUTES
See
attributes(7) for descriptions of the following attributes:
+---------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+---------------------+-----------------+
|Interface Stability | See below. |
+---------------------+-----------------+
The file format stability is Committed. The file content is Uncommitted.
FILES
/etc/security/audit_eventSEE ALSO
getauevent(3BSM),
audit_class(5) March 6, 2017
AUDIT_EVENT(5)