System Administration Guide: Security Services
Previous Next

Audit Classes

System-wide defaults for Solaris auditing are preselected by specifying one or more classes of events. The classes are preselected for each system in the system's audit_control file. Anyone who uses the system is audited for these classes of events. The file is described in audit_control File.

You can configure audit classes and make new audit classes. Audit class names can be up to 8 characters in length. The class description is limited to 72 characters. Numeric and non-alphanumeric characters are allowed.

You can modify what is audited for individual users by adding audit classes to a user's entry in the audit_user database. The audit classes are also used as arguments to the auditconfig command. For details, see the auditconfig(1M) man page.

Definitions of Audit Classes

The following table shows each predefined audit class, the descriptive name for each audit class, and a short description.

Table 31-1 Predefined Audit Classes

Audit Class

Descriptive Name

Description

all

all

All classes (meta-class)

no

no_class

Null value for turning off event preselection

na

non_attrib

Nonattributable events

fr

file_read

Read of data, open for reading

fw

file_write

Write of data, open for writing

fa

file_attr_acc

Access of object attributes: stat, pathconf

fm

file_attr_mod

Change of object attributes: chown, flock

fc

file_creation

Creation of object

fd

file_deletion

Deletion of object

cl

file_close

close system call

ap

application

Application-defined event

ad

administrative

Administrative actions (old administrative meta-class)

am

administrative

Administrative actions (meta-class)

ss

system state

Change system state

as

system-wide administration

System-wide administration

ua

user administration

User administration

aa

audit administration

Audit utilization

ps

process start

Process start and process stop

pm

process modify

Process modify

pc

process

Process (meta-class)

ex

exec

Program execution

io

ioctl

ioctl() system call

ip

ipc

System V IPC operations

lo

login_logout

Login and logout events

nt

network

Network events: bind, connect, accept

ot

other

Miscellaneous, such as device allocation and memcntl()

You can define new classes by modifying the /etc/security/audit_class file. You can also rename existing classes. For more information, see the audit_class(4) man page.

Audit Class Syntax

Events can be audited for success, events can be audited for failure, and events can be audited for both. Without a prefix, a class of events is audited for success and for failure. With a plus (+) prefix, a class of events is audited for success only. With a minus (-) prefix, a class of events is audited for failure only. The following table shows some possible representations of audit classes.

Table 31-2 Plus and Minus Prefixes to Audit Classes

[prefix]class

Explanation

lo

Audit all successful attempts to log in and log out, and all failed attempts to log in. A user cannot fail an attempt to log out.

+lo

Audit all successful attempts to log in and log out.

-all

Audit all failed events.

+all

Audit all successful events.


Caution - The all class can generate large amounts of data and quickly fill audit file systems. Use the all class only if you have extraordinary reasons to audit all activities.


Audit classes that were previously selected can be further modified by a caret prefix, ^. The following table shows how the caret prefix modifies a preselected audit class.

Table 31-3 Caret Prefix That Modifies Already-Specified Audit Classes

^[prefix]class

Explanation

-all,^-fc

Audit all failed events, except do not audit failed attempts to create file objects

am,^+aa

Audit all administrative events for success and for failure, except do not audit successful attempts to administer auditing

am,^ua

Audit all administrative events for success and for failure, except do not audit user administration events

The audit classes and their prefixes can be used in the following files and commands:

  • In the flags line in the audit_control file

  • In the plugin ...p_flags= line in the audit_control file

  • In the user's entry in the audit_user database

  • As arguments to auditconfig command options

See audit_control File for an example of using the prefixes in the audit_control file.

Previous Next