This section shows you how to set up the audit_class, audit_event, and audit_control files. The best way to edit these files is as follows:
Assume the Security administrator role.
Launch the Application Manager.
Double click the System_Admin icon.
Double click the Audit Classes, Audit Events, or Audit Control action.
Edit each file as described in the following sections.
Create the third-party audit class ec and two audit events, AUE_second_signature and AUE_second_signature_verify. See the audit_class(4) and audit_event(4) man pages for more information on these files.
Third-party audit classes are added to the /etc/security/audit_class file in the form mask:name:description as follows:
0x00008000:ec:example class
Third-party audit events are added to the /etc/security/audit_event file and assigned one of the numbers reserved for third-party events from 32768 to 65535. This file also contains the audit event to audit class mapping. The following lines add two events and map them to the example (ec) class:
32768:AUE_second_signature:second signature requested:ec
32769:AUE_second_signature_verify:second signature added:ec
The process preselection mask specifies the audit classes to be audited by the process. To set up the preselection mask to audit for third-party events, edit the /etc/security/audit_control flag parameter as follows to audit events in the example (ec) class for success and failure.
flags:ec
Settings in audit_control(4) are global to all users in the system. To make a setting specific to a user, edit the /etc/security/audit_user file (the Audit Users action) as follows:
zelda:ec
See the audit_control(4) and audit_user(4) man pages for more information on these files and settings. Log out and log back in for the newly defined process preselection mask to take effect. You could also use auditconfig(1M) with the -setpmask option to set the process preselection mask on any existing processes, but it is probably easier to set one of these files and log out and log back in once.