Trusted Solaris Developer's Guide

Audit File Setup

This section shows you how to set up the audit_class, audit_event, and audit_control files. The best way to edit these files is as follows:

  1. Assume the Security administrator role.

  2. Launch the Application Manager.

  3. Double-click the System_Admin icon.

  4. Double-click the Audit Classes, Audit Events, or Audit Control action.

  5. Edit each file as described in the following sections.

Audit Classes and Audit Events

Create the third-party audit class ec and two audit events, AUE_second_signature and AUE_second_signature_verify. See the audit_class(4) and audit_event(4) man pages for more information on these files.

Audit Control (Process Preselection Mask)

The process preselection mask specifies the audit classes to be audited by the process. To set up the preselection mask to audit third-party events, edit the flags parameter in /etc/security/audit_control as follows. This setting audits events in the example (ec) class for both success and failure.

flags:ec

Settings in audit_control(4) are global to all users in the system. To make a setting specific to a user, edit the /etc/security/audit_user file (the Audit Users action) as follows:

zelda:ec

See the audit_control(4) and audit_user(4) man pages for more information on these files and settings. Log out and log back in for the newly defined process preselection mask to take effect. You could also use auditconfig(1M) with the -setpmask option to set the process preselection mask on any existing processes, but it is probably easier to set one of these files and log out and log back in once.
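
The following added example (not part of the original guide) checks whether the two events would be audited for a user by computing the preselection mask the way audit_user(4) describes it: the audit_control flags plus the user's always-audit flags, minus the user's never-audit flags. The class mask 0x00010000, the event numbers 32768 and 32769, and the description strings are constructed sample values; the function names are hypothetical.

```python
# Added example. Sample entries are constructed; the guide gives no mask or numbers.
THIRD_PARTY = range(32768, 65536)  # audit_event(4) range for third-party events
AUDIT_CLASS = ["0x00010000:ec:example class"]  # mask:name:description
AUDIT_EVENT = ["32768:AUE_second_signature:second signature:ec",
               "32769:AUE_second_signature_verify:verify second signature:ec"]

def parse_classes(lines):
    """Return {class name: bit mask} from audit_class lines."""
    return {name: int(mask, 16) for mask, name, _ in (l.split(":", 2) for l in lines)}

def parse_events(lines, classes):
    """Return {event name: class mask}; reject numbers outside the third-party range."""
    events = {}
    for line in lines:
        number, name, _, flags = line.split(":", 3)
        if int(number) not in THIRD_PARTY:
            raise ValueError(f"{name}: event number {number} is not third-party")
        events[name] = 0
        for cls in flags.split(","):
            events[name] |= classes[cls]
    return events

def parse_flags(flags, classes, masks=(0, 0)):
    """Apply a flag list to (success, failure) masks: + success, - failure, ^ clears."""
    success, failure = masks
    for flag in filter(None, (f.strip() for f in flags.split(","))):
        clear, flag = flag.startswith("^"), flag.lstrip("^")
        bit = classes[flag.lstrip("+-")]
        if not flag.startswith("-"):  # no prefix or "+": success outcome
            success = success & ~bit if clear else success | bit
        if not flag.startswith("+"):  # no prefix or "-": failure outcome
            failure = failure & ~bit if clear else failure | bit
    return success, failure

def preselection(control_line, user_entry, classes):
    """(audit_control flags + user always-audit) - user never-audit, per outcome."""
    system = parse_flags(control_line.split(":", 1)[1], classes)
    _, always, never = (user_entry.split(":") + ["", ""])[:3]
    success, failure = parse_flags(always, classes, system)
    no_success, no_failure = parse_flags(never, classes)
    return success & ~no_success, failure & ~no_failure

def is_audited(event, succeeded, masks, events):
    """True if the event's class is preselected for this outcome."""
    return bool(events[event] & masks[0 if succeeded else 1])

CLASSES = parse_classes(AUDIT_CLASS)
EVENTS = parse_events(AUDIT_EVENT, CLASSES)
if __name__ == "__main__":
    masks = preselection("flags:ec", "zelda:ec", CLASSES)
    print(is_audited("AUE_second_signature", True, masks, EVENTS))
```

A never-audit entry or a + or - prefix narrows what is recorded, so running the check against the real files before logging back in shows whether a failed signature verification would still produce an audit record.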