Trusted Solaris Administration Overview

Audit Classes

You need to decide which events you want to audit. You can capture user actions or non-attributable events (that is, events such as interrupts, which cannot be attributed to specific users). For user actions, you can separate successful and failed transactions. Audit events are organized into classes in the Trusted Solaris environment. The auditing classes for files fall into these general areas:

You can also create your own classes and events as needed and can rearrange the mapping of classes to events. Other classes keep track of such items as process operations, network events, window operations, IPC operations, administrative actions, logins, logouts, application-defined events, ioctl system calls, program executions, X server operations, and miscellaneous events. Because auditing information can take up a lot of disk space, you need to decide carefully which events to audit and select only the classes that contain events necessary for your site's security policy.
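
An added example, not part of the original page: a small Python checker that reports which classes a configuration audits for success, failure, or both, separately for user actions and non-attributable events. It assumes the Solaris `audit_control` flag syntax (`flags:` and `naflags:` lines; `+` for success only, `-` for failure only, `^` to turn a selection off), which this page does not show; the class abbreviations and the sample file are constructed.

```python
# Added example: resolves Solaris-style audit flag strings. The audit_control
# syntax used here is an assumption; it does not appear on the page.
OFF = {"success": False, "failure": False}

def parse_flags(spec):
    """Map each class in a comma-separated flag list to its audited outcomes.
    Flags apply left to right, so a later '^' entry can narrow an earlier one."""
    selected = {}
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            continue
        turn_off = token.startswith("^")       # '^' turns the selection off
        token = token.lstrip("^")
        if token[:1] == "+":                   # successful events only
            outcomes, name = ("success",), token[1:]
        elif token[:1] == "-":                 # failed events only
            outcomes, name = ("failure",), token[1:]
        else:                                  # no prefix: both outcomes
            outcomes, name = ("success", "failure"), token
        if not name.isalnum():
            raise ValueError(f"malformed audit flag: {raw!r}")
        if name not in selected:               # new classes inherit an earlier 'all'
            selected[name] = dict(selected.get("all", OFF))
        for target in (list(selected) if name == "all" else [name]):
            for outcome in outcomes:
                selected[target][outcome] = not turn_off
    return selected

def parse_audit_control(text):
    """Return the user ('flags') and non-attributable ('naflags') selections."""
    result = {"flags": {}, "naflags": {}}
    for line in text.splitlines():
        key, _, value = line.split("#", 1)[0].strip().partition(":")
        if key in result:
            result[key] = parse_flags(value)
    return result

# Constructed sample, not taken from a real system.
SAMPLE = """\
dir:/var/audit
flags:lo,ad,-fr,+fm
minfree:20
naflags:lo,na
"""
```

Running `parse_audit_control(SAMPLE)` shows at a glance that file reads are recorded only when they fail and file attribute modifications only when they succeed, which is the kind of narrowing that keeps audit trail size in line with the site's security policy.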