Changing Class Definitions
The file /etc/security/audit_class stores class definitions. Site-specific definitions can be added and default definitions can be changed. Each entry in the file has the form:
mask:name:description
Each class is represented as a bit in the mask, which is an unsigned integer, giving 32 different available classes plus two meta-classes of all and no; all is a conjunction of all allowed classes; no is the invalid class. Events mapped to this class are not audited. Events mapped solely to the no class are not audited, even if the all class is turned on. Below is a sample audit_class file:
0x00000000:no:invalid class 0x00000001:fr:file read 0x00000002:fw:file write 0x00000004:fa:file attribute access 0x00000008:fm:file attribute modify 0x00000010:fc:file create 0x00000020:fd:file delete 0x00000040:cl:file close 0xffffffffff:all:all classes |
If the no class is turned on in the system kernel,
the audit trail is flooded with records for the audit event AUE_NULL.
- © 2010, Oracle Corporation and/or its affiliates