SunSHIELD Basic Security Module Guide

Definitions of Audit Flags

Each predefined audit class is shown in Table 2-2 with the audit flag (which is the short name that stands for the class), the long name, a short description, and a longer definition. The system administrator uses the audit flags in the auditing configuration files to specify which classes of events to audit. Additional classes can be defined and existing classes can be renamed by modifying the audit_class file (see the audit_class(4) man page).

Table 2-2 Audit Classes


Short Name	Long Name	Short Description
`no`	`no_class`	Null value for turning off event preselection
`fr`	`file_read`	Read of data, open for reading, and so forth
`fw`	`file_write`	Write of data, open for writing, and so forth
`fa`	`file_attr_acc`	Access of object attributes: `stat`, `pathconf`, and so forth
`fm`	`file_attr_mod`	Change of object attributes: `chown`, `flock`, and so forth
`fc`	`file_creation`	Creation of object
`fd`	`file_deletion`	Deletion of object
`cl`	`file_close`	`close` system call
`pc`	`process`	Process operations: `fork`, `exec`, `exit`, and so forth
`nt`	`network`	Network events: `bind`, `connect`, `accept`, and so forth
`ip`	`ipc`	System V IPC operations
`na`	`non_attrib`	Nonattributable events
`ad`	`administrative`	Administrative actions
`lo`	`login_logout`	Login and logout events
`ap`	`application`	Application-defined event
`io`	`ioctl`	`ioctl` system call
`ex`	`exec`	Program execution
`ot`	`other`	Miscellaneous
`all`	`all`	All flags set