System Administration Guide: Security Services Oracle Solaris 10 8/11 Information Library
System-wide defaults for Oracle Solaris auditing are preselected by specifying one or more classes of events. The classes are preselected for each system in the system's audit_control file. Anyone who uses the system is audited for these classes of events. The file is described in audit_control File.
You can configure audit classes and make new audit classes. Audit class names can be up to 8 characters in length. The class description is limited to 72 characters. Numeric and non-alphanumeric characters are allowed.
You can modify what is audited for individual users by adding audit classes to a user's entry in the audit_user database. The audit classes are also used as arguments to the auditconfig command. For details, see the auditconfig(1M) man page.
Table 31-1 Predefined Audit Classes
You can define new classes by modifying the /etc/security/audit_class file. You can also rename existing classes. For more information, see the audit_class(4) man page.
Events can be audited for success, for failure, or for both. Without a prefix, a class of events is audited for success and for failure. With a plus (+) prefix, a class of events is audited for success only. With a minus (-) prefix, a class of events is audited for failure only. The following table shows some possible representations of audit classes.
Table 31-2 Plus and Minus Prefixes to Audit Classes
Table 31-3 Caret Prefix That Modifies Already-Specified Audit Classes
The audit classes and their prefixes can be used in the following files and commands:
In the flags line in the audit_control file
In the plugin:name=audit_syslog.so; p_flags= line in the audit_control file
In the user's entry in the audit_user database
As arguments to auditconfig command options.
See audit_control File for an example of using the prefixes in the audit_control file.
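The following added example (not part of the original guide or of Oracle Solaris) evaluates the flags line of an audit_control file and reports, for each class, whether success, failure, or both are preselected. It goes beyond the plus and minus prefixes described above by also applying the caret prefix as documented in audit_control(4): ^class turns a class off for both outcomes, ^+class for success, ^-class for failure. The function names and the sample file contents are constructed for illustration, and meta-classes such as all are treated as ordinary names rather than expanded.

```python
# Added example: evaluates a Solaris audit flags list. Sample input is constructed.
SUCCESS, FAILURE = 1, 2
LABELS = {SUCCESS: "success", FAILURE: "failure", SUCCESS | FAILURE: "both"}

def parse_flag(flag):
    """Split one flag such as '+lo' or '^-fw' into (class, mask, turn_off)."""
    flag = flag.strip()
    turn_off = flag.startswith("^")           # caret semantics per audit_control(4)
    if turn_off:
        flag = flag[1:]
    if flag.startswith("+"):
        mask, name = SUCCESS, flag[1:]        # plus prefix: success only
    elif flag.startswith("-"):
        mask, name = FAILURE, flag[1:]        # minus prefix: failure only
    else:
        mask, name = SUCCESS | FAILURE, flag  # no prefix: success and failure
    if not name or len(name) > 8:             # class names are at most 8 characters
        raise ValueError(f"invalid audit class name: {name!r}")
    return name, mask, turn_off

def effective_flags(flags_value):
    """Apply a comma-separated flags list left to right."""
    state = {}
    for raw in flags_value.split(","):
        if not raw.strip():
            continue
        name, mask, turn_off = parse_flag(raw)
        current = state.get(name, 0)
        state[name] = current & ~mask if turn_off else current | mask
    # Classes whose mask ended up empty are not audited and are left out.
    return {name: LABELS[m] for name, m in state.items() if m}

def flags_from_audit_control(text):
    """Return the effective preselection from the flags line of audit_control text."""
    for line in text.splitlines():
        if line.strip().startswith("flags:"):
            return effective_flags(line.split(":", 1)[1])
    return {}

# Constructed sample file contents, not taken from a real system.
SAMPLE = """\
dir:/var/audit
flags:lo,+ex,-fw,fm,^-fm
minfree:20
naflags:lo
"""

if __name__ == "__main__":
    for name, outcome in flags_from_audit_control(SAMPLE).items():
        print(f"{name}: audited for {outcome}")
```
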