Trusted Extensions adds X windows audit classes to Oracle Solaris. The classes are listed in the /etc/security/audit_class file. For more information about audit classes, see the audit_class(4) man page.
The X server audit events are mapped to these classes according to the following criteria:
xa – This class audits access to the X server, that is, X client connection and X client disconnection.
xc – This class audits server objects for creation or for destruction. For example, this class audits CreateWindow().
xp – This class audits for use of privilege. Privilege use can be successful or unsuccessful. For example, ChangeWindowAttributes() is audited when a client attempts to change the attributes of another client's window. This class also includes administrative routines such as SetAccessControl().
xs – This class audits routines that do not return X error messages to clients on failure when security attributes cause the failure. For example, GetImage() does not return a BadWindow error if it cannot read from a window for lack of privilege.
These events should be selected for audit on success only. When xs events are selected for failure, the audit trail fills with irrelevant records.
xx – This class includes all of the X audit classes.