Audit flags indicate classes of events to audit. Machine-wide defaults for auditing are specified for all users on each machine by flags in the audit_control file. The file is described in The audit_control File.
You can modify what is audited for individual users by putting audit flags in a user's entry in the audit_user file. The audit flags are also used as arguments to the auditconfig command. See the auditconfig(1M) man page.
The following table shows each predefined audit class. The table shows the audit flag, the long name, and a short description. The audit flag is the short name that stands for the class. You use these audit flags in the auditing configuration files to specify which classes of events to audit. You also use them as arguments to auditing commands, such as auditconfig. You can define new classes by modifying the audit_class file. You can also rename existing classes. See the audit_class(4) man page for more information.
Table 23–1 Predefined Audit Flags

| Short Name | Long Name | Short Description |
|---|---|---|
| | | All classes (meta-class) |
| | | Nonattributable events |
| | | Read of data, open for reading |
| | | Write of data, open for writing |
| | | Access of object attributes: stat, pathconf |
| | | Change of object attributes: chown, flock |
| | | Creation of object |
| | | Deletion of object |
| | | Application-defined event |
| | | Administrative actions (old administrative meta-class) |
| | | Administrative actions (meta-class) |
| | | Change system state |
| | | System-wide administration |
| | | User administration |
| | | Audit utilization |
| | | Process start and process stop |
| | | Process modify |
| | | Process (meta-class) |
| | | Program execution |
| | | Login and logout events |
| | | Network events: bind, connect, accept |
| | | Miscellaneous |
The prefixes to the audit flags determine whether a class of events is audited for success, or for failure. Without a prefix, a class is audited for success and for failure. The following table shows the format of the audit flag and some possible representations.
Table 23–2 Plus and Minus Prefixes to Audit Flags

| Prefix and Flag | Explanation |
|---|---|
| lo | Audit all successful attempts to log in and log out, and all failed attempts to log in. You cannot fail an attempt to log out. |
| +lo | Audit all successful attempts to log in and log out. |
| -all | Audit all failed events. |
| +all | Audit all successful events. |
The all flag can generate large amounts of data and fill up audit file systems quickly. Use the all flag only if you have extraordinary reasons to audit all activities.
Audit flags that were previously selected can be further modified by a caret prefix, ^. The following table shows how the caret prefix modifies a preselected audit flag.
Table 23–3 Caret Prefix That Modifies Already-Specified Audit Flags
The prefixes to the audit flags can be used in the following files and commands:

- In the flags line in the audit_control file
- In the flags field in the user's entry in the audit_user file
- With arguments to the auditconfig command
See The audit_control File for an example of using the prefixes in the audit_control file.
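The prefix rules above (no prefix audits success and failure, `+` success only, `-` failure only, and `^` removing a previously selected flag) are easy to get wrong when a flags line mixes them with the `all` meta-class. The following added example, which is not part of the Solaris documentation or the audit subsystem itself, resolves a flags line token by token into a per-class success/failure state so that an administrator can check what a proposed `flags:` line in audit_control actually selects before deploying it. It assumes the caret semantics `^+x` drops success auditing, `^-x` drops failure auditing, and `^x` drops both (confirm against the audit_control(4) man page for your release), and uses a constructed class list: `lo` and `all` appear on this page; `ex` (program execution) and `fw` (write of data) are Solaris class short names this page's table does not spell out; the real list lives in the audit_class file.

```python
import re
from typing import Dict, Iterable, Tuple

# Constructed class set for the example. 'lo' and 'all' are on this page; 'ex'
# and 'fw' are assumed Solaris short names. Load the real set from audit_class.
CLASSES: Tuple[str, ...] = ("lo", "ex", "fw")

# One token: optional caret, optional +/- sign, then the class short name.
FLAG_RE = re.compile(r"^(\^?)([+-]?)([a-z_]+)$")

# Constructed audit_control fragment; only the flags line is used below.
AUDIT_CONTROL_SAMPLE = """\
dir:/var/audit
flags:lo,-all,^-fw
minfree:20
naflags:lo
"""


def parse_flag(token: str) -> Tuple[bool, str, str]:
    """Split one flag token into (remove, sign, class_name)."""
    m = FLAG_RE.match(token.strip())
    if not m:
        raise ValueError(f"malformed audit flag: {token!r}")
    caret, sign, name = m.groups()
    return bool(caret), sign, name


def resolve_flags(flags_line: str,
                  classes: Iterable[str] = CLASSES) -> Dict[str, Tuple[bool, bool]]:
    """Apply every token left to right and return {class: (success, failure)}.

    'all' expands to every known class. An unknown class name is an error,
    mirroring the fact that the audit tools reject names absent from audit_class.
    """
    state = {c: (False, False) for c in classes}
    for token in flags_line.split(","):
        if not token.strip():
            continue
        remove, sign, name = parse_flag(token)
        targets = tuple(state) if name == "all" else (name,)
        for cls in targets:
            if cls not in state:
                raise ValueError(f"unknown audit class: {cls!r}")
            succ, fail = state[cls]
            # '+' touches success only, '-' failure only, no sign touches both.
            hit_succ = sign in ("+", "")
            hit_fail = sign in ("-", "")
            if remove:  # caret: assumed semantics, drop the selected direction(s)
                succ = succ and not hit_succ
                fail = fail and not hit_fail
            else:
                succ = succ or hit_succ
                fail = fail or hit_fail
            state[cls] = (succ, fail)
    return state


def describe(state: Dict[str, Tuple[bool, bool]]) -> str:
    """Render the resolved state as the shortest equivalent flags line."""
    out = []
    for cls, (succ, fail) in state.items():
        if succ and fail:
            out.append(cls)
        elif succ:
            out.append("+" + cls)
        elif fail:
            out.append("-" + cls)
    return ",".join(out)


def flags_from_audit_control(text: str, key: str = "flags") -> str:
    """Pull the value of the 'flags:' (or 'naflags:') line out of audit_control text."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(key + ":"):
            return line.split(":", 1)[1].strip()
    return ""


if __name__ == "__main__":
    line = flags_from_audit_control(AUDIT_CONTROL_SAMPLE)
    # lo both ways, failures for every class, then drop failure auditing for fw.
    print(line, "->", describe(resolve_flags(line)))
```

Running the sample resolves `lo,-all,^-fw` to `lo,-ex`: login and logout are audited for success and failure, program execution for failure only, and writes not at all, which is the kind of surprise (the `^-fw` silently undoing part of `-all`) that is worth catching before the file is installed.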