test

System Administration Guide: Security Services

Audit Classes and Their Audit Flags

Audit flags indicate classes of events to audit. Machine-wide defaults for auditing are specified for all users on each machine by flags in the audit_control file. The file is described in The audit_control File.

You can modify what is audited for individual users by putting audit flags in a user's entry in the audit_user file. The audit flags are also used as arguments to the auditconfig command. See the auditconfig(1M) man page.

Definitions of Audit Flags

The following table shows each predefined audit class. The table shows the audit flag, the long name, and a short description. The audit flag is the short name that stands for the class. You use these audit flags in the auditing configuration files to specify which classes of events to audit. You also use them as arguments to auditing commands, such as auditconfig. You can define new classes by modifying the audit_class file. You can also rename existing classes. See the audit_class(4) man page for more information.

Table 23–1 Predefined Audit Flags

Short Name 

Long Name 

Short Description 

all

all

All classes (meta-class) 

no

no_class

Null value for turning off event preselection

na

non_attrib

Nonattributable events 

fr

file_read

Read of data, open for reading 

fw

file_write

Write of data, open for writing 

fa

file_attr_acc

Access of object attributes: stat, pathconf

fm

file_attr_mod

Change of object attributes: chown, flock

fc

file_creation

Creation of object 

fd

file_deletion

Deletion of object 

cl

file_close

close system call

ap

application

Application-defined event 

ad

administrative

Administrative actions (old administrative meta-class) 

am

administrative

Administrative actions (meta-class) 

ss

system state

Change system state 

as

system-wide administration

System-wide administration 

ua

user administration

User administration 

aa

audit administration

Audit utilization 

ps

process start

Process start and process stop 

pm

process modify

Process modify 

pc

process

Process (meta-class) 

ex

exec

Program execution 

io

ioctl

ioctl system call

ip

ipc

System V IPC operations

lo

login_logout

Login and logout events 

nt

network

Network events: bind, connect, accept

ot

other

Miscellaneous 

Audit Flag Syntax

The prefixes to the audit flags determine whether a class of events is audited for success, or for failure. Without a prefix, a class is audited for success and for failure. The following table shows the format of the audit flag and some possible representations.

Table 23–2 Plus and Minus Prefixes to Audit Flags

prefixflag

Explanation 

lo

Audit all successful attempts to log in and log out, and all failed attempts to log in. You cannot fail an attempt to log out. 

+lo

Audit all successful attempts to log in and log out. 

-all

Audit all failed events. 

+all

Audit all successful events. 

Caution – Caution –

The all flag can generate large amounts of data and fill up audit file systems quickly. Use the all flag only if you have extraordinary reasons to audit all activities.

Prefixes That Modify Audit Flags

Audit flags that were previously selected can be further modified by a caret prefix, ^. The following table shows how the caret prefix modifies a preselected audit flag.

Table 23–3 Caret Prefix That Modifies Already-Specified Audit Flags

^prefixflag

Explanation 

-all,^-fc

Audit all failed events, except do not audit failed attempts to create file system objects

am,^+aa

Audit all administrative events for success and for failure, except do not audit successful attempts to administer auditing

am,^ua

Audit all administrative events for success and for failure, except do not audit user administration events 

The prefixes to the audit flags can be used in the following files and commands:

See The audit_control File for an example of using the prefixes in the audit_control file.