Definitions of Audit Classes (System Administration Guide: Security Services)

System Administration Guide: Security Services

Definitions of Audit Classes

The following table shows each predefined audit class, the descriptive name for each audit class, and a short description.

Table 31–1 Predefined Audit Classes


Audit Class	Descriptive Name	Description
`all`	`all`	All classes (metaclass)
`no`	`no_class`	Null value for turning off event preselection
`na`	`non_attrib`	Nonattributable events
`fr`	`file_read`	Read of data, open for reading
`fw`	`file_write`	Write of data, open for writing
`fa`	`file_attr_acc`	Access of object attributes: `stat`, `pathconf`
`fm`	`file_attr_mod`	Change of object attributes: `chown`, `flock`
`fc`	`file_creation`	Creation of object
`fd`	`file_deletion`	Deletion of object
`cl`	`file_close`	`close` system call
`ap`	`application`	Application-defined event
`ad`	`administrative`	Administrative actions (old administrative metaclass)
`am`	`administrative`	Administrative actions (metaclass)
`ss`	`system state`	Change system state
`as`	`system-wide administration`	System-wide administration
`ua`	`user administration`	User administration
`aa`	`audit administration`	Audit utilization
`ps`	`process start`	Process start and process stop
`pm`	`process modify`	Process modify
`pc`	`process`	Process (metaclass)
`ex`	`exec`	Program execution
`io`	`ioctl`	`ioctl()` system call
`ip`	`ipc`	System V IPC operations
`lo`	`login_logout`	Login and logout events
`nt`	`network`	Network events: `bind`, `connect`, `accept`
`ot`	`other`	Miscellaneous, such as device allocation and `memcntl()`

You can define new classes by modifying the /etc/security/audit_class file. You can also rename existing classes. For more information, see the audit_class(4) man page.