The audit classes that Trusted Extensions software adds to the Solaris OS are listed alphabetically in the following table. The classes are listed in the /etc/security/audit_class file. For more information about audit classes, see the audit_class(4) man page.
Table 24–1 X Server Audit Classes
Short Name |
Long Name |
Audit Mask |
---|---|---|
xc |
X - Object create/destroy | |
xp |
X - Privileged/administrative operations | |
xs |
X - Operations that always silently fail, if bad | |
xx |
X - All X events in the xl, xc, xp, and xs classes (metaclass) |
The X server audit events are mapped to these classes according to the following criteria:
xc – This class audits server objects for creation or for destruction. For example, this class audits CreateWindow().
xp – This class audits for use of privilege. Privilege use can be successful or unsuccessful. For example, ChangeWindowAttributes() is audited when a client attempts to change the attributes of another client's window. This class also includes administrative routines such as SetAccessControl().
xs – This class audits routines that do not return X error messages to clients on failure when security attributes cause the failure. For example, GetImage() does not return a BadWindow error if it cannot read from a window for lack of privilege.
These events should be selected for audit on success only. When xs events are selected for failure, the audit trail fills with irrelevant records.
xx – This class includes all of the X audit classes.