Optional: Skip this section if you are using the default event-to-class mappings provided by Trusted Solaris. Do not skip this section if you have decided to rearrange what events are assigned to what classes, or to create new classes or new events.
Trusted Solaris allows 32 audit classes, including the class all. Your site may add classes until the total number is 32.
The security administrator plans site-specific mappings. To plan site-specific mappings:
Decide what classes are needed.
Decide what events belong in what classes.
Decide what events should be copied to another class or classes.
An audit event can belong to more than one class. For example, the audit event AUE_RENAME belongs to the classes file create and file delete in the default event-to-class mapping.
Decide what events should be moved to another class or classes.
Decide what events should be added to a class or classes.
For each class, decide whether to audit it for success, for failure, or for both.
When new software programs include audit events not provided by Trusted Solaris 2.5.1 software, add the events to existing classes or create a new classes for the new events.
The following are factors to consider when changing the contents of default audit classes and creating new ones in the Trusted Solaris environment.
This document, Trusted Solaris Audit Administration, reports the default auditing configuration.
Document your site's modifications to the auditing defaults, and make the document available to the administrators handling audit administration.
If you are networked, you must change the auditing configuration files on all the workstations when you change the files on one workstation.
A network of Trusted Solaris workstations behaves like one workstation. When auditing is enabled, it is enabled on every workstation, and every workstation is audited for the same classes, has the same defaults, has the same user exceptions, and has the same event-to-class mappings as every other Trusted Solaris workstation in the network.