Trusted Solaris Developer's Guide

Third-Party User Activities

Third-party applications audit user activities by creating third-party audit events and audit classes specific to the application and generating audit records with those events using the auditwrite(3TSOL) routine.

The application programmer defines the third-party audit events and classes used in third-party applications, and the system administrator at the site using the application sets up the above-referenced files to recognize the new events and classes.

Within the application, audit events are generated and logged to the audit trail in records. Audit records contain tokens that provide the audit event and other relevant information such as the process ID of the process that generated the event, the machine on which the event occurred, and the date and time. The audit trail is the place where audit records generated by the kernel, system applications, and third-party applications are stored in files. The following figure presents these elements and their relationships.

Figure 8-1 Audit Trail, Files, Records, and Tokens


You decide exactly what information is logged to the audit record by choosing which tokens to pass to the auditwrite(3TSOL) routine. Third-party applications should generate audit records in the highest possible interface layer, where the most precise information is available and where there is more opportunity to limit the generation of less useful audit records.
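The following added example (not code from this guide, and not the auditwrite(3TSOL) interface) models why the highest interface layer is the better place to audit. The record layout, the `audit_emit` helper, the `AUE_demo_*` event names, and the host name are all constructed for illustration.

```c
/* Constructed in-memory model of an audit trail; NOT the auditwrite(3TSOL) API. */
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* One record with the tokens the guide lists: event, process ID, machine, time, text. */
struct audit_record { char event[32]; long pid; char host[32]; time_t when; char text[96]; };

static struct audit_record trail[16];   /* stand-in for the audit trail */
static int trail_len;

/* Hypothetical helper: append one record to the model trail. */
static void audit_emit(const char *event, const char *text) {
    if (trail_len >= (int)(sizeof trail / sizeof trail[0])) return; /* trail full: drop */
    struct audit_record *r = &trail[trail_len++];
    snprintf(r->event, sizeof r->event, "%s", event);
    snprintf(r->host, sizeof r->host, "%s", "host-a"); /* constructed machine name */
    snprintf(r->text, sizeof r->text, "%s", text);
    r->pid = (long)getpid();
    r->when = time(NULL);
}

/* Low layer: sees only bytes, so auditing here gives one vague record per chunk. */
static void write_chunk(const char *buf, int audit_low) {
    char text[96];
    if (!audit_low) return;
    snprintf(text, sizeof text, "wrote %zu bytes", strlen(buf));
    audit_emit("AUE_demo_chunk_write", text);
}

/* High layer: knows user and order, so a single record carries the precise facts.
   Returns the number of audit records this call produced. */
int approve_order(const char *user, int order_id, int audit_low) {
    const char *chunks[] = { "header", "body", "signature" };
    int before = trail_len;
    char text[96];
    for (size_t i = 0; i < 3; i++) write_chunk(chunks[i], audit_low);
    if (!audit_low) {
        snprintf(text, sizeof text, "user=%s approved order=%d", user, order_id);
        audit_emit("AUE_demo_order_approved", text);
    }
    return trail_len - before;
}

/* Text token of the newest record, or "" if the trail is empty. */
const char *last_text(void) { return trail_len ? trail[trail_len - 1].text : ""; }

int main(void) { printf("%d\n", approve_order("alice", 42, 0)); puts(last_text()); return 0; }
```

Auditing in the low layer produces three records that say only how many bytes were written, while auditing in the high layer produces one record naming the user and the order.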