Trusted Solaris Audit Administration

To Add Audit Events

  1. As role secadmin, at label admin_low, add audit events in the audit_event(4) file.

    1. Open the System_Admin folder from the Application Manager.

    2. Double-click the Audit Events action.

  2. Add the events you planned in Planning a Site-Specific Event-to-Class Mapping, write the file, and exit the editor.

    For events in more than one class, use a comma (no space) to delimit the classes.


    Note –

    Third-party applications can use the event numbers 32768 through 65536 only. See for more information about event number assignment.


  3. Make any changes to audit_control(4) and audit_user(4) to audit the events in the new classes.

    See To Set Audit Flags and To Set User Exceptions to the Audit Flags for details of the procedures.


    Note –

    On a distributed system, the audit_class, audit_event, audit_startup, and audit_user files must be identical on every host on the network. See To Distribute Audit Configuration Files for a process to distribute master copies of files to all hosts on the network.


  4. Reboot, or as secadmin in an admin_low profile shell, run the auditconfig(1M) command with appropriate options.

    In the following example, the audit session ID is 159, and the new events are in the classes gr (for graphic applications) and db (for database applications).


    $ auditconfig -setsmask 159 gr,db
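
The following added example (not part of the original documentation) checks planned entries against the rules in this procedure before they are merged into audit_event: event numbers in the third-party range, classes delimited by commas with no spaces, and every class defined in audit_class. The function name check_site_events, the file name site_events, the sample events, and the class masks are assumptions constructed for illustration; the field layouts are those of audit_event(4) (number:name:description:classes) and audit_class(4) (mask:name:description).

```shell
#!/bin/sh
# Added example: lint planned audit_event(4) entries before they are merged.
# Usage: check_site_events SITE_EVENTS AUDIT_CLASS
#   SITE_EVENTS  file holding only the new lines (hypothetical file name)
#   AUDIT_CLASS  the audit_class file, lines of "mask:name:description"
# Prints one line per problem; returns non-zero if any problem was found.
check_site_events() {
    awk -F: -v classfile="$2" '
        function bad(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; errs++ }
        /^#/ || /^[ \t]*$/ { next }                # comments and blank lines
        FILENAME == classfile { known[$2] = 1; next }
        NF != 4 { bad("expected number:name:description:classes"); next }
        {
            # Third-party range as stated in the procedure above.
            if ($1 !~ /^[0-9]+$/ || $1 + 0 < 32768 || $1 + 0 > 65536)
                bad("event number " $1 " is outside 32768-65536")
            if ($1 in seen) bad("event number " $1 " is defined twice")
            seen[$1] = 1
            if ($4 ~ /[ \t]/) bad("class list \"" $4 "\" contains a space")
            n = split($4, cls, ",")
            for (i = 1; i <= n; i++) {
                c = cls[i]; gsub(/[ \t]/, "", c)
                if (!(c in known)) bad("class \"" c "\" is not in audit_class")
            }
        }
        END { exit (errs > 0) }
    ' "$2" "$1"
}

# Constructed sample data: two site classes (masks invented) and four
# planned events, two of which break the rules in the procedure.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '0x00010000:gr:graphic applications' \
                  '0x00020000:db:database applications' > "$d/audit_class"
    printf '%s\n' '32768:AUE_site_render:render job:gr' \
                  '32769:AUE_site_query:report query:gr,db' \
                  '32770:AUE_site_load:bulk load:gr, db' \
                  '4096:AUE_site_bad:wrong range:dq' > "$d/site_events"
    check_site_events "$d/site_events" "$d/audit_class"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "fix the entries above before editing audit_event"
```

Running the same check on each host's copy of the planned entries gives the same result only if the audit_class files are identical, which is the condition the note in step 3 requires.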