Security-relevant actions may be audited. The system actions that are auditable are defined as audit events in the /etc/security/audit_event file. Each auditable event is defined in the file by a symbolic name, an event number, a set of preselection classes, and a short description (see the audit_event(4) man page).
Most events are attributable to an individual user. However, some events are nonattributable because they occur at the kernel-interrupt level or before a user is identified and authenticated. Nonattributable events are auditable as well.
Each audit event is also defined as belonging to an audit class or classes. Administrators name an audit class (called an audit flag) when specifying for the audit daemon what is to be audited. When naming a class, one simultaneously addresses all of the events in that class. The mapping of audit events to classes is configurable and the classes themselves are configurable. These configuration changes are made in the audit_event file. New classes are added to the audit_class file.
Whether an auditable event is recorded in the audit trail depends on whether the administrator preselects an audit class that includes the specific event.
The file /etc/security/audit_class stores class definitions. Site-specific definitions can be added and default definitions can be changed. Each entry in the file has the form:
mask:name:description
Each class is represented as a bit in the mask, which is an unsigned integer, giving 32 different available classes plus two global classes, all and no. all is a conjunction of all allowed classes. no is the invalid class. Events mapped to the no class are not audited. Events mapped solely to the no class are not audited even if the all class is turned on. Below is a sample audit_class file:
0x00000000:no:invalid class 0x00000001:fr:file read 0x00000002:fw:file write 0x00000004:fa:file attribute access 0x00000008:fm:file attribute modify 0x00000010:fc:file create 0x00000020:fd:file delete 0x00000040:cl:file close 0x00000100:nt:network 0x00000200:ip:ipc 0x00000400:na:non-attribute 0x00001000:lo:login or logout 0x00002000:ax:x server 0x00004000:ap:application 0x000f0000:ad:administrative 0x00010000:ss:change system state 0x00020000:as:system-wide administration 0x00040000:aa:audit administration 0x00080000:ao:other administration 0x00300000:pc:process 0x00100000:ps:process start/stop 0x00200000:pm:process modify 0x20000000:io:ioctl 0x40000000:fn:fcntl 0x80000000:ot:other 0xffffffff:all:all classes
If the no class is actually turned on for auditing, the audit trail fills up with records for the audit event AUE_NULL.
Events generated by the kernel (system calls) have event numbers between 1 and 2047. The event names for kernel events begin with AUE_, followed by an uppercase mnemonic for the event. For example, the event number for the creat() system call is 4 and the event name is AUE_CREAT.
Within kernel events there is one pseudo-event defined, AUE_UPRIV, which audits use-of-privilege decisions.
When the AUE_UPRIV pseudo-event is preselected, audit information is collected internally even if the underlying kernel event is not selected. For example, if the kernel event AUE_OPEN_R is not selected for auditing but the pseudo-event AUE_UPRIV is enabled, the kernel event AUE_OPEN_R will be written to the audit trail if a use-of-privilege decision was part of the AUE_OPEN_R system call.
Events generated by trusted application software outside the kernel range from 2048 to 65535. The event names begin with AUE_, followed by a lowercase mnemonic for the event. The file /etc/security/audit_event lists individual events in numerical order. For a listing of events by class, see Appendix A, Event-to-Class Mappings. The following table shows general categories of user-related events.
Table 1–1 Audit Event Categories
Number Range |
Type of Event |
---|---|
2048–65535 |
User-level audit events |
2048–32767 |
Reserved for Solaris and Trusted Solaris user-level programs |
32768–65536 |
Available for third-party applications |
Events that are not attributable to a user, such as AUE_ENTERPROM.