Audit flags indicate classes of events to audit. Machine-wide defaults for auditing are specified for all users on each machine by flags in the audit_control file, which is described in "The audit_control File".
The system administrator can modify what gets audited for individual users by putting audit flags in a user's entry in the audit_user file. The audit flags are also used as arguments to auditconfig (see the auditconfig(1M) man page).
Each predefined audit class is shown in Table 2-2 with the audit flag (which is the short name that stands for the class), the long name, a short description, and a longer definition. The system administrator uses the audit flags in the auditing configuration files to specify which classes of events to audit. Additional classes can be defined and existing classes can be renamed by modifying the audit_class file (see the audit_class(4) man page).
Table 2-2 Audit Classes
Short Name |
Long Name |
Short Description |
---|---|---|
Read of data, open for reading, and so forth |
||
Write of data, open for writing, and so forth |
||
Access of object attributes: stat, pathconf, and so forth |
||
Change of object attributes: chown, flock, and so forth |
||
Creation of object |
||
Deletion of object |
||
Process operations: fork, exec, exit, and so forth |
||
Network events: bind, connect, accept, and so forth |
||
Nonattributable events |
||
Administrative actions |
||
Login and logout events |
||
Application-defined event |
||
Program execution |
||
Miscellaneous |
||
Depending on the prefixes, a class of events can be audited whether it succeeds or fails, or only if it succeeds, or only if it fails. The format of the audit flag is shown here.
prefixflag
Table 2-3 shows prefixes that specify whether the audit class is audited for success or failure or both.
Table 2-3 Prefixes Used in Audit Flags
Prefix |
Definition |
---|---|
none | |
+ |
Audit for success only |
- |
Audit for failure only |
To give an example of how these work together, the audit flag lo means "all successful attempts to log in and log out and all failed attempts to log in." (You cannot fail an attempt to logout.) For another example, the -all flag refers to all failed attempts of any kind, and the +all flag refers to all successful attempts of any kind.
The -all flag can generate large amounts of data and fill up audit file systems quickly, so use it only if you have extraordinary reasons to audit everything.
Use the following prefixes in any of three ways: in the flags line in the audit_control file to modify already-specified flags, in flags in the user's entry in the audit_user file, or with auditconfig (see the auditconfig(1M) man page).
The prefixes in the following table, along with the short names of audit classes, turn on or turn off previously specified audit classes. These prefixes turn on or off previously specified flags only.
Table 2-4 Prefixes Used to Modify Already-Specified Audit Flags
Prefix |
Definition |
---|---|
^- |
Turn off for failed attempts |
^+ | |
^ |
Turn off for both failed and successful attempts |
The ^- prefix is used in the flags line in the following example from an audit_control file.
In the sample screen below, the lo and ad flags specify that all logins and administrative operations are to be audited when they succeed and when they fail. The -all means audit "all failed events." Because the ^- prefix means "turn off auditing for the specified class for failed attempts," the ^-fc flag modifies the previous flag that specified auditing of all failed events; the two fields together mean "audit all failed events, except failed attempts to create file system objects."
flags:lo,ad,-all,^-fc |