Security-relevant system actions can be audited. These auditable actions are defined as audit events. Audit events are listed in the /etc/security/audit_event file. Each auditable event is defined in the file by a symbolic name, an event number, a set of preselection classes, and a short description (see the audit_event(4) man page).
There are several categories of audit events. The primary distinction is between events that are generated by the kernel (called kernel-level events), and events that are generated by applications (called user-level events). Whether the event is generated by the kernel or by a user-level application determines the number range of the event number that identifies the event.
Table 22–2 Audit Event Categories

| Number Range | Type of Event |
|---|---|
| 1–2047 | Kernel-level audit events |
| 2048–65535 | User-level audit events |
| 2048–32767 | User-level events reserved for SunOS programs |
| 32768–65535 | User-level events available for third-party applications |
Events that are generated by the kernel (system calls) have event numbers between 1 and 2047. The event names for kernel events begin with AUE_, followed by an uppercase mnemonic for the event. For example, the event number for the creat() system call is 4, and the event name is AUE_CREAT.
Events that are generated by application software (outside the kernel) range from 2048 to 65535. The event names begin with AUE_, followed by a lowercase mnemonic for the event. For example, the event number for the rlogin command is 6155, and the event name is AUE_rlogin. Table 22–2 shows general categories of user-related events.
Most events are attributable to an individual user, but not all. Events that cannot be tied to a user are known as nonattributable events. Events are nonattributable if they occur at the kernel-interrupt level or before a user is identified and authenticated. Nonattributable events are auditable as well. AUE_ENTERPROM (kernel-level event number 153) and AUE_mountd_mount (user-level event number 6156) are examples of nonattributable events. Check the /etc/security/audit_event file for the exact numbers of individual events.
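The following is an added example, not part of this guide or of Solaris itself, that puts the rules above into code: it parses entries in the colon-separated layout documented in audit_event(4) (number:name:description:classes, an assumption about the file format that the text above does not spell out), assigns each event to its Table 22–2 range, and checks that the AUE_ name follows the uppercase-for-kernel, lowercase-for-user convention. The sample entries are constructed: the event names and numbers are those cited above, while the descriptions and the class flags (fc, lo, na) are assumptions chosen to look like real entries.

```python
"""Parse audit_event(4)-style entries and classify them by number range.

Added illustration, not Solaris code. Assumes the colon-separated layout
described in audit_event(4): number:name:description:classes.
"""
from dataclasses import dataclass

# Constructed sample entries. Names and numbers come from the text above;
# descriptions and class flags are assumptions shaped like real entries.
# 'na' is assumed here to be the nonattributable class flag (see audit_class(4)).
SAMPLE_AUDIT_EVENT = """\
# /etc/security/audit_event (constructed excerpt)
4:AUE_CREAT:creat(2):fc
153:AUE_ENTERPROM:enter prom:na
6155:AUE_rlogin:rlogin(1):lo
6156:AUE_mountd_mount:mount(1M) via mountd:na
"""

KERNEL_RANGE = range(1, 2048)            # 1-2047
SUNOS_USER_RANGE = range(2048, 32768)    # 2048-32767
THIRD_PARTY_RANGE = range(32768, 65536)  # 32768-65535


@dataclass(frozen=True)
class AuditEvent:
    number: int
    name: str
    description: str
    classes: tuple  # preselection classes, e.g. ("fc",) or ("fw", "fa")


def category(number):
    """Map an event number to its Table 22-2 category; reject numbers outside 1-65535."""
    if number in KERNEL_RANGE:
        return "kernel"
    if number in SUNOS_USER_RANGE:
        return "user-sunos"
    if number in THIRD_PARTY_RANGE:
        return "user-third-party"
    raise ValueError(f"event number {number} outside 1-65535")


def name_follows_convention(number, name):
    """Kernel mnemonics are uppercase (AUE_CREAT); user-level ones are lowercase (AUE_rlogin)."""
    if not name.startswith("AUE_") or len(name) == len("AUE_"):
        return False
    mnemonic = name[len("AUE_"):]
    if category(number) == "kernel":
        return mnemonic.isupper()
    return mnemonic.islower()


def parse_audit_event(text):
    """Parse audit_event(4)-style text into AuditEvent records.

    Comment and blank lines are skipped. The first two fields are number and
    name, the last field is the class list; anything between is the
    description, so a ':' inside a description does not break parsing.
    """
    events = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected number:name:description:classes, got {line!r}")
        number = int(parts[0])
        category(number)  # raises ValueError for an out-of-range number
        classes = tuple(c for c in parts[-1].split(",") if c)
        events.append(AuditEvent(number, parts[1], ":".join(parts[2:-1]), classes))
    return events


def events_in_class(events, flag):
    """Names of events whose preselection classes include `flag`."""
    return [e.name for e in events if flag in e.classes]


def convention_violations(events):
    """Entries whose name case does not match the kernel/user split of their number."""
    return [e.name for e in events if not name_follows_convention(e.number, e.name)]


if __name__ == "__main__":
    for e in parse_audit_event(SAMPLE_AUDIT_EVENT):
        print(f"{e.number:5d} {e.name:18s} {category(e.number):17s} classes={','.join(e.classes)}")
```

Running the script against a real /etc/security/audit_event instead of the constructed excerpt is a quick way to confirm that a locally added third-party event landed in the 32768–65535 range and that its name does not collide with the SunOS convention; convention_violations() lists any entry whose name case disagrees with its number range.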