System Administration Guide: Security Services

Audit Events

Security-relevant system actions can be audited. These auditable actions are defined as audit events. Audit events are listed in the /etc/security/audit_event file. Each auditable event is defined in the file by a symbolic name, an event number, a set of preselection classes, and a short description (see the audit_event(4) man page).

There are several categories of audit events. The primary distinction is between events that are generated by the kernel (called kernel-level events), and events that are generated by applications (called user-level events). Whether the event is generated by the kernel or by a user-level application determines the number range of the event number that identifies the event.

Table 22–2 Audit Event Categories

Number Range      Type of Event
1–2047            Kernel-level audit events
2048–65535        User-level audit events
    2048–32767    Reserved for SunOS user-level programs
    32768–65535   Available for third-party applications

Kernel-Level Audit Events

Events that are generated by the kernel (system calls) have event numbers between 1 and 2047. The event names for kernel events begin with AUE_, followed by an uppercase mnemonic for the event. For example, the event number for the creat() system call is 4, and the event name is AUE_CREAT.

User-Level Audit Events

Events that are generated by application software (outside the kernel) range from 2048 to 65535. The event names begin with AUE_, followed by a lowercase mnemonic for the event. For example, the event number for the rlogin command is 6155, and the event name is AUE_rlogin. Table 22–2 shows general categories of user-related events.

Nonattributable Audit Events

Most events are attributable to an individual user, but not all. Events that cannot be attributed to a user are known as nonattributable events. Events are nonattributable if they occur at the kernel-interrupt level or before a user is identified and authenticated. Nonattributable events are auditable as well. AUE_ENTERPROM (kernel-level event number 153) and AUE_mountd_mount (user-level event number 6156) are examples of nonattributable events. Check the /etc/security/audit_event file for the exact numbers of individual events.
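The following Python example, added here and not part of the guide, parses lines in the audit_event(4) format described above and applies the number ranges of Table 22–2 and the AUE_ naming convention from the kernel-level and user-level sections. The sample lines are constructed: the four event numbers and names are those quoted in this chapter, while the descriptions, class lists and the third-party entry are assumptions for illustration.

```python
from dataclasses import dataclass
# Constructed sample in the audit_event(4) line format
# event_number:event_name:description:preselection_classes. The first four numbers
# and names come from the guide; descriptions, class lists and the third-party
# entry are illustrative assumptions, not the contents of a real file.
SAMPLE_AUDIT_EVENT = """\
# comment lines are skipped
4:AUE_CREAT:creat(2):fc
153:AUE_ENTERPROM:enter prom:na
6155:AUE_rlogin:login - rlogin:lo
6156:AUE_mountd_mount:mount:na
40000:AUE_myapp_login:third-party login:lo,ap
"""

# Event number ranges from Table 22-2.
RANGES = [(1, 2047, "kernel"), (2048, 32767, "user-sunos"),
          (32768, 65535, "user-third-party")]

@dataclass
class AuditEvent:
    number: int
    name: str
    description: str
    classes: list

    def category(self) -> str:
        return next((c for lo, hi, c in RANGES if lo <= self.number <= hi),
                    "out-of-range")

    def name_follows_convention(self) -> bool:
        # AUE_ + uppercase mnemonic for kernel events, lowercase for user events.
        mnemonic = self.name[4:]
        if not self.name.startswith("AUE_") or not mnemonic:
            return False
        expected = mnemonic.upper() if self.category() == "kernel" else mnemonic.lower()
        return mnemonic == expected

def parse_audit_event(text: str) -> list:
    # One AuditEvent per non-blank, non-comment line; a malformed line is rejected.
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed audit_event line: {raw!r}")
        number, name, description, classes = fields
        events.append(AuditEvent(int(number), name, description, [c for c in classes.split(",") if c]))
    return events
```

Run against a real /etc/security/audit_event, the same functions report which entries fall outside the documented ranges or break the AUE_ naming convention, which is a quick sanity check on locally added third-party events.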