Definitions of Audit Flags (System Administration Guide: Security Services)

System Administration Guide: Security Services

Definitions of Audit Flags

The following table shows each predefined audit class with the audit flag (which is the short name that stands for the class), the long name, and a short description. You use these audit flags in the auditing configuration files to specify which classes of events to audit. You can define new classes and rename existing classes by modifying the audit_class file (see the audit_class(4) man page).

Table 25–2 Audit Flags


Short Name	Long Name	Short Description
`no`	`no_class`	Null value for turning off event preselection
`fr`	`file_read`	Read of data, open for reading
`fw`	`file_write`	Write of data, open for writing
`fa`	`file_attr_acc`	Access of object attributes: `stat`, `pathconf`
`fm`	`file_attr_mod`	Change of object attributes: `chown`, `flock`
`fc`	`file_creation`	Creation of object
`fd`	`file_deletion`	Deletion of object
`cl`	`file_close`	`close` system call
`pc`	`process`	Process operations: `fork`, `exec`, `exit`
`nt`	`network`	Network events: `bind`, `connect`, `accept`
`ip`	`ipc`	System V IPC operations
`na`	`non_attrib`	Nonattributable events
`ad`	`administrative`	Administrative actions
`lo`	`login_logout`	Login and logout events
`ap`	`application`	Application-defined event
`io`	`ioctl`	`ioctl` system call
`ex`	`exec`	Program execution
`ot`	`other`	Miscellaneous
`all`	`all`	All flags set