System Administration Guide: Security Services

How to Change an Audit Event's Class Membership

Event-class mappings are defined in the /etc/security/audit_event file.

  1. Become superuser or assume an equivalent role.

  2. (Optional) Save a backup copy of the audit_event file.

    # cp /etc/security/audit_event /etc/security/audit_event.orig

  3. Change the class to which particular events belong by changing the flag of the events.

    Each entry has the following format:

    number:event:program:flag

    number

    Defines the audit event ID.

    event

    Defines the name of the audit event.

    program

    Defines the system call or user-level program executable that triggers the creation of an audit record.

    flag

    Defines the two-letter name of the audit class.

  4. Make the new data available to the BSM service.

    To use the new data, either reboot the system, or type the following commands:

    # auditconfig -conf
    # audit -s

Example—Creating a Site-Specific Audit Event Mapping

In this example, you define a new class, and then add events to that class. To use the mapping, put the new class in the audit_control file, then reboot the system.

  1. In the audit_class file, define a site-specific class to collect just those audit events that you want to monitor.

    0x00000800:sc:site class

  2. In the audit_event file, change a set of audit events to the new class.

    26:AUE_SETGROUPS:setgroups(2):sc
    27:AUE_SETPGRP:setpgrp(2):sc
    40:AUE_SETREUID:setreuid(2):sc
    41:AUE_SETREGID:setregid(2):sc
    214:AUE_SETEGID:setegid(2):sc
    215:AUE_SETEUID:seteuid(2):sc

  3. Use the new flag in the audit_control file. The following entry audits logins, and audits all successful invocations of the events in the sc class.

    flags:lo,+sc

  4. To ensure that the new configuration audits all processes, reboot the system. Alternatively, use the following commands to ensure that each user who uses the machine is correctly audited. auid is the user ID.

    # auditconfig -conf
    # audit -s
    # auditconfig -setumask auid lo,+sc
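The following Python script is an added example, not part of the Solaris guide above. It works through both the audit_event format (number:event:program:flag) and the site-class procedure: it parses constructed audit_class and audit_event contents, moves a chosen set of events into the sc class while refusing a class that audit_class does not define, and then evaluates an audit_control flags value such as lo,+sc to show which events would be selected on success and on failure. The file contents, the class masks, and the event numbers are constructed for illustration and are not authoritative; only the bare, + and - prefix forms shown on this page are handled.

```python
"""Remap Solaris BSM audit events to a site-specific class and evaluate an
audit_control 'flags' value against the result. Added example; the sample
file contents below are constructed and the masks are illustrative only."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of /etc/security/audit_class: mask:name:description
AUDIT_CLASS_SAMPLE = """\
0x00000080:pc:process
0x00001000:lo:login or logout
0x00000800:sc:site class
"""

# Constructed sample of /etc/security/audit_event: number:event:program:flag
AUDIT_EVENT_SAMPLE = """\
26:AUE_SETGROUPS:setgroups(2):pc
27:AUE_SETPGRP:setpgrp(2):pc
40:AUE_SETREUID:setreuid(2):pc
6152:AUE_login:login - local:lo
"""


@dataclass
class AuditEvent:
    number: int
    name: str
    program: str
    flags: List[str]  # class names; the file allows a comma-separated list

    def to_line(self) -> str:
        """Serialise back into audit_event line format."""
        return f"{self.number}:{self.name}:{self.program}:{','.join(self.flags)}"


def parse_audit_class(text: str) -> Dict[str, int]:
    """Map class name -> bit mask. Rejects a mask already used by another
    class, since two classes sharing a bit cannot be preselected separately."""
    classes: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mask, name, _desc = line.split(":", 2)
        value = int(mask, 16)
        if value in classes.values():
            raise ValueError(f"mask {mask} reused by class {name!r}")
        classes[name] = value
    return classes


def parse_audit_event(text: str) -> List[AuditEvent]:
    """Parse audit_event lines; the program field may itself contain spaces."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        number, name, program, flag = line.split(":", 3)
        events.append(AuditEvent(int(number), name, program, flag.split(",")))
    return events


def remap_events(events: List[AuditEvent], names: List[str], new_class: str,
                 classes: Dict[str, int]) -> List[AuditEvent]:
    """Return a copy of events with the named ones moved to new_class.
    An undefined class or an unknown event name is an error rather than a
    silent no-op, so a typo cannot quietly stop those events being audited."""
    if new_class not in classes:
        raise ValueError(f"class {new_class!r} is not defined in audit_class")
    wanted = set(names)
    missing = wanted - {ev.name for ev in events}
    if missing:
        raise ValueError(f"events not in audit_event: {sorted(missing)}")
    return [AuditEvent(ev.number, ev.name, ev.program, [new_class])
            if ev.name in wanted else ev for ev in events]


def parse_flags(flags_line: str, classes: Dict[str, int]) -> Tuple[int, int]:
    """Turn an audit_control flags value into (success_mask, failure_mask).
    'cls' selects both outcomes, '+cls' successes only, '-cls' failures only."""
    value = flags_line[len("flags:"):] if flags_line.startswith("flags:") else flags_line
    success = failure = 0
    for token in value.split(","):
        token = token.strip()
        if token.startswith("+"):
            success |= classes[token[1:]]
        elif token.startswith("-"):
            failure |= classes[token[1:]]
        else:
            success |= classes[token]
            failure |= classes[token]
    return success, failure


def audited(ev: AuditEvent, success_mask: int, failure_mask: int,
            classes: Dict[str, int]) -> Tuple[bool, bool]:
    """(selected on success, selected on failure) for one event."""
    ev_mask = 0
    for name in ev.flags:
        ev_mask |= classes[name]
    return bool(ev_mask & success_mask), bool(ev_mask & failure_mask)


if __name__ == "__main__":
    classes = parse_audit_class(AUDIT_CLASS_SAMPLE)
    events = remap_events(parse_audit_event(AUDIT_EVENT_SAMPLE),
                          ["AUE_SETGROUPS", "AUE_SETREUID"], "sc", classes)
    ok, fail = parse_flags("flags:lo,+sc", classes)
    for ev in events:
        print(ev.to_line(), audited(ev, ok, fail, classes))
```

Running the script prints each rewritten audit_event line next to whether the lo,+sc preselection would record it on success and on failure: the two remapped events are recorded on success only, AUE_login on both, and the untouched pc events not at all, which is exactly the gap that editing the flag field is meant to close.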