Security-relevant system actions can be audited. These auditable actions are defined as audit events. Audit events are listed in the /etc/security/audit_event file. Each auditable event is defined in the file by a symbolic name, an event number, a set of preselection classes, and a short description. See the audit_event(4) man page.
There are several categories of audit events. The primary distinction is between kernel-level events and user-level events. Events that are generated by the kernel are called kernel-level events. Events that are generated by applications are called user-level events. Kernel-level events have lower audit event numbers than user-level events, as shown in the following table.
Table 20–2 Audit Event Categories

| Number Range | Type of Event |
|---|---|
| 1–2047 | Kernel-level audit events |
| 2048–65535 | User-level audit events |
| 2048–32767 | Reserved for SunOS user-level programs |
| 32768–65535 | |
Events that are generated by the kernel are system calls. System calls have audit event numbers between 1 and 2047. The event names for kernel events begin with AUE_, followed by an uppercase mnemonic for the event. For example, the event number for the creat() system call is 4, and the event name is AUE_CREAT.
Events that are generated by application software, outside the kernel, are user-level events. User-level events range in number from 2048 to 65535. The event names begin with AUE_, followed by a lowercase mnemonic for the event. For example, the event number for the rlogin command is 6155, and the event name is AUE_rlogin. Table 20–2 shows general categories of user-related events.
Most events are attributable to an individual user, but some events are not. Events are nonattributable if the events occur at the kernel-interrupt level, or if the events occur before a user is identified and authenticated. Nonattributable events are auditable. The following example lists two nonattributable events from the /etc/security/audit_event file:
```
153:AUE_ENTERPROM:enter prom:na
6156:AUE_mountd_mount:mount:na
```
AUE_ENTERPROM is a kernel-level na event. AUE_mountd_mount is a user-level na event.
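The entry format described above (number:name:description:classes), the number ranges of Table 20–2, the naming convention (AUE_ plus an uppercase mnemonic for kernel events, lowercase for user-level events) and the na class for nonattributable events can all be checked mechanically. The following parser is an added example, not code from the Solaris documentation or the audit subsystem; it reads text in audit_event(4) format and classifies each event. The sample input is constructed for the example (the AUE_vendor_login entry in the third-party range is hypothetical), and the range boundaries are taken from the table.

```python
"""Parse and classify entries in /etc/security/audit_event format.

Added example: each line is number:name:description:classes, where classes is a
comma-separated list of preselection classes (for example lo, fc, na).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Range boundaries from Table 20-2
KERNEL_MAX = 2047        # 1-2047: kernel-level events (system calls)
SUNOS_USER_MAX = 32767   # 2048-32767: reserved for SunOS user-level programs
USER_MAX = 65535         # 32768-65535: remaining user-level range


@dataclass
class AuditEvent:
    number: int
    name: str
    description: str
    classes: List[str]

    @property
    def category(self) -> str:
        """Classify by event number alone."""
        if 1 <= self.number <= KERNEL_MAX:
            return "kernel"
        if KERNEL_MAX < self.number <= SUNOS_USER_MAX:
            return "user/sunos"
        if SUNOS_USER_MAX < self.number <= USER_MAX:
            return "user/third-party"
        return "out-of-range"

    @property
    def nonattributable(self) -> bool:
        """Events carrying the na class cannot be tied to a single user."""
        return "na" in self.classes

    def name_matches_convention(self) -> bool:
        """Kernel events use AUE_ + UPPERCASE mnemonic, user events AUE_ + lowercase."""
        if not self.name.startswith("AUE_"):
            return False
        mnemonic = self.name[len("AUE_"):]
        if self.category == "kernel":
            return mnemonic == mnemonic.upper()
        if self.category.startswith("user"):
            return mnemonic == mnemonic.lower()
        return False


def parse_audit_event_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent for one entry, or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # Split the first two fields from the left and the class list from the
    # right, so a colon inside the description does not corrupt the classes.
    number, name, rest = line.split(":", 2)
    description, flags = rest.rsplit(":", 1)
    classes = [c for c in flags.split(",") if c]
    return AuditEvent(int(number), name, description, classes)


def parse_audit_event_file(text: str) -> List[AuditEvent]:
    return [ev for ev in map(parse_audit_event_line, text.splitlines()) if ev]


# Constructed sample in audit_event(4) format; AUE_vendor_login is hypothetical.
SAMPLE_AUDIT_EVENT = """\
# constructed sample, not a copy of a real audit_event file
4:AUE_CREAT:creat(2):fc
153:AUE_ENTERPROM:enter prom:na
6155:AUE_rlogin:rlogin(1):lo
6156:AUE_mountd_mount:mount:na
40000:AUE_vendor_login:hypothetical third-party login:lo,ap
"""


def summarize(text: str) -> Dict[str, List[str]]:
    """Group event names by category, flag na events and naming violations."""
    events = parse_audit_event_file(text)
    return {
        "kernel": [e.name for e in events if e.category == "kernel"],
        "user": [e.name for e in events if e.category.startswith("user")],
        "nonattributable": [e.name for e in events if e.nonattributable],
        "naming_violations": [e.name for e in events if not e.name_matches_convention()],
    }


if __name__ == "__main__":
    for key, names in summarize(SAMPLE_AUDIT_EVENT).items():
        print(f"{key}: {names}")
```

Running the summary over a real /etc/security/audit_event (read the file instead of SAMPLE_AUDIT_EVENT) gives a quick inventory of which events are nonattributable and whether any locally added entries break the number-range or naming conventions.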