System Administration Guide: Security Services

Definitions of Audit Flags

The following table shows each predefined audit class. The table shows the audit flag, the long name, and a short description. The audit flag is the short name that stands for the class. You use these audit flags in the auditing configuration files to specify which classes of events to audit. You also use them as arguments to auditing commands, such as auditconfig. You can define new classes by modifying the audit_class file. You can also rename existing classes. See the audit_class(4) man page for more information.

Table 23–1 Predefined Audit Flags

| Short Name | Long Name | Short Description |
|---|---|---|
| all | all | All classes (meta-class) |
| no | no_class | Null value for turning off event preselection |
| na | non_attrib | Nonattributable events |
| fr | file_read | Read of data, open for reading |
| fw | file_write | Write of data, open for writing |
| fa | file_attr_acc | Access of object attributes: stat, pathconf |
| fm | file_attr_mod | Change of object attributes: chown, flock |
| fc | file_creation | Creation of object |
| fd | file_deletion | Deletion of object |
| cl | file_close | close system call |
| ap | application | Application-defined event |
| ad | administrative | Administrative actions (old administrative meta-class) |
| am | administrative | Administrative actions (meta-class) |
| ss | system state | Change system state |
| as | system-wide administration | System-wide administration |
| ua | user administration | User administration |
| aa | audit administration | Audit utilization |
| ps | process start | Process start and process stop |
| pm | process modify | Process modify |
| pc | process | Process (meta-class) |
| ex | exec | Program execution |
| io | ioctl | ioctl system call |
| ip | ipc | System V IPC operations |
| lo | login_logout | Login and logout events |
| nt | network | Network events: bind, connect, accept |
| ot | other | Miscellaneous |
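
Because these flags are typed by hand into the auditing configuration files, a misspelled flag is worth catching before the file is deployed. The following Python linter is an added example, not code from this guide or from Solaris: it checks the flag list of one configuration line against the short names in Table 23–1. The `flags:`/`naflags:` keywords and the `+`, `-`, `^` prefixes are assumptions taken from audit_control(4) rather than from this page, and the sample line is constructed.

```python
# Added example: lint one "flags:" / "naflags:" line against Table 23-1.
# Assumption (audit_control(4), not this page): a flag may carry a prefix:
#   "+" success only, "-" failure only, "^" turn off, "^+" / "^-" combined.

PREDEFINED = {
    "all", "no", "na", "fr", "fw", "fa", "fm", "fc", "fd", "cl", "ap", "ad",
    "am", "ss", "as", "ua", "aa", "ps", "pm", "pc", "ex", "io", "ip", "lo",
    "nt", "ot",
}
META = {"all", "ad", "am", "pc"}          # rows the table labels meta-class
PREFIXES = ("^+", "^-", "^", "+", "-")    # longest prefixes first


def parse_flag(token):
    """Split one token such as '^+fr' into (prefix, flag)."""
    token = token.strip()
    for prefix in PREFIXES:
        if token.startswith(prefix):
            return prefix, token[len(prefix):]
    return "", token


def lint_flags(line):
    """Return (selected, warnings) for a line such as 'flags:lo,-fw'."""
    keyword, sep, value = line.partition(":")
    if not sep or keyword.strip() not in ("flags", "naflags"):
        raise ValueError("not a flags/naflags line: %r" % line)
    selected, warnings = [], []
    for token in value.split(","):
        if not token.strip():
            continue                      # tolerate a trailing comma
        prefix, flag = parse_flag(token)
        if flag not in PREDEFINED:
            # Either a typo or a class the site added to audit_class.
            warnings.append("%s: not a predefined class" % flag)
            continue
        if flag in META:
            warnings.append("%s: meta-class, selects several classes" % flag)
        selected.append((prefix, flag))
    return selected, warnings


SAMPLE = "flags:lo,-fw,^+fr,pc,lgin"      # constructed; 'lgin' is a typo

if __name__ == "__main__":
    chosen, notes = lint_flags(SAMPLE)
    print(chosen)
    print(notes)
```

A flag reported as not predefined may be legitimate if the site has added or renamed classes in audit_class, so treat that warning as a prompt to check that file.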