The following table shows each predefined audit class. The table shows the audit flag, the long name, and a short description. The audit flag is the short name that stands for the class. You use these audit flags in the auditing configuration files to specify which classes of events to audit. You also use them as arguments to auditing commands, such as auditconfig. You can define new classes by modifying the audit_class file. You can also rename existing classes. See the audit_class(4) man page for more information.
Table 23–1 Predefined Audit Flags
Short Name |
Long Name |
Short Description |
---|---|---|
All classes (meta-class) |
||
Nonattributable events |
||
Read of data, open for reading |
||
Write of data, open for writing |
||
Access of object attributes: stat, pathconf |
||
Change of object attributes: chown, flock |
||
Creation of object |
||
Deletion of object |
||
Application-defined event |
||
Administrative actions (old administrative meta-class) |
||
Administrative actions (meta-class) |
||
Change system state |
||
System-wide administration |
||
User administration |
||
Audit utilization |
||
Process start and process stop |
||
Process modify |
||
Process (meta-class) |
||
Program execution |
||
Login and logout events |
||
Network events: bind, connect, accept |
||
Miscellaneous |