Definitions of Audit Flags (System Administration Guide: Security Services)

System Administration Guide: Security Services

Definitions of Audit Flags

The following table shows each predefined audit class. The table shows the audit flag, the long name, and a short description. The audit flag is the short name that stands for the class. You use these audit flags in the auditing configuration files to specify which classes of events to audit. You also use them as arguments to auditing commands, such as auditconfig. You can define new classes by modifying the audit_class file. You can also rename existing classes. See the audit_class(4) man page for more information.

Table 23–1 Predefined Audit Flags


Short Name	Long Name	Short Description
`all`	`all`	All classes (meta-class)
`no`	`no_class`	Null value for turning off event preselection
`na`	`non_attrib`	Nonattributable events
`fr`	`file_read`	Read of data, open for reading
`fw`	`file_write`	Write of data, open for writing
`fa`	`file_attr_acc`	Access of object attributes: `stat`, `pathconf`
`fm`	`file_attr_mod`	Change of object attributes: `chown`, `flock`
`fc`	`file_creation`	Creation of object
`fd`	`file_deletion`	Deletion of object
`cl`	`file_close`	`close` system call
`ap`	`application`	Application-defined event
`ad`	`administrative`	Administrative actions (old administrative meta-class)
`am`	`administrative`	Administrative actions (meta-class)
`ss`	`system state`	Change system state
`as`	`system-wide administration`	System-wide administration
`ua`	`user administration`	User administration
`aa`	`audit administration`	Audit utilization
`ps`	`process start`	Process start and process stop
`pm`	`process modify`	Process modify
`pc`	`process`	Process (meta-class)
`ex`	`exec`	Program execution
`io`	`ioctl`	`ioctl` system call
`ip`	`ipc`	System V IPC operations
`lo`	`login_logout`	Login and logout events
`nt`	`network`	Network events: `bind`, `connect`, `accept`
`ot`	`other`	Miscellaneous