System Administration Guide: Security Services

How to Add Audit Events

Audit event definitions are stored in the /etc/security/audit_event file.

  1. Become superuser or assume an equivalent role.

  2. (Optional) Save a backup copy of the audit_event file.


    # cp /etc/security/audit_event /etc/security/audit_event.save
    
  3. Add new entries to the audit_event file.

    Each entry has the following format:


    number:name:description:classes
    
    number

    Defines a unique audit event number, which must start after 32767.

    name

    Defines the unique audit event name.

    description

    Describes the audit event. Often includes the name of the man page for the audit event.

    classes

    Selects the audit classes that include this event.

  4. Make the new data available to the auditing daemon.

    To use the new data, either reboot the system, or type the following command:


    # auditconfig -conf
    

Example—Adding a New Audit Event

This example shows an entry that defines a new audit event for a local application.


    # grep localapp /etc/security/audit_event
    32768:AUE_localapp:localapp(1):ta
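
A pre-check for step 3, as an added example that is not part of the original guide: it rejects a candidate entry that does not have four fields, whose number does not come after 32767, or whose number or name is already defined in the file. The function names, the constructed sample file, the AUE_otherapp entry in the usage comment, and the treatment of `#` lines as comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): validate a candidate audit_event entry
# against the rules in step 3 before appending it to the file.
# Usage: check_audit_event_entry FILE 'number:name:description:classes'
#   e.g. check_audit_event_entry /etc/security/audit_event \
#            '32769:AUE_otherapp:otherapp(1):ta'      (constructed entry)
# Prints the reason and returns 1 on rejection; returns 0 if acceptable.
check_audit_event_entry() {
    ENTRY=$2 awk -F: '
        BEGIN {
            # Check the candidate itself before looking at the file.
            n = split(ENVIRON["ENTRY"], f, ":")
            if (n != 4)                  msg = "expected number:name:description:classes"
            else if (f[1] !~ /^[0-9]+$/) msg = "event number is not numeric: " f[1]
            else if (f[1] + 0 <= 32767)  msg = "event number must be after 32767: " f[1]
            else if (f[2] == "")         msg = "event name is empty"
            else if (f[4] == "")         msg = "no audit classes selected"
            if (msg != "") exit          # skip the file scan, go straight to END
        }
        /^[ \t]*#/ || NF < 2 { next }    # assumption: "#" lines are comments
        # Both the number and the name must be unique among existing entries.
        $1 + 0 == f[1] + 0 { msg = "event number already in use: " $1; exit }
        $2 == f[2]         { msg = "event name already in use: " $2; exit }
        END { if (msg != "") { print "rejected: " msg; exit 1 } }
    ' "$1"
}

# Writes a constructed sample file (not a real system file) and prints its
# path, so the check can be tried without touching /etc/security.
make_sample_audit_event() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
# constructed sample entries
32768:AUE_localapp:localapp(1):ta
EOF
    printf '%s\n' "$sample"
}
```

Run the check against the live file before editing it, and append the entry only when the function returns 0.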