Audit Classes

Oracle Solaris defines audit classes as convenient containers for large numbers of audit events

You can reconfigure audit classes and make new audit classes. Audit class names can be up to 8 characters in length. The class description is limited to 72 characters. Numeric and non-alphanumeric characters are allowed.

For details, see the audit_class(4) man page.

Definitions of Audit Classes

The following table shows each predefined audit class, the descriptive name for each audit class, and a short description.

Table 31-1 Predefined Audit Classes

Audit Flag	Descriptive Name	Description
`aa`	`audit utilization`	Audit utilization
`ad`	`old administrative`	Administrative actions (old administrative metaclass)
`all`	`all`	All classes (metaclass)
`am`	`administrative`	Administrative actions (metaclass)
`ap`	`application`	Application-defined event
`as`	`system-wide administration`	System-wide administration
`cl`	`file close`	`close` system call
`cy`	`cryptographic`	Cryptographic operations
`ex`	`exec`	Program execution
`fa`	`file attribute access`	Access of object attributes: `stat`, `pathconf`
`fc`	`file create`	Creation of object
`fd`	`file delete`	Deletion of object
`fm`	`file attribute modify`	Change of object attributes: `chown`, `flock`
`fr`	`file read`	Read of data, open for reading
`ft`	`sftp`	SFTP transactions
`fw`	`file write`	Write of data, open for writing
`io`	`ioctl`	`ioctl()` system call
`ip`	`ipc`	System V IPC operations
`lo`	`login or logout`	Login and logout events
`na`	`non_attribute`	Non-attributable events
`no`	`invalid class`	Null value for turning off event preselection
`nt`	`network`	Network events: `bind`, `connect`, `accept`
`ot`	`other`	Miscellaneous, such as device allocation and `memcntl()`
`pc`	`process`	Process (metaclass)
`pm`	`process modify`	Process modify
`ps`	`process start/stop`	Process start and process stop
`ss`	`change system state`	Change system state
`ua`	`user administration`	User administration
Trusted Extensions classes	`xc`, `xp`, `xs`, and `xx`	Chapter 24, Trusted Extensions Auditing (Overview), in Oracle Solaris Trusted Extensions Configuration and Administration

You can define new classes by modifying the /etc/security/audit_class file. You can also rename existing classes. For more information, see the audit_class(4) man page and How to Add an Audit Class.

Audit Class Syntax

Events in an audit class can be audited for success, events can be audited for failure, and events can be audited for both. Without a prefix, a class of events is audited for success and for failure. With a plus (+) prefix, a class of events is audited for success only. With a minus (-) prefix, a class of events is audited for failure only. The following table shows some possible representations of audit classes.

Table 31-2 Plus and Minus Prefixes to Audit Classes

`[prefix]class`	Explanation
`lo`	Audit all successful attempts to log in and log out, and all failed attempts to log in. A user cannot fail an attempt to log out. This class includes screenlock and role assumption. For details, run the `auditrecord -c lo` command.
`+lo`	Audit all successful attempts to log in and log out.
`-all`	Audit all failed events.
`+all`	Audit all successful events.

Caution - The all class can generate large amounts of data and quickly fill up disks. Use the all class only if you have extraordinary reasons to audit all activities.

Audit classes that were previously selected can be further modified by a caret prefix, ^. The following table shows how the caret prefix modifies a preselected audit class.

Table 31-3 Caret Prefix That Modifies Already-Specified Audit Classes

`^`[`prefix`]`class`	Explanation
`-all,^-fc`	Audit all failed events, except do not audit failed attempts to create file objects
`ad,^+aa`	Audit all administrative events for success and for failure, except do not audit successful attempts to use auditing
`am,^ua`	Audit all administrative events for success and for failure, except do not audit user administration events

The audit classes and their prefixes can be specified in the following commands:

As arguments to the auditconfig command options -setflags and -setnaflags.
As values for the p_flags parameter to the audit_syslog plugin. You specify the parameter as an option to the auditconfig -setplugin audit_syslog active command.
As values for always-audit-flags:always-never-audit-flags when the profiles, useradd, usermod, roleadd, or rolemod command is used to specify user exceptions to the system-wide audit mask. The values are specified by using the -K audit_flags option.

Skip Navigation Links
Exit Print View
	System Administration Guide: Security Services Oracle Solaris 11 Express 11/10