System Administration Guide: Security Services     Oracle Solaris 10 8/11 Information Library

Audit Classes

System-wide defaults for Oracle Solaris auditing are preselected by specifying one or more classes of events. The classes are preselected for each system in the system's audit_control file. Anyone who uses the system is audited for these classes of events. The file is described in audit_control File.

You can configure audit classes and make new audit classes. Audit class names can be up to 8 characters in length. The class description is limited to 72 characters. Numeric and non-alphanumeric characters are allowed.

You can modify what is audited for individual users by adding audit classes to a user's entry in the audit_user database. The audit classes are also used as arguments to the auditconfig command. For details, see the auditconfig(1M) man page.

Definitions of Audit Classes

The following table shows each predefined audit class, the descriptive name for each audit class, and a short description.

Table 31-1 Predefined Audit Classes

| Audit Class | Descriptive Name | Description |
|---|---|---|
| all | all | All classes (metaclass) |
| no | no_class | Null value for turning off event preselection |
| na | non_attrib | Nonattributable events |
| fr | file_read | Read of data, open for reading |
| fw | file_write | Write of data, open for writing |
| fa | file_attr_acc | Access of object attributes: stat, pathconf |
| fm | file_attr_mod | Change of object attributes: chown, flock |
| fc | file_creation | Creation of object |
| fd | file_deletion | Deletion of object |
| cl | file_close | close system call |
| ap | application | Application-defined event |
| ad | administrative | Administrative actions (old administrative metaclass) |
| am | administrative | Administrative actions (metaclass) |
| ss | system state | Change system state |
| as | system-wide administration | System-wide administration |
| ua | user administration | User administration |
| aa | audit administration | Audit utilization |
| ps | process start | Process start and process stop |
| pm | process modify | Process modify |
| pc | process | Process (metaclass) |
| ex | exec | Program execution |
| io | ioctl | ioctl() system call |
| ip | ipc | System V IPC operations |
| lo | login_logout | Login and logout events |
| nt | network | Network events: bind, connect, accept |
| ot | other | Miscellaneous, such as device allocation and memcntl() |

You can define new classes by modifying the /etc/security/audit_class file. You can also rename existing classes. For more information, see the audit_class(4) man page.

Audit Class Syntax

Events can be audited for success, events can be audited for failure, and events can be audited for both. Without a prefix, a class of events is audited for success and for failure. With a plus (+) prefix, a class of events is audited for success only. With a minus (-) prefix, a class of events is audited for failure only. The following table shows some possible representations of audit classes.

Table 31-2 Plus and Minus Prefixes to Audit Classes

| [prefix]class | Explanation |
|---|---|
| lo | Audit all successful attempts to log in and log out, and all failed attempts to log in. A user cannot fail an attempt to log out. |
| +lo | Audit all successful attempts to log in and log out. |
| -all | Audit all failed events. |
| +all | Audit all successful events. |

Caution - The all class can generate large amounts of data and quickly fill audit file systems. Use the all class only if you have extraordinary reasons to audit all activities.

Audit classes that were previously selected can be further modified by a caret prefix, ^. The following table shows how the caret prefix modifies a preselected audit class.

Table 31-3 Caret Prefix That Modifies Already-Specified Audit Classes

| ^[prefix]class | Explanation |
|---|---|
| -all,^-fc | Audit all failed events, except do not audit failed attempts to create file objects |
| am,^+aa | Audit all administrative events for success and for failure, except do not audit successful attempts to administer auditing |
| am,^ua | Audit all administrative events for success and for failure, except do not audit user administration events |
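The prefix rules in Tables 31-2 and 31-3 are easiest to check by computing the masks they produce. The following Python is an added example, not code from Oracle Solaris: it reads an audit_class(4)-style mask:name:description list and folds a flags string of the kind used in audit_control and on the auditconfig command line into a success mask and a failure mask. The sample audit_class text and its mask values are constructed for this example (am is defined here as ss, as, ua and aa combined so that the caret rows of Table 31-3 have something to subtract) and are not the masks shipped with Solaris.

```python
"""Translate audit class preselection strings into the success and
failure bitmasks that the +, - and ^ prefixes describe.

Added illustration, not code from Oracle Solaris. The audit_class(4)
line layout (mask:name:description) is real; the masks in the sample
below are constructed for this example and are not the shipped values.
"""

# Constructed sample in audit_class(4) layout. The masks are made up for
# the example: metaclass am is defined here as ss|as|ua|aa.
SAMPLE_AUDIT_CLASS = """\
# mask:name:description
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:file close
0x00001000:lo:login or logout
0x00010000:ss:change system state
0x00020000:as:system-wide administration
0x00040000:ua:user administration
0x00080000:aa:audit utilization
0x000f0000:am:administrative (metaclass)
0xffffffff:all:all classes (metaclass)
"""

ALL_BITS = 0xFFFFFFFF


def parse_audit_class(text):
    """Return {class name: mask} from audit_class(4)-format text."""
    classes = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        mask, name, _description = line.split(":", 2)
        classes[name] = int(mask, 16)
    return classes


def parse_flags(flags, classes):
    """Return (success_mask, failure_mask) for a comma-separated flags
    string such as 'lo,-all,^-fc'.

    Rules from the documentation:
      class   audit the class for success and for failure
      +class  audit for success only
      -class  audit for failure only
      ^       remove what the rest of the item would select from the
              classes already selected to its left
    """
    success = failure = 0
    for item in flags.split(","):
        item = item.strip()
        if not item:
            continue
        negate = item.startswith("^")
        if negate:
            item = item[1:]
        want_success = want_failure = True
        if item.startswith("+"):
            want_failure = False
            item = item[1:]
        elif item.startswith("-"):
            want_success = False
            item = item[1:]
        if item not in classes:
            raise ValueError(f"unknown audit class {item!r}")
        mask = classes[item]
        if negate:
            if want_success:
                success &= ~mask
            if want_failure:
                failure &= ~mask
        else:
            if want_success:
                success |= mask
            if want_failure:
                failure |= mask
    return success & ALL_BITS, failure & ALL_BITS


def class_names(mask, classes):
    """Sorted names of the single-bit classes covered by mask.
    Metaclasses (several bits) and the zero-valued 'no' class are skipped."""
    return sorted(name for name, m in classes.items()
                  if m and m & (m - 1) == 0 and mask & m == m)


if __name__ == "__main__":
    table = parse_audit_class(SAMPLE_AUDIT_CLASS)
    for spec in ("lo", "+lo", "-all", "+all", "-all,^-fc", "am,^+aa", "am,^ua"):
        ok, fail = parse_flags(spec, table)
        print(f"{spec:12} success=0x{ok:08x} failure=0x{fail:08x}")
        print(f"{'':12} failure classes: {class_names(fail, table)}")
```

Because the caret only subtracts from what is already selected to its left, order matters: with this parser, as with the documented semantics, "^-fc,-all" still audits failed file creation, whereas "-all,^-fc" excludes it.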

The audit classes and their prefixes can be used in the following files and commands:

See audit_control File for an example of using the prefixes in the audit_control file.