/etc/security/audit_event is a user-configurable ASCII system file that stores event definitions used in the audit system. As part of this definition, each event is mapped to one or more of the audit classes defined in audit_class(4). See auditconfig(1M) and user_attr(4) for information about changing the preselection of audit classes in the audit system.
The fields for each event entry are separated by colons. Each event is separated from the next by a NEWLINE. Each entry in the audit_event file has the form:
The fields are defined as follows:
Event number ranges are assigned as follows:
Reserved as an invalid event number.
Reserved for the Solaris Kernel events.
Reserved for the Solaris TCB programs.
Available for third party TCB applications.
System administrators must not add, delete, or modify (except to change the class mapping), events with an event number less than 32768. These events are reserved by the system.
Flags specifying classes to which the event is mapped. Classes are comma separated, without spaces.
Obsolete events are commonly assigned to the special class no (invalid) to indicate they are no longer generated. Obsolete events are retained to process old audit trail files. Other events which are not obsolete may also be assigned to the no class.
The following is an example of some audit_event file entries:
7:AUE_EXEC:exec(2):ps,ex 79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw 6152:AUE_login:login - local:lo 6153:AUE_logout:logout:lo 6154:AUE_telnet:login - telnet:lo 6155:AUE_rlogin:login - rlogin:lo
See attributes(5) for descriptions of the following attributes:
The file format stability is Committed. The file content is Uncommitted.
This functionality is available only if Solaris Auditing has been enabled.