Managing Auditing in Oracle® Solaris 11.2


Updated: July 2014

Audit Events

Audit events represent auditable actions on a system. Audit events are listed in the /etc/security/audit_event file. Each audit event is connected to a system call or user command, and is assigned to one or more audit classes. For a description of the format of the audit_event file, see the audit_event (4) man page.

For example, the AUE_EXECVE audit event audits the execve() system call. The command auditrecord -e execve displays this entry:

# auditrecord -e execve
execve
system call execve               See execve(2)
event ID    23                   AUE_EXECVE
class       ps,ex                (0x0000000040100000)
header
path
[attribute]                  omitted on error
[exec_arguments]             output if argv policy is set
[exec_environment]           output if arge policy is set
subject
[use_of_privilege]
return

When you preselect either the audit class ps or the audit class ex, then every execve() system call is recorded in the audit queue.

Auditing handles attributable and non-attributable events. Audit policy divides events into synchronous and asynchronous events, as follows:

  • Attributable events – Events that can be attributed to a user. The execve() system call can be attributed to a user, so the call is considered an attributable event. All attributable events are synchronous events.

  • Non-attributable events – Events that occur at the kernel-interrupt level or before a user is authenticated. The na audit class handles audit events that are non-attributable. For example, booting the system is a non-attributable event. Most non-attributable events are asynchronous events. However, non-attributable events that have associated processes, such as a failed login, are synchronous events.

  • Synchronous events – Events that are associated with a process in the system. Synchronous events are the majority of system events.

  • Asynchronous events – Events that are not associated with any process, so no process is available to be blocked and later started. Initial system boot and PROM enter and exit events are examples of asynchronous events.

In addition to the audit events that are defined by the audit service, third-party applications can generate audit events. Audit event numbers from 32768 to 65535 are available for third-party applications. Vendors need to contact their Oracle Solaris representative to reserve event numbers and obtain access to the audit interfaces.
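The following example is added here to illustrate the mechanics the section describes (the audit_event and audit_class file layouts, how a preselected class such as ps or ex causes AUE_EXECVE to be recorded, and the 32768-65535 range reserved for third-party events); it is not Oracle's code and not part of the original page. It assumes the colon-separated field layouts documented in audit_event(4) ("number:name:description:classes") and audit_class(4) ("mask:name:description"). The sample lines and the individual class masks are constructed; the ps and ex masks were chosen so that their combination equals the 0x0000000040100000 shown in the auditrecord output above, not copied from a shipped system.

```python
"""Parse audit_event(4)/audit_class(4)-style lines and work out which events a
given class preselection would record.  Added example; the sample data below is
constructed and the per-class masks are assumptions, not the shipped values."""

from dataclasses import dataclass
from typing import Dict, List

# Constructed audit_class(4)-style lines: mask:name:description.
# ps and ex are chosen so that ps|ex == 0x40100000, matching the page's auditrecord output.
SAMPLE_AUDIT_CLASS = """\
# audit class file (constructed sample)
0x0000000000000000:no:invalid class
0x0000000000000400:na:non-attributable
0x0000000000001000:lo:login or logout
0x0000000000100000:ex:exec
0x0000000040000000:ps:process start/stop
"""

# Constructed audit_event(4)-style lines: number:name:description:classes.
SAMPLE_AUDIT_EVENT = """\
# audit event file (constructed sample)
23:AUE_EXECVE:execve(2):ps,ex
113:AUE_SYSTEMBOOT:system booted:na
6152:AUE_login:login - local:lo
32768:AUE_vendor_app_start:vendor application start:ex
"""

# Event numbers the page says are reserved for third-party applications.
THIRD_PARTY_RANGE = range(32768, 65536)


@dataclass
class AuditEvent:
    number: int
    name: str
    description: str
    classes: List[str]


def parse_audit_class(text: str) -> Dict[str, int]:
    """Return {class name: mask}; comment and blank lines are skipped."""
    masks: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mask, name, _description = line.split(":", 2)
        masks[name] = int(mask, 16)
    return masks


def parse_audit_event(text: str) -> List[AuditEvent]:
    """Return the events in file order; comment and blank lines are skipped."""
    events: List[AuditEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        number, name, description, classes = line.split(":", 3)
        class_names = [c.strip() for c in classes.split(",") if c.strip()]
        events.append(AuditEvent(int(number), name, description, class_names))
    return events


def class_mask(flags: str, masks: Dict[str, int]) -> int:
    """OR together the masks named in a comma-separated flags string such as 'ps,ex'.
    An unknown class name raises KeyError on purpose: a typo in a preselection
    should fail loudly rather than silently audit nothing."""
    mask = 0
    for name in flags.split(","):
        name = name.strip()
        if name:
            mask |= masks[name]
    return mask


def recorded_events(flags: str, events: List[AuditEvent], masks: Dict[str, int]) -> List[str]:
    """Names of events that a preselection of `flags` would record: an event is
    recorded when any of its classes is preselected, i.e. the masks overlap."""
    preselected = class_mask(flags, masks)
    return [e.name for e in events
            if class_mask(",".join(e.classes), masks) & preselected]


def is_third_party_event(event: AuditEvent) -> bool:
    """True if the event number lies in the range reserved for vendors."""
    return event.number in THIRD_PARTY_RANGE


if __name__ == "__main__":
    masks = parse_audit_class(SAMPLE_AUDIT_CLASS)
    events = parse_audit_event(SAMPLE_AUDIT_EVENT)
    print("ps,ex mask: 0x%016x" % class_mask("ps,ex", masks))
    for flags in ("ps", "ex", "lo", "na"):
        print("preselect %-3s -> %s" % (flags, recorded_events(flags, events, masks)))
    for e in events:
        print("%5d %-22s third-party: %s" % (e.number, e.name, is_third_party_event(e)))
```

Running the block prints the combined ps,ex mask as 0x0000000040100000 and shows that preselecting either ps or ex alone is enough for AUE_EXECVE to be recorded, exactly as the section states. Success/failure modifiers on preselection flags (the + and - prefixes accepted by the audit service) are not modelled here; the example only covers the class-membership test.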