The following terms are used to describe the audit service. Some definitions include pointers to more complete descriptions.
An audit class that is supplied as an argument to a command or keyword. A flag can be prefixed by a plus sign or minus sign to indicate that the class is audited for success (+) or failure (-). A preceding caret (^) indicates that a success is not to be audited (^+) or a failure is not to be audited (^-).
A module that transfers the audit records in the queue to a specified location. The audit_binfile plugin creates binary audit files. Binary files comprise the audit trail, which is stored on audit file systems. The audit_remote plugin sends binary audit records to a remote repository. The audit_syslog plugin summarizes selected audit records in the syslog logs.
A set of auditing options that you can enable or disable at your site. You can specify whether to record certain kinds of audit data, and whether to suspend auditable actions when the audit queue is full.
For more information, see Audit Trail.
For more information, see Audit Plugin Modules.
The choice of which audit events to examine in the audit trail. The default active plugin, audit_binfile, creates the audit trail. A post-selection tool, the auditreduce command, selects records from the audit trail.
The choice of which audit classes to monitor. The audit events of preselected audit classes are collected in the audit queue. Audit classes that are not preselected are not audited, so their events do not appear in the queue.
A file that is owned by the root user and readable by the world. For example, files in the /etc directory and the /usr/bin directory are public objects. Public objects are not audited for read-only events. For example, even if the file_read (fr) audit class is preselected, the reading of public objects is not audited. You can override the default by changing the public audit policy option.
The audit remote server (ARS) that receives and stores audit records from a system that is being audited and is configured with an active audit_remote plugin. To distinguish an audited system from an ARS, the audited system can be referred to as the “locally audited system.”
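The flag prefixes, class preselection, and public-object rule defined above, modeled together as an added example that is not part of the audit service or its documentation. The function names, the sample flag list (`lo` and `fw` alongside the `fr` class mentioned above), the treatment of an unprefixed flag as covering both outcomes, and the restriction of the public-object rule to the `fr` class are assumptions made for illustration.

```python
# Added example: a model of audit-flag preselection (hypothetical names).
import re

# Optional caret, optional +/- sign, then the audit class name.
FLAG_RE = re.compile(r"^(\^?)([+-]?)([a-z]+)$")

def parse_flags(spec):
    """Return {class: {"success": bool, "failure": bool}} for a flag list.

    Flags are applied left to right, so a later caret-prefixed flag can
    switch off part of what an earlier flag switched on.
    """
    selected = {}
    for raw in spec.split(","):
        flag = raw.strip()
        match = FLAG_RE.match(flag)
        if not match:
            raise ValueError(f"malformed audit flag: {flag!r}")
        caret, sign, cls = match.groups()
        state = selected.setdefault(cls, {"success": False, "failure": False})
        # Assumption: a flag with no sign applies to both outcomes.
        outcomes = {"+": ["success"], "-": ["failure"],
                    "": ["success", "failure"]}[sign]
        for outcome in outcomes:
            state[outcome] = not caret  # a caret means "do not audit"
    return selected

def is_audited(selected, cls, succeeded, public_object=False, public_policy=False):
    """Decide whether an event of class `cls` reaches the audit queue."""
    state = selected.get(cls)
    if state is None:
        return False  # class was not preselected
    # Reads of public objects are skipped unless the public policy is set.
    # Simplification: only the fr class is treated as a read-only event.
    if cls == "fr" and public_object and not public_policy:
        return False
    return state["success" if succeeded else "failure"]

if __name__ == "__main__":
    flags = parse_flags("lo,fr,^-fr,-fw")  # constructed sample flag list
    for cls, state in flags.items():
        print(cls, state)
    print("public read audited:", is_audited(flags, "fr", True, public_object=True))
```

The public-object check shows why a preselected `fr` class still leaves reads of world-readable, root-owned files out of the audit trail until the public policy option is changed.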