Go to main content

Managing Auditing in Oracle® Solaris 11.3

Exit Print View

Updated: December 2018
 
 

Audit Classes

Oracle Solaris defines audit classes as convenient containers for large numbers of audit events.

You can reconfigure audit classes and make new audit classes. Audit class names can be up to 8 characters in length. The class description is limited to 72 characters. Numeric and non-alphanumeric characters are allowed. For more information, see the audit_class(4) man page and How to Add an Audit Class.


Caution

Caution  - The all class can generate large amounts of data and quickly fill disks. Use the all class only if you have extraordinary reasons to audit all activities.


Audit Class Syntax

    Events in an audit class can be audited for success, for failure, and for both.

  • Without a prefix, a class of events is audited for success and for failure.

  • With a plus (+) prefix, a class of events is audited for success only.

  • With a minus (-) prefix, a class of events is audited for failure only.

  • To modify a current preselection, add a caret (^) preceding a prefix or an audit flag. For example:

    • If ot is preselected for the system, and a user's preselection is ^ot, that user is not audited for events in the other class.

    • If +ot is preselected for the system, and a user's preselection is ^+ot, that user is not audited for successful events in the other class.

    • If -ot is preselected for the system, and a user's preselection is ^-ot, that user is not audited for failed events in the other class.

To review the syntax of audit class preselection, see the audit_flags(5) man page.

    The audit classes and their prefixes can be specified in the following commands:

  • As arguments to the auditconfig command options –setflags and –setnaflags.

  • As values for the p_flags attribute to the audit_syslog plugin. You specify the attribute as an option to the auditconfig -setplugin audit_syslog active command.

  • As values for the –K audit_flags=always-audit-flags:never-audit-flags option to the useradd, usermod, roleadd, and rolemod commands.

  • As values for the –always_audit and –never_audit properties of the profiles command.