audit_class - audit class definitions
/etc/security/audit_class is an administrator configurable system file that stores class definitions used in the audit system. Audit events in audit_event(5) are mapped to one or more of the defined audit classes. audit_event can be updated in conjunction with changes to audit_class. See auditconfig(8) and user_attr(5) for information about changing the preselection of audit classes in the audit system.
The fields for each class entry are separated by colons. Each class entry is a bitmap, and entries are separated from one another by a NEWLINE.
Each entry in the audit_class file has the form:
The fields are defined as follows:
Each class is represented as a bit in the 64-bit class mask. There are 64 different classes available. Meta-classes can also be defined. Meta-classes are supersets composed of multiple base classes, and have more than one bit set in the mask. See EXAMPLES.
Two special meta-classes are pre-defined: all and no.
all
    Represents a conjunction of all allowed classes, and is provided as a shorthand method of specifying all classes.
no
    Is the invalid class, and any event mapped solely to this class is not audited. Turning auditing on for the all meta-class does not cause events mapped solely to the no class to be written to the audit trail. This class is also used to map obsolete events which are no longer generated. Obsolete events are retained to process old audit trail files.
The mask positions 0xff00000000000000 are reserved for local site use.
The following is an example of an audit_class file:
0x0000000000000000:no:invalid class
0x0000000000000001:fr:file read
0x0000000000000002:fw:file write
0x0000000000000004:fa:file attribute access
0x0000000000000008:fm:file attribute modify
0x0000000000000010:fc:file create
0x0000000000000020:fd:file delete
0x0000000000000040:cl:file close
0x0000000000000080:ft:file transfer
0x0000000000000100:nt:network
0x0000000000000200:ip:ipc
0x0000000000000400:na:non-attribute
0x0000000000001000:lo:login or logout
0x0000000000004000:ap:application
0x00000000000f0000:ad:old administrative (meta-class)
0x0000000000070000:am:administrative (meta-class)
0x0000000000010000:ss:change system state
0x0000000000020000:as:system-wide administration
0x0000000000040000:ua:user administration
0x0000000000080000:aa:audit utilization
0x0000000000300000:pc:process (meta-class)
0x0000000000100000:ps:process start/stop
0x0000000000200000:pm:process modify
0x0000000020000000:io:ioctl
0x0000000040000000:ex:exec
0x0000000080000000:ot:other
0xffffffffffffffff:all:all classes (meta-class)
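The following is an added example, not part of the original manual page: a small linter that parses entries in this format, expands a meta-class into its base classes, and reports the conditions this page calls out (a non-zero no class, use of the mask positions reserved for local site use, and bits that match no base class). The function names, the zz class and the sample entries are constructed for illustration, as is the assumption that lines starting with # are comments.

```python
# Added example: lint audit_class entries. SAMPLE is constructed, not a real system file.
RESERVED_LOCAL = 0xFF00000000000000  # mask positions reserved for local site use

SAMPLE = """\
0x0000000000000000:no:invalid class
0x0000000000010000:ss:change system state
0x0000000000020000:as:system-wide administration
0x0000000000040000:ua:user administration
0x0000000000070000:am:administrative (meta-class)
0x0100000000000000:zz:constructed local site class
0xffffffffffffffff:all:all classes (meta-class)
"""

def parse(text):
    """Return {name: mask} from colon-separated 'mask:name:description' lines."""
    classes = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # assumption: '#' marks a comment line
            continue
        fields = line.split(":", 2)
        if len(fields) != 3 or int(fields[0], 16) >> 64:
            raise ValueError(f"line {lineno}: want mask:name:description, mask <= 64 bits")
        classes[fields[1]] = int(fields[0], 16)
    return classes

def base_classes(classes):
    """Map bit -> name for entries with exactly one bit set (base classes)."""
    return {m: n for n, m in classes.items() if m and m & (m - 1) == 0}

def expand(name, classes):
    """Names of the base classes whose bit is set in the named class's mask."""
    return sorted(n for m, n in base_classes(classes).items() if classes[name] & m)

def lint(classes):
    """Report a non-zero 'no', use of local-site bits, and undefined bits."""
    findings = []
    defined = sum(base_classes(classes))  # distinct single bits, so sum equals OR
    if classes.get("no", 0) != 0:
        findings.append("no: mask is non-zero")
    for name, mask in classes.items():
        if name == "all":  # shorthand for every class; not checked bit by bit
            continue
        if mask & RESERVED_LOCAL:
            findings.append(f"{name}: uses local-site bits {mask & RESERVED_LOCAL:#018x}")
        if mask & ~defined:
            findings.append(f"{name}: bits {mask & ~defined:#018x} match no base class")
    return findings
```

Running lint() against a copy of the file before refreshing the service gives a quick review point for unexpected local-site classes or a redefined no class.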
See attributes(7) for descriptions of the following attributes:
The file format stability is Committed. The file content is Uncommitted.
Redefining the no class to have a non-zero value can have undesirable side effects.
For changes to this file to be effective immediately, refresh svc:/system/auditset:default. For example:
# svcadm refresh svc:/system/auditset:default
The auditrecord -c <class list> command displays the audit records in that class or meta-class.