Go to main content

man pages section 5: File Formats

Exit Print View

Updated: Thursday, June 13, 2019
 
 

audit_event(5)

Name

audit_event - audit event definition and class mapping

Synopsis

/etc/security/audit_event

Description

/etc/security/audit_event is a user-configurable ASCII system file that stores event definitions used in the audit system. As part of this definition, each event is mapped to one or more of the audit classes defined in audit_class(5). See auditconfig(8) and user_attr(5) for information about changing the preselection of audit classes in the audit system.

The fields for each event entry are separated by colons. Each event is separated from the next by a NEWLINE. Each entry in the audit_event file has the form:


event-number:event-name:event-description:event-classes

The fields are defined as follows:

event-number

Event number. Ranges for event number are assigned as follows:

0

Reserved as an invalid event number.

1-2047

Reserved for the Solaris Kernel events. The kernel event table, and possibly MAX_KEVENTS, must be updated in audit_kevents.h when changes are made to kernel events. Allocation of Solaris Kernel events:

0

The kernel event table must start with AUE_NULL

1-511

Allocated for Solaris

512-2047

Reserved but not allocated

2048-65535

Allocated for user level audit events. Allocation of user level audit events:

2048-5999

Reserved but not allocated

6000-9999

Allocated for Solaris

10000-32767

Reserved but not allocated

32768-65535

Available for third party applications

event-name

Event name.

event-description

Event description.

event-classes

Specifies classes to which the event is mapped. Classes are comma separated, without spaces and may be added for any event other than those with the no class.

Obsolete events are commonly assigned to the special class no (invalid) to indicate they are no longer generated. Obsolete events are retained to process old audit trail files. Other events which are not obsolete may also be assigned to the no class.

Examples

Example 1 Using the audit_event File

The following is an example of some audit_event file entries:

7:AUE_EXEC:exec(2):ps,ex
79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw
6152:AUE_login:login - local:lo
6153:AUE_logout:logout:lo
6154:AUE_telnet:login - telnet:lo
6155:AUE_rlogin:login - rlogin:lo

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE
ATTRIBUTE VALUE
Interface Stability
See below.

The file format stability is Committed. The file content is Uncommitted.

Files

/etc/security/audit_event

See Also

audit_class(5), user_attr(5), auditconfig(8)

Notes

This functionality is available only if Solaris Auditing has been enabled.

For changes to this file to be effective immediately, refresh svc:/system/auditset:default. For example:

# svcadm refresh svc:/system/auditset:default

Third party developers wishing to use the audit interfaces must contact the Solaris Audit team through their Oracle representative.