audit_tags(5)
Name
audit_tags - audit tag definitions
Synopsis
/etc/security/audit_tags
Description
The /etc/security/audit_tags file is a local source for tags used in the
audit system. The audit_tags file can be used with other tag sources (see
FILES). Audit tags can be used in audit trail post-selection to filter records at a
high level, typically at a subsystem level, such as selecting only network-related events or
only filesystem events. See auditreduce(8) for more information. The auditreduce(8) command also allows an alternate audit tags file to be specified.
Each tag is composed of one or more tag entries. The fields of each tag entry are
separated by colons, and tag entries are separated from each other by newlines.
Each entry in the audit_tags file has the following form:
provider:name:type:value
The fields are defined as follows:
- provider
  creator of the entry (company or software name, etc.)
- name
  tag name
- type
  one of: event, class, path, priv, or auth
- value
  name or other value to be matched in the record.
  This might be in the form of a Perl-compatible regular expression (see
  pcresyntax(3)). A value delimited by double quotes is interpreted as a PCRE.
Description of allowed types:
- event
  matches all records with the specified event name. See audit_event(5) for more information.
- class
  matches all records which belong to the specified class. See audit_class(5) for more information.
- path
  matches all records containing the specified path name.
- priv
  matches all records containing the specified privilege name. See privileges(7) for more information.
- auth
  matches all records containing the specified authorization name. See auth_attr(5) for more information.
Tag names are listed with the auditconfig command. For more
information, see the auditconfig(8) man page.
Default matching behavior (when the value field is not a regular expression) is
case-insensitive string matching. For the path, priv, and auth types, the
substring specified in the value field must be contained within the corresponding
name in the audit record. Values for the other types are also matched case-insensitively.
Lines beginning with # are comments; every other line contains one entry as
part of a tag definition. Tags are defined by any number of entries. If a given record matches
any entry, then the tag corresponding to that entry applies to the record.
Tags may overlap, that is, an audit record may match one or more tags; an
event or class (etc.) may be listed for more than one
tag. Tag definitions need not be minimal; there can be some redundancy.
Tag and provider names may each be up to AU_TAGS_NAME_MAX characters.
The value field may be up to AU_TAGS_VALUE_MAX characters. See
<security/libaudit.h> for more information.
Examples
Example 1 Using the event type:
solaris:net:event:AUE_netcfg_update
This entry specifies that the AUE_netcfg_update audit event matches
the net tag.
Example 2 Tags with multiple entries:
The following entries compose a definition for the file tag:
solaris:file:class:fa
solaris:file:priv:file_
The first entry specifies that any record in the fa class belongs to
the file tag. The second entry specifies that any record whose
privilege string includes the value file_* also matches the
file tag.
Example 3 Using a regular expression:
solaris:dump:path:"[\S]*/coreadm$"
This entry specifies that an event with a path token having a final
component file name of coreadm matches the dump
tag.
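The following is an added example (not Solaris code and not taken from this man page) that parses audit_tags entries in the provider:name:type:value form described above and applies them to simplified audit records, using the four entries from Examples 1 through 3 as constructed input. It assumes that the value field is everything after the third colon, that a double-quoted value is compiled as a regular expression with Python's re module standing in for PCRE, that event and class values are compared case-insensitively as whole names, and that path, priv and auth values are case-insensitive substrings; the record dictionaries and the 'classes', 'paths', 'privs' and 'auths' keys are a constructed stand-in for real audit record tokens.

```python
"""Parse audit_tags(5)-style entries and apply them to audit records.

Added example, not Solaris code. Assumptions (not stated by the man page):
the value field is the remainder of the line after the third colon; a
double-quoted value is compiled with Python's re module in place of PCRE;
event and class values match as whole names, case-insensitively; path,
priv and auth values match as case-insensitive substrings.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

TYPES = {"event", "class", "path", "priv", "auth"}

# Record key that holds the candidate names for each non-event entry type.
RECORD_KEY = {"class": "classes", "path": "paths", "priv": "privs", "auth": "auths"}


@dataclass
class TagEntry:
    provider: str
    name: str
    type: str
    value: str
    regex: Optional[re.Pattern] = None  # set only when the value was double-quoted

    def matches(self, candidate: str) -> bool:
        """Return True if a single record token satisfies this entry."""
        if self.regex is not None:
            return self.regex.search(candidate) is not None
        if self.type in ("event", "class"):
            return candidate.lower() == self.value.lower()
        return self.value.lower() in candidate.lower()


def parse_audit_tags(text: str) -> List[TagEntry]:
    """Parse audit_tags file content; '#' lines and blank lines are skipped."""
    entries: List[TagEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)  # value may itself contain colons (assumption)
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected provider:name:type:value")
        provider, name, typ, value = parts
        if typ not in TYPES:
            raise ValueError(f"line {lineno}: unknown type {typ!r}")
        regex = None
        if len(value) >= 2 and value[0] == value[-1] == '"':
            regex = re.compile(value[1:-1])
        entries.append(TagEntry(provider, name, typ, value, regex))
    return entries


def tags_for_record(record: Dict[str, object], entries: List[TagEntry]) -> Set[str]:
    """Return the set of tag names whose entries match the record.

    A record is a dict with an 'event' name and optional lists of
    'classes', 'paths', 'privs' and 'auths' (constructed simplification).
    """
    tags: Set[str] = set()
    for entry in entries:
        if entry.type == "event":
            candidates = [str(record.get("event", ""))]
        else:
            candidates = list(record.get(RECORD_KEY[entry.type], []))
        if any(entry.matches(c) for c in candidates):
            tags.add(entry.name)
    return tags


# Constructed sample built from the entries shown in Examples 1-3.
SAMPLE_AUDIT_TAGS = r"""
# constructed sample audit_tags content
solaris:net:event:AUE_netcfg_update
solaris:file:class:fa
solaris:file:priv:file_
solaris:dump:path:"[\S]*/coreadm$"
"""

# Constructed records; the field values are illustrative only.
SAMPLE_RECORDS = [
    {"event": "AUE_netcfg_update", "classes": ["nw"]},
    {"event": "AUE_OPEN_R", "classes": ["fa"], "paths": ["/etc/passwd"]},
    {"event": "AUE_EXECVE", "classes": ["ex", "ps"],
     "paths": ["/usr/bin/coreadm"], "privs": ["file_dac_read"]},
    {"event": "aue_netcfg_update", "classes": ["NW"]},  # case differs
]


def classify_sample() -> List[List[str]]:
    """Tag every sample record; returns sorted tag lists in record order."""
    entries = parse_audit_tags(SAMPLE_AUDIT_TAGS)
    return [sorted(tags_for_record(r, entries)) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    for rec, tags in zip(SAMPLE_RECORDS, classify_sample()):
        print(rec["event"], "->", tags)
```

The third record shows tags overlapping as the text describes: its privilege string contains file_, so it belongs to the file tag, and its path ends in /coreadm, so it also matches the dump tag. The fourth record shows that the event name is matched without regard to case.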
Files
- /etc/security/audit_tags
  Locally added entries. Make sure that the shipped header remains intact.
- /etc/security/audit_tags.d/*
  Entries added by package installation.
Attributes
See attributes(7) for descriptions of the following attributes:
| ATTRIBUTE TYPE      | ATTRIBUTE VALUE |
| Interface Stability | See below.      |
The file format stability is Committed. The file content is Uncommitted.
See Also
audit_class(5), audit_event(5), auth_attr(5), attributes(7), privileges(7), auditconfig(8)
History
audit_tags were added in Oracle Solaris 11.4.0.