The /etc/security/audit_tags file is a local source for tags used in the
audit system. The audit_tags file can be used together with other tag sources (see
FILES). Audit tags can be used during audit trail post-selection to filter records at a
high level, typically at a subsystem level, such as selecting only network-related events or
only filesystem events. See the auditreduce(8) command for more information. The auditreduce(8) command also allows an alternate audit tags file to be specified.
Each tag is composed of one or more tag entries. The fields of each tag entry are
separated by colons, and entries are separated from each other by a new line.
Each entry in the audit_tags file has the following form:
The fields are defined as follows:
provider    creator of the entry (company or software name, etc.)
type        one of: event, class, path, priv, or auth
value       name or other value to be matched in the record. This may be given as a
            Perl-compatible regular expression (see PCRE(3)); a value delimited by double
            quotes is interpreted as a PCRE.
Description of allowed types:
event   matches all records with the specified event name. See audit_event(5) for more information.
class   matches all records which belong to the specified class. See audit_class(5) for more information.
path    matches all records containing the specified path name.
priv    matches all records containing the specified privilege name. See privileges(7) for more information.
auth    matches all records containing the specified authorization name. See auth_attr(5) for more information.
Tag names are listed with the auditconfig command. For more
information, see the auditconfig(8) man page.
Default matching behavior (when the value field is not a regular expression) is
case-insensitive string matching. For the path, priv, and auth types, the substring
given in the value field must be contained within the corresponding name in the
audit record. Values for the other types are also matched case-insensitively.
Lines beginning with # are comments; every other line contains one entry that forms
part of a tag definition. A tag is defined by any number of entries. If a given record matches
any entry, then the tag corresponding to that entry applies to the record.
Tags may overlap; that is, an audit record may match one or more tags, and an
event, class, or other value may be listed for more than one
tag. Tag definitions need not be minimal, so some redundancy is permitted.
Tag and provider names may each be up to AU_TAGS_NAME_MAX characters long.
The value field may be up to AU_TAGS_VALUE_MAX characters long. See
<security/libaudit.h> for more information.
Example 1 Using event type:
This entry specifies that the AUE_netcfg_update audit event matches
the net tag.
Example 2 Tags with multiple entries:
The following entries compose a definition for the file tag:
The first entry specifies that any record in the fa class matches, that is, belongs to,
the file tag. The next entry specifies that any record whose
privilege string includes the value file_* also matches the
Example 3 Using an expression:
This entry specifies that an event with a path token having a final
component file name of coreadm matches the dump
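The following is an added example, not part of this man page or of the audit system's own code: a small parser and matcher that applies the rules described above (colon-separated fields, # comments, any-entry-matches, double-quoted values treated as regular expressions, case-insensitive substring matching for path, priv and auth) to a constructed sample file modelled on the three examples. It assumes the field order tag:provider:type:value, which this page does not reproduce, and uses Python's re module in place of PCRE.

```python
import re
# Assumed field order tag:provider:type:value (the form line is not on this page).
SUBSTRING_TYPES = {"path", "priv", "auth"}   # value is a case-insensitive substring
EXACT_TYPES = {"event", "class"}             # value is a case-insensitive name

def parse_audit_tags(text):
    """Return (tag, provider, type, value, regex) tuples; comments/blanks skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 3)          # colons inside the value field survive
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 colon-separated fields")
        tag, provider, typ, value = fields
        if typ not in SUBSTRING_TYPES | EXACT_TYPES:
            raise ValueError(f"line {lineno}: unknown type {typ!r}")
        regex = None
        if len(value) >= 2 and value[0] == value[-1] == '"':
            regex = re.compile(value[1:-1])  # quoted value: regex (re stands in for PCRE)
        entries.append((tag, provider, typ, value, regex))
    return entries

def entry_matches(entry, record):
    """record maps a type name to the string(s) carried by the audit record."""
    _tag, _provider, typ, value, regex = entry
    names = record.get(typ, [])
    for name in [names] if isinstance(names, str) else names:
        if regex is not None:
            if regex.search(name):
                return True
        elif typ in SUBSTRING_TYPES:
            if value.lower() in name.lower():
                return True
        elif value.lower() == name.lower():
            return True
    return False

def tags_for_record(entries, record):  # every tag with at least one matching entry
    return sorted({e[0] for e in entries if entry_matches(e, record)})

# Constructed sample modelled on the page's three examples (not the shipped file).
SAMPLE = """\
# comment lines are ignored
net:example:event:AUE_netcfg_update
file:example:class:fa
file:example:priv:file_
dump:example:path:"(^|/)coreadm$"
"""
```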
/etc/security/audit_tags    Locally added entries. Make sure that the shipped header remains intact.