
man pages section 5: File Formats


Updated: Thursday, June 13, 2019

audit_tags (5)

Name

audit_tags - audit tag definitions

Synopsis

/etc/security/audit_tags

Description

The /etc/security/audit_tags file is a local source of tags used by the audit system. It can be used together with other tag sources (see FILES). Audit tags can be used in audit trail post-selection to filter records at a high level, typically at a subsystem level, such as selecting only network-related events or only filesystem events. See the auditreduce(8) command for more information. The auditreduce(8) command also allows an alternate audit tags file to be specified.

Each tag is composed of one or more tag entries. The fields of each tag entry are separated by colons, and each tag entry occupies its own line.

Each entry in the audit_tags file has the following form:

provider:name:type:value

The fields are defined as follows:

provider

creator of the entry (company or software name, etc.)

name

tag name

type

one of: event, class, path, priv, or auth

value

name or other value to be matched in the record. This might be in the form of a Perl-compatible regular expression (see PCRE(3)). A value delimited by double quotes is interpreted as a PCRE.

Description of allowed types:

event

matches all records with the specified event name. See audit_event(5) for more information.

class

matches all records which belong to the specified class. See audit_class(5) for more information.

path

matches all records containing the specified path name.

priv

matches all records containing the specified privilege name. See privileges(7) for more information.

auth

matches all records containing the specified authorization name. See auth_attr(5) for more information.

Tag names are listed with the auditconfig command. For more information, see the auditconfig(8) man page.

Default matching behavior (when the value field is not a regular expression) is case-insensitive string matching. For the path, priv, and auth types, the substring specified in the value field must be contained within the corresponding name in the audit record. Values for the other types are also matched case-insensitively.

Lines beginning with # are comments; each line contains one entry as part of a tag definition. Tags are defined by any number of entries. If a given record matches any entry then the tag corresponding to that entry applies to the record.

Tags may overlap; that is, an audit record may match one or more tags, and an event, class, or other entry may be listed under more than one tag. Tag definitions need not be minimal; some redundancy is allowed.

Tag and provider names may each be up to AU_TAGS_NAME_MAX characters long. The value field may be up to AU_TAGS_VALUE_MAX characters long. See <security/libaudit.h> for more information.

Examples

Example 1 Using event type:

solaris:net:event:AUE_netcfg_update

This entry specifies that the AUE_netcfg_update audit event matches the net tag.

Example 2 Tags with multiple entries:

The following entries compose a definition for the file tag:

solaris:file:class:fa
solaris:file:priv:file_

The first entry specifies that any record in the fa class belongs to the file tag. The second entry specifies that any record whose privilege string includes the value file_* (that is, contains the substring file_) also belongs to the file tag.

Example 3 Using an expression:

solaris:dump:path:"[\S]*/coreadm$"

This entry specifies that an event with a path token having a final component file name of coreadm matches the dump tag.
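The entry format and matching rules described above, exercised end to end. This is an added example, not part of the man page and not code from the Solaris audit subsystem: it parses a constructed audit_tags file containing the three example definitions, then reports which tags apply to a few constructed records. It assumes placeholder values for AU_TAGS_NAME_MAX and AU_TAGS_VALUE_MAX (the real ones live in <security/libaudit.h>), uses Python's re module in place of PCRE for double-quoted values, treats event and class values as whole-name case-insensitive comparisons, and represents a record as a plain dict of token values rather than a real audit trail.

```python
import re
from dataclasses import dataclass

# Placeholder limits: the real AU_TAGS_NAME_MAX and AU_TAGS_VALUE_MAX are
# defined in <security/libaudit.h>; these numbers are assumptions for this example.
AU_TAGS_NAME_MAX = 32
AU_TAGS_VALUE_MAX = 256

ALLOWED_TYPES = ("event", "class", "path", "priv", "auth")
SUBSTRING_TYPES = ("path", "priv", "auth")  # value must be contained in the record's name


@dataclass
class TagEntry:
    provider: str
    name: str
    type: str
    value: str
    regex: "re.Pattern[str] | None" = None

    def matches(self, candidate: str) -> bool:
        """Apply this entry's value to one name taken from an audit record."""
        if self.regex is not None:
            # Double-quoted value: PCRE in the real tool, Python re here (case-sensitive).
            return self.regex.search(candidate) is not None
        if self.type in SUBSTRING_TYPES:
            # Default behaviour for path/priv/auth: case-insensitive substring.
            return self.value.lower() in candidate.lower()
        # event and class: whole-name, case-insensitive comparison (assumed from
        # "matches all records with the specified event name").
        return self.value.lower() == candidate.lower()


def parse_audit_tags(text: str) -> list[TagEntry]:
    """Parse provider:name:type:value lines; '#' lines and blank lines are skipped."""
    entries: list[TagEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on at most three colons so the value field may itself contain ':'.
        parts = line.split(":", 3)
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected provider:name:type:value")
        provider, name, etype, value = parts
        if etype not in ALLOWED_TYPES:
            raise ValueError(f"line {lineno}: unknown type {etype!r}")
        if max(len(provider), len(name)) > AU_TAGS_NAME_MAX:
            raise ValueError(f"line {lineno}: provider or name exceeds AU_TAGS_NAME_MAX")
        if len(value) > AU_TAGS_VALUE_MAX:
            raise ValueError(f"line {lineno}: value exceeds AU_TAGS_VALUE_MAX")
        regex = None
        if len(value) >= 2 and value[0] == value[-1] == '"':
            regex = re.compile(value[1:-1])  # strip the delimiting quotes
        entries.append(TagEntry(provider, name, etype, value, regex))
    return entries


def tags_for_record(entries: list[TagEntry], record: dict) -> set[str]:
    """Return every tag with at least one matching entry; tags may overlap."""
    tags: set[str] = set()
    for entry in entries:
        names = record.get(entry.type, [])
        if isinstance(names, str):
            names = [names]
        if any(entry.matches(n) for n in names):
            tags.add(entry.name)
    return tags


# Constructed audit_tags content mirroring the examples in this man page.
SAMPLE_AUDIT_TAGS = r'''
# provider:name:type:value
solaris:net:event:AUE_netcfg_update
solaris:file:class:fa
solaris:file:priv:file_
solaris:dump:path:"[\S]*/coreadm$"
'''

# Constructed records: just the token values the tag types look at.
SAMPLE_RECORDS = {
    "netcfg":  {"event": "aue_netcfg_update", "class": ["nt"]},
    "open":    {"event": "AUE_OPEN_R", "class": ["fa"], "path": ["/etc/passwd"]},
    "coreadm": {"event": "AUE_EXECVE", "class": ["ex"],
                "path": ["/usr/bin/coreadm"], "priv": ["FILE_DAC_READ"]},
    "backup":  {"event": "AUE_EXECVE", "class": ["ex"],
                "path": ["/usr/bin/coreadm.old"]},
}


def classify_samples() -> dict[str, set[str]]:
    """Tag each constructed record using the constructed audit_tags file."""
    entries = parse_audit_tags(SAMPLE_AUDIT_TAGS)
    return {label: tags_for_record(entries, rec) for label, rec in SAMPLE_RECORDS.items()}


if __name__ == "__main__":
    for label, tags in classify_samples().items():
        print(f"{label:8} -> {sorted(tags) or '(no tag)'}")
```

The coreadm record picks up both dump (regex on the path) and file (case-insensitive substring file_ in FILE_DAC_READ), which is the overlap the text allows; the coreadm.old record gets no tag because the quoted expression is anchored with $ and a final path component that merely starts with coreadm does not satisfy it.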

Files

/etc/security/audit_tags

Locally added entries. Make sure that the shipped header remains intact.

/etc/security/audit_tags.d/*

Entries added by package installation.

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE        ATTRIBUTE VALUE
Interface Stability   See below.

The file format stability is Committed, whereas the file content is Uncommitted.

See Also

audit_class(5), audit_event(5), auth_attr(5), attributes(7), privileges(7), auditconfig(8)