
man pages section 5: File Formats


Updated: Wednesday, February 10, 2021

audit_tags (5)


audit_tags - audit tag definitions




The /etc/security/audit_tags file is a local source for tags used in the audit system. The audit_tags file can be used together with other tag sources (see FILES). Audit tags can be used in audit trail post-selection to filter records at a high level, typically at a subsystem level, such as selecting only network-related events or only filesystem events. See the auditreduce(8) command for more information. The auditreduce(8) command also allows an alternate audit tags file to be specified.

Each tag is composed of one or more tag entries. The fields of each tag entry are separated by colons. Tag entries are separated from each other by newlines.

Each entry in the audit_tags file has the following form:


The fields are defined as follows:


creator of the entry (company or software name, etc.)


tag name


one of: event, class, path, priv, or auth


name or other value to be matched in the record. This might be in the form of a Perl-compatible regular expression (see PCRE(3)). A value delimited by double quotes is interpreted as a PCRE.

Description of allowed types:


matches all records with the specified event name. See audit_event(5) for more information.


matches all records which belong to the specified class. See audit_class(5) for more information.


matches all records containing the specified path name.


matches all records containing the specified privilege name. See privileges(7) for more information.


matches all records containing the specified authorization name. See auth_attr(5) for more information.

Tag names are listed with the auditconfig command. For more information, see the auditconfig(8) man page.

Default matching behavior (when the value field is not a regular expression) is case-insensitive string matching. For the path, priv, and auth types, the substring specified in the value field must be contained within the corresponding name in the audit record. Values for the other types are also matched case-insensitively.

Lines beginning with # are comments; each line contains one entry as part of a tag definition. Tags are defined by any number of entries. If a given record matches any entry then the tag corresponding to that entry applies to the record.

Tags may overlap, that is, an audit record may match one or more tags; an event, class, or other value may be listed for more than one tag. Tag definitions need not be minimal; some redundancy is allowed.

Tag and provider names may each be up to AU_TAGS_NAME_MAX characters long. The value field may be up to AU_TAGS_VALUE_MAX characters long. See <security/libaudit.h> for more information.


Example 1 Using event type:

This entry specifies that the AUE_netcfg_update audit event matches the net tag.

Example 2 Tags with multiple entries:

The following entries compose a definition for the file tag:


The first entry specifies that any record in the fa class belongs to the file tag. The next entry specifies that any record whose privilege string includes the value file_* also matches the file tag.

Example 3 Using an expression:

This entry specifies that an event with a path token having a final component file name of coreadm matches the dump tag.
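The following Python script is an added example, not part of this man page or of the Solaris audit tools. It parses entries in the form described above and applies them to a constructed record, showing comment handling, the quoted-value regular expression case, case-insensitive substring matching, and overlapping tags. It assumes the field order provider:tag:type:value (the field names are taken from the descriptions above), uses Python's re module in place of PCRE, and treats event and class values as whole-name matches.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample (not the shipped /etc/security/audit_tags); assumed field
# order provider:tag:type:value, '#' comments, one entry per line.
SAMPLE_AUDIT_TAGS = """\
# constructed sample file
example:net:event:AUE_netcfg_update
example:file:class:fa
example:file:priv:file_
example:dump:path:"/coreadm$"
"""
TYPES = ("event", "class", "path", "priv", "auth")
SUBSTRING_TYPES = ("path", "priv", "auth")  # value must be contained in the name

class TagEntry(NamedTuple):
    provider: str
    tag: str
    type: str
    value: str
    regex: Optional[re.Pattern]  # set only when the value was double-quoted

def parse_audit_tags(text):
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)  # the value itself may contain ':' (e.g. in a regex)
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 colon-separated fields")
        provider, tag, typ, value = parts
        if typ not in TYPES:
            raise ValueError(f"line {lineno}: unknown type {typ!r}")
        regex = None
        if len(value) >= 2 and value[0] == value[-1] == '"':
            regex = re.compile(value[1:-1])  # Python re stands in for PCRE here
        entries.append(TagEntry(provider, tag, typ, value, regex))
    return entries

def entry_matches(entry, record):
    # record maps a type name to the names of that kind present in the audit record
    def hit(name):
        if entry.regex is not None:
            return entry.regex.search(name) is not None
        if entry.type in SUBSTRING_TYPES:
            return entry.value.lower() in name.lower()  # case-insensitive substring
        return entry.value.lower() == name.lower()  # event/class: whole name (assumed)
    return any(hit(n) for n in record.get(entry.type, []))

def tags_for_record(entries, record):
    # any matching entry applies its tag; tags may overlap, so collect a set
    return sorted({e.tag for e in entries if entry_matches(e, record)})
```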



Locally added entries. Make sure that the shipped header remains intact.


Entries added by package installation.


See attributes(7) for descriptions of the following attributes:

Interface Stability
See below.

The file format is Committed, whereas the file content is Uncommitted.

See Also

audit_class(5), audit_event(5), auth_attr(5), attributes(7), privileges(7), auditconfig(8)