AUDIT_EVENT(5) File Formats and Configurations AUDIT_EVENT(5)
audit_event - audit event definition and class mapping
/etc/security/audit_event
/etc/security/audit_event is a user-configurable ASCII system file
that stores event definitions used in the audit system. As part of
this definition, each event is mapped to one or more of the audit
classes defined in audit_class(5). Programs can use the
getauevent(3BSM) routines to access audit event information.
The fields for each event entry are separated by colons. Each event
is separated from the next by a NEWLINE.Each entry in the audit_event
file has the form:
number:name:description:flags
The fields are defined as follows:
number
Event number.
Event number ranges are assigned as follows:
0
Reserved as an invalid event number.
1-2047
Reserved for the Solaris Kernel events.
2048-32767
Reserved for the Solaris TCB programs.
32768-65535
Available for third party TCB
applications.
System administrators must not add,
delete, or modify (except to change the
class mapping), events with an event
number less than 32768. These events
are reserved by the system.
name
Event name.
description
Event description.
flags
Flags specifying classes to which the event is mapped.
Classes are comma separated, without spaces.
Obsolete events are commonly assigned to the special
class no (invalid) to indicate they are no longer
generated. Obsolete events are retained to process old
audit trail files. Other events which are not obsolete
may also be assigned to the no class.
The following is an example of some audit_event file entries:
7:AUE_EXEC:exec(2):ps,ex
79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw
6152:AUE_login:login - local:lo
6153:AUE_logout:logout:lo
6154:AUE_telnet:login - telnet:lo
6155:AUE_rlogin:login - rlogin:lo
See attributes(7) for descriptions of the following attributes:
+---------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+---------------------+-----------------+
|Interface Stability | See below. |
+---------------------+-----------------+
The file format stability is Committed. The file content is
Uncommitted.
/etc/security/audit_event
getauevent(3BSM), audit_class(5)
March 6, 2017 AUDIT_EVENT(5)
NAME
audit_event - audit event definition and class mapping
SYNOPSIS
/etc/security/audit_event
DESCRIPTION
/etc/security/audit_event is a user-configurable ASCII system file
that stores event definitions used in the audit system. As part of
this definition, each event is mapped to one or more of the audit
classes defined in audit_class(5). Programs can use the
getauevent(3BSM) routines to access audit event information.
The fields for each event entry are separated by colons. Each event
is separated from the next by a NEWLINE.Each entry in the audit_event
file has the form:
number:name:description:flags
The fields are defined as follows:
number
Event number.
Event number ranges are assigned as follows:
0
Reserved as an invalid event number.
1-2047
Reserved for the Solaris Kernel events.
2048-32767
Reserved for the Solaris TCB programs.
32768-65535
Available for third party TCB
applications.
System administrators must not add,
delete, or modify (except to change the
class mapping), events with an event
number less than 32768. These events
are reserved by the system.
name
Event name.
description
Event description.
flags
Flags specifying classes to which the event is mapped.
Classes are comma separated, without spaces.
Obsolete events are commonly assigned to the special
class no (invalid) to indicate they are no longer
generated. Obsolete events are retained to process old
audit trail files. Other events which are not obsolete
may also be assigned to the no class.
EXAMPLES
Example 1: Using the audit_event File
The following is an example of some audit_event file entries:
7:AUE_EXEC:exec(2):ps,ex
79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw
6152:AUE_login:login - local:lo
6153:AUE_logout:logout:lo
6154:AUE_telnet:login - telnet:lo
6155:AUE_rlogin:login - rlogin:lo
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
+---------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+---------------------+-----------------+
|Interface Stability | See below. |
+---------------------+-----------------+
The file format stability is Committed. The file content is
Uncommitted.
FILES
/etc/security/audit_event
SEE ALSO
getauevent(3BSM), audit_class(5)
March 6, 2017 AUDIT_EVENT(5)