audit_event(4)

NAME

     audit_event - audit event definition and class mapping

SYNOPSIS

     /etc/security/audit_event

DESCRIPTION

     /etc/security/audit_event is a user-configurable ASCII  sys-
     tem  file  that  stores  event definitions used in the audit
     system. As part of this definition, each event is mapped  to
     one  or more of the audit classes defined in audit_class(4).
     See audit_control(4) and audit_user(4) for information about
     changing the preselection of audit classes in the audit sys-
     tem. Programs  can  use  the  getauevent(3BSM)  routines  to
     access audit event information.

     The fields for each event entry  are  separated  by  colons.
     Each  event  is  separated from the next by a <NEWLINE>.Each
     entry in the audit_event file has the form:

     number:name:description:flags

     The fields are defined as follows:

     number
           Event number.

           Event number ranges are assigned as follows:

           0     Reserved as an invalid event number.

           1-2047
                 Reserved for the Solaris Kernel events.

           2048-32767
                 Reserved for the Solaris TCB programs.

           32768-65535
                 Available for third party TCB applications.

                 System administrators must not add,  delete,  or
                 modify  (except  to  change  the class mapping),
                 events with an event  number  less  than  32768.
                 These events are reserved by the system.

     name  Event name.

     description
           Event description.

     flags Flags specifying classes to which the event is mapped.
           Classes are comma separated, without spaces.

           Obsolete events are commonly assigned to  the  special
           class no (invalid) to indicate they are no longer gen-
           erated. Obsolete events are retained  to  process  old
           audit trail files. Other events which are not obsolete
           may also be assigned to the no class.

EXAMPLES

     Example 1: Using the audit_event File

     The  following  is  an  example  of  some  audit_event  file
     entries:

     7:AUE_EXEC:exec(2):ps,ex
     79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw
     6152:AUE_login:login - local:lo
     6153:AUE_logout:logout:lo
     6154:AUE_telnet:login - telnet:lo
     6155:AUE_rlogin:login - rlogin:lo

ATTRIBUTES

     See attributes(5) for descriptions of the  following  attri-
     butes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Interface Stability         |  See below                  |
    |_____________________________|_____________________________|

     The file format stability is evolving. The file  content  is
     unstable.

FILES

     /etc/security/audit_event

SEE ALSO

     bsmconv(1M),        getauevent(3BSM),        audit_class(4),
     audit_control(4), audit_user(4)

NOTES

     This functionality is available only if the  Basic  Security
     Module  (BSM)  has  been  enabled.  See bsmconv(1M) for more
     information.