AUDIT_CLASS(4)         File Formats and Configurations         AUDIT_CLASS(4)

NAME
       audit_class - audit class definitions

SYNOPSIS
       /etc/security/audit_class

DESCRIPTION
       /etc/security/audit_class is a user-configurable ASCII system file that
       stores class definitions used in the audit system. Audit events in
       audit_event(4) are mapped to one or more of the defined audit classes.
       audit_event can be updated in conjunction with changes to audit_class.
       Programs can use the getauclassent(3BSM) routines to access audit class
       information.

       The fields of each class entry are separated by colons. Each class
       entry is a bitmap, and entries are separated from one another by a
       newline.

       Each entry in the audit_class file has the form:

         mask:name:description

       The fields are defined as follows:

       mask
                      class mask

       name
                      class name

       description
                      class description

       Each class is represented as a bit in the class mask, which is an
       unsigned integer. Thus, there are 32 different classes available.
       Meta-classes can also be defined. These are supersets composed of
       multiple base classes, and thus have more than one bit set in their
       masks. See EXAMPLES. Two special meta-classes are also predefined:
       all and no.

       all
               Represents a conjunction of all allowed classes, and is provided
               as a shorthand method of specifying all classes.

       no
               Is the invalid class, and any event mapped solely to this class
               will not be audited. Turning auditing on for the all meta-class
               will not cause events mapped solely to the no class to be
               written to the audit trail. This class is also used to map
               obsolete events which are no longer generated. Obsolete events
               are retained to process old audit trail files.
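
       The mask rules above, as an added example (not part of the original
       manual page or of the audit subsystem's code): a Python parser for
       mask:name:description entries that expands a meta-class into the
       single-bit base classes it contains and reports mask bits that no base
       class defines. The sample is a subset of the entries in the page's
       Example 1; the function names and the handling of '#' comment lines
       are assumptions.

```python
# Added example: parse audit_class text and expand meta-class masks.
# SAMPLE is a subset of the entries in the page's Example 1.
SAMPLE = """\
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x000f0000:ad:old administrative (meta-class)
0x00070000:am:administrative (meta-class)
0x00010000:ss:change system state
0x00020000:as:system-wide administration
0x00040000:ua:user administration
0x00080000:aa:audit utilization
0x00300000:pc:process (meta-class)
0x00100000:ps:process start/stop
0x00200000:pm:process modify
0xffffffff:all:all classes (meta-class)
"""


def parse_audit_class(text):
    """Return {name: (mask, description)}; raise ValueError on a bad entry."""
    classes = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # assumption: '#' lines are comments
            continue
        fields = line.split(":", 2)  # tolerate ':' inside the description
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected mask:name:description")
        mask = int(fields[0], 16)  # ValueError if the mask is not hex
        if not 0 <= mask <= 0xFFFFFFFF:
            raise ValueError(f"line {lineno}: mask does not fit in 32 bits")
        if fields[1] in classes:
            raise ValueError(f"line {lineno}: duplicate class {fields[1]!r}")
        classes[fields[1]] = (mask, fields[2])
    return classes


def expand(classes, name):
    """Return (base class names inside name's mask, bits no base class defines)."""
    mask = classes[name][0]
    members, covered = [], 0
    for other, (bit, _) in sorted(classes.items()):
        if bin(bit).count("1") == 1 and bit & mask:  # single bit = base class
            members.append(other)
            covered |= bit
    return members, mask & ~covered
```

       A non-zero second value from expand() on a meta-class other than all
       means the mask selects a bit that no single-bit entry in the file
       defines, which is worth reviewing after editing audit_class.
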
EXAMPLES
       Example 1 Using an audit_class File

       The following is an example of an audit_class file:

         0x00000000:no:invalid class
         0x00000001:fr:file read
         0x00000002:fw:file write
         0x00000004:fa:file attribute access
         0x00000008:fm:file attribute modify
         0x00000010:fc:file create
         0x00000020:fd:file delete
         0x00000040:cl:file close
         0x00000100:nt:network
         0x00000200:ip:ipc
         0x00000400:na:non-attribute
         0x00001000:lo:login or logout
         0x00004000:ap:application
         0x000f0000:ad:old administrative (meta-class)
         0x00070000:am:administrative (meta-class)
         0x00010000:ss:change system state
         0x00020000:as:system-wide administration
         0x00040000:ua:user administration
         0x00080000:aa:audit utilization
         0x00300000:pc:process (meta-class)
         0x00100000:ps:process start/stop
         0x00200000:pm:process modify
         0x02000000:sa:SACL-based File Access Auditing
         0x20000000:io:ioctl
         0x40000000:ex:exec
         0x80000000:ot:other
         0xffffffff:all:all classes (meta-class)

FILES
       /etc/security/audit_class

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +---------------------+-----------------+
       |   ATTRIBUTE TYPE    | ATTRIBUTE VALUE |
       +---------------------+-----------------+
       |Interface Stability  | See below.      |
       +---------------------+-----------------+

       The file format stability is Committed. The file content is
       Uncommitted.

SEE ALSO
       au_preselect(3BSM), getauclassent(3BSM), audit_event(4), attributes(5)

NOTES
       It is possible to deliberately turn on the no class in the kernel, in
       which case the audit trail will be flooded with records for the audit
       event AUE_NULL.

                                 July 10, 2018                  AUDIT_CLASS(4)