Print this page 
NEX-13644 File access audit logging
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
Reviewed by: Saso Kiselkov <saso.kiselkov@nexenta.com>
Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
   1 '\" te
   2 .\" Copyright (c) 2008, Sun Microsystems, Inc.

   3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
   4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
   5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   6 .TH AUDIT_CLASS 4 "Mar 6, 2017"
   7 .SH NAME
   8 audit_class \- audit class definitions
   9 .SH SYNOPSIS
  10 .LP
  11 .nf
  12 \fB/etc/security/audit_class\fR
  13 .fi
  14 
  15 .SH DESCRIPTION
  16 .LP
  17 \fB/etc/security/audit_class\fR is a user-configurable ASCII system file that
  18 stores class definitions used in the audit system. Audit events in
  19 \fBaudit_event\fR(4) are mapped to one or more of the defined audit classes.
  20 \fBaudit_event\fR can be updated in conjunction with changes to
  21 \fBaudit_class\fR.
  22 Programs can use the \fBgetauclassent\fR(3BSM) routines to access audit
  23 class information.
  24 .sp
  25 .LP
  26 The fields for each class entry are separated by colons. Each class entry is a


 110 0x00000002:fw:file write
 111 0x00000004:fa:file attribute access
 112 0x00000008:fm:file attribute modify
 113 0x00000010:fc:file create
 114 0x00000020:fd:file delete
 115 0x00000040:cl:file close
 116 0x00000100:nt:network
 117 0x00000200:ip:ipc
 118 0x00000400:na:non-attribute
 119 0x00001000:lo:login or logout
 120 0x00004000:ap:application
 121 0x000f0000:ad:old administrative (meta-class)
 122 0x00070000:am:administrative (meta-class)
 123 0x00010000:ss:change system state
 124 0x00020000:as:system-wide administration
 125 0x00040000:ua:user administration
 126 0x00080000:aa:audit utilization
 127 0x00300000:pc:process (meta-class)
 128 0x00100000:ps:process start/stop
 129 0x00200000:pm:process modify

 130 0x20000000:io:ioctl
 131 0x40000000:ex:exec
 132 0x80000000:ot:other
 133 0xffffffff:all:all classes (meta-class)
 134 .fi
 135 .in -2
 136 .sp
 137 
 138 .SH FILES
 139 .ne 2
 140 .na
 141 \fB\fB/etc/security/audit_class\fR\fR
 142 .ad
 143 .RS 29n
 144 
 145 .RE
 146 
 147 .SH ATTRIBUTES
 148 .LP
 149 See \fBattributes\fR(5) for descriptions of the following attributes:


   1 '\" te
   2 .\" Copyright (c) 2008, Sun Microsystems, Inc.
   3 .\" Copyright 2018 Nexenta Systems, Inc. All rights reserved.
   4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
   5 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
   6 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   7 .TH AUDIT_CLASS 4 "Jul 10, 2018"
   8 .SH NAME
   9 audit_class \- audit class definitions
  10 .SH SYNOPSIS
  11 .LP
  12 .nf
  13 \fB/etc/security/audit_class\fR
  14 .fi
  15 
  16 .SH DESCRIPTION
  17 .LP
  18 \fB/etc/security/audit_class\fR is a user-configurable ASCII system file that
  19 stores class definitions used in the audit system. Audit events in
  20 \fBaudit_event\fR(4) are mapped to one or more of the defined audit classes.
  21 \fBaudit_event\fR can be updated in conjunction with changes to
  22 \fBaudit_class\fR.
  23 Programs can use the \fBgetauclassent\fR(3BSM) routines to access audit
  24 class information.
  25 .sp
  26 .LP
  27 The fields for each class entry are separated by colons. Each class entry is a


 111 0x00000002:fw:file write
 112 0x00000004:fa:file attribute access
 113 0x00000008:fm:file attribute modify
 114 0x00000010:fc:file create
 115 0x00000020:fd:file delete
 116 0x00000040:cl:file close
 117 0x00000100:nt:network
 118 0x00000200:ip:ipc
 119 0x00000400:na:non-attribute
 120 0x00001000:lo:login or logout
 121 0x00004000:ap:application
 122 0x000f0000:ad:old administrative (meta-class)
 123 0x00070000:am:administrative (meta-class)
 124 0x00010000:ss:change system state
 125 0x00020000:as:system-wide administration
 126 0x00040000:ua:user administration
 127 0x00080000:aa:audit utilization
 128 0x00300000:pc:process (meta-class)
 129 0x00100000:ps:process start/stop
 130 0x00200000:pm:process modify
 131 0x02000000:sa:SACL-based File Access Auditing
 132 0x20000000:io:ioctl
 133 0x40000000:ex:exec
 134 0x80000000:ot:other
 135 0xffffffff:all:all classes (meta-class)
 136 .fi
 137 .in -2
 138 .sp
 139 
 140 .SH FILES
 141 .ne 2
 142 .na
 143 \fB\fB/etc/security/audit_class\fR\fR
 144 .ad
 145 .RS 29n
 146 
 147 .RE
 148 
 149 .SH ATTRIBUTES
 150 .LP
 151 See \fBattributes\fR(5) for descriptions of the following attributes: