NEX-13644 File access audit logging
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
Reviewed by: Saso Kiselkov <saso.kiselkov@nexenta.com>
Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
--- old/usr/src/man/man4/audit_class.4
+++ new/usr/src/man/man4/audit_class.4
1 1 '\" te
2 2 .\" Copyright (c) 2008, Sun Microsystems, Inc.
3 +.\" Copyright 2018 Nexenta Systems, Inc. All rights reserved.
3 4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
4 5 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
5 6 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 -.TH AUDIT_CLASS 4 "Mar 6, 2017"
7 +.TH AUDIT_CLASS 4 "Jul 10, 2018"
7 8 .SH NAME
8 9 audit_class \- audit class definitions
9 10 .SH SYNOPSIS
10 11 .LP
11 12 .nf
12 13 \fB/etc/security/audit_class\fR
13 14 .fi
14 15
15 16 .SH DESCRIPTION
16 17 .LP
17 18 \fB/etc/security/audit_class\fR is a user-configurable ASCII system file that
18 19 stores class definitions used in the audit system. Audit events in
19 20 \fBaudit_event\fR(4) are mapped to one or more of the defined audit classes.
20 21 \fBaudit_event\fR can be updated in conjunction with changes to
21 22 \fBaudit_class\fR.
22 23 Programs can use the \fBgetauclassent\fR(3BSM) routines to access audit
23 24 class information.
24 25 .sp
25 26 .LP
26 27 The fields for each class entry are separated by colons. Each class entry is a
27 28 bitmap and is separated from each other by a newline.
28 29 .sp
29 30 .LP
30 31 Each entry in the \fBaudit_class\fR file has the form:
31 32 .sp
32 33 .in +2
33 34 .nf
34 35 \fImask\fR:\fIname\fR:\fIdescription\fR
35 36 .fi
36 37 .in -2
37 38
38 39 .sp
39 40 .LP
40 41 The fields are defined as follows:
41 42 .sp
42 43 .ne 2
43 44 .na
44 45 \fB\fImask\fR\fR
45 46 .ad
46 47 .RS 15n
47 48 class mask
48 49 .RE
49 50
50 51 .sp
51 52 .ne 2
52 53 .na
53 54 \fB\fIname\fR\fR
54 55 .ad
55 56 .RS 15n
56 57 class name
57 58 .RE
58 59
59 60 .sp
60 61 .ne 2
61 62 .na
62 63 \fB\fIdescription\fR\fR
63 64 .ad
64 65 .RS 15n
65 66 class description
66 67 .RE
67 68
68 69 .sp
69 70 .LP
70 71 Each class is represented as a bit in the class mask which is an unsigned
71 72 integer. Thus, there are 32 different classes available. Meta-classes can also
72 73 be defined. These are supersets composed of multiple base classes, and thus
73 74 will have more than 1 bit in its mask. See Examples. Two special meta-classes
74 75 are also pre-defined: \fBall\fR, and \fBno\fR.
75 76 .sp
76 77 .ne 2
77 78 .na
78 79 \fB\fBall\fR\fR
79 80 .ad
80 81 .RS 7n
81 82 Represents a conjunction of all allowed classes, and is provided as a shorthand
82 83 method of specifying all classes.
83 84 .RE
84 85
85 86 .sp
86 87 .ne 2
87 88 .na
88 89 \fB\fBno\fR\fR
89 90 .ad
90 91 .RS 7n
91 92 Is the invalid class, and any event mapped solely to this class will not be
92 93 audited. Turning auditing on to the \fBall\fR meta class will not cause events
93 94 mapped solely to the \fBno\fR class to be written to the audit trail. This
94 95 class is also used to map obsolete events which are no longer generated.
95 96 Obsolete events are retained to process old audit trails files.
96 97 .RE
97 98
98 99 .SH EXAMPLES
99 100 .LP
100 101 \fBExample 1 \fRUsing an \fBaudit_class\fR File
101 102 .sp
102 103 .LP
103 104 The following is an example of an \fBaudit_class\fR file:
104 105
105 106 .sp
106 107 .in +2
107 108 .nf
108 109 0x00000000:no:invalid class
109 110 0x00000001:fr:file read
110 111 0x00000002:fw:file write
111 112 0x00000004:fa:file attribute access
112 113 0x00000008:fm:file attribute modify
113 114 0x00000010:fc:file create
114 115 0x00000020:fd:file delete
115 116 0x00000040:cl:file close
116 117 0x00000100:nt:network
117 118 0x00000200:ip:ipc
118 119 0x00000400:na:non-attribute
119 120 0x00001000:lo:login or logout
103 lines elided
120 121 0x00004000:ap:application
121 122 0x000f0000:ad:old administrative (meta-class)
122 123 0x00070000:am:administrative (meta-class)
123 124 0x00010000:ss:change system state
124 125 0x00020000:as:system-wide administration
125 126 0x00040000:ua:user administration
126 127 0x00080000:aa:audit utilization
127 128 0x00300000:pc:process (meta-class)
128 129 0x00100000:ps:process start/stop
129 130 0x00200000:pm:process modify
131 +0x02000000:sa:SACL-based File Access Auditing
130 132 0x20000000:io:ioctl
131 133 0x40000000:ex:exec
132 134 0x80000000:ot:other
133 135 0xffffffff:all:all classes (meta-class)
134 136 .fi
135 137 .in -2
136 138 .sp
137 139
138 140 .SH FILES
139 141 .ne 2
140 142 .na
141 143 \fB\fB/etc/security/audit_class\fR\fR
142 144 .ad
143 145 .RS 29n
144 146
145 147 .RE
146 148
147 149 .SH ATTRIBUTES
148 150 .LP
149 151 See \fBattributes\fR(5) for descriptions of the following attributes:
150 152 .sp
151 153
152 154 .sp
153 155 .TS
154 156 box;
155 157 c | c
156 158 l | l .
157 159 ATTRIBUTE TYPE ATTRIBUTE VALUE
158 160 _
159 161 Interface Stability See below.
160 162 .TE
161 163
162 164 .sp
163 165 .LP
164 166 The file format stability is Committed. The file content is Uncommitted.
165 167 .SH SEE ALSO
166 168 .LP
167 169 \fBau_preselect\fR(3BSM), \fBgetauclassent\fR(3BSM),
168 170 \fBaudit_event\fR(4), \fBattributes\fR(5)
169 171 .SH NOTES
170 172 .LP
171 173 It is possible to deliberately turn on the \fBno\fR class in the kernel, in
172 174 which case the audit trail will be flooded with records for the audit event
173 175 \fBAUE_NULL\fR.
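Review bot: the added example entry `0x02000000:sa:SACL-based File Access Auditing` is inconsistent in style with the surrounding entries, which all use lowercase descriptions ("file read", "ioctl", "exec"), and the SACL acronym is not explained anywhere in this page; consider `0x02000000:sa:SACL-based file access auditing`, or spell the term out, so the new line matches the existing ones. The mask itself is fine: bit 0x02000000 is not used by any other class or meta-class shown here and is covered by the `all` mask 0xffffffff. Since the DESCRIPTION states that audit_event(4) is updated in conjunction with audit_class, this review should also confirm that audit_event.4 is changed in the same webrev to map the corresponding events to the new `sa` class; that file is not visible here.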
34 lines elided