NEX-13644 File access audit logging
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
Reviewed by: Saso Kiselkov <saso.kiselkov@nexenta.com>
Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
--- old/usr/src/man/man4/audit_class.4.man.txt
+++ new/usr/src/man/man4/audit_class.4.man.txt
1 1 AUDIT_CLASS(4) File Formats and Configurations AUDIT_CLASS(4)
2 2
3 3
4 4
5 5 NAME
6 6 audit_class - audit class definitions
7 7
8 8 SYNOPSIS
9 9 /etc/security/audit_class
10 10
11 11
12 12 DESCRIPTION
13 13 /etc/security/audit_class is a user-configurable ASCII system file that
14 14 stores class definitions used in the audit system. Audit events in
15 15 audit_event(4) are mapped to one or more of the defined audit classes.
16 16 audit_event can be updated in conjunction with changes to audit_class.
17 17 Programs can use the getauclassent(3BSM) routines to access audit class
18 18 information.
19 19
20 20
21 21 The fields for each class entry are separated by colons. Each class
22 22 entry is a bitmap and is separated from each other by a newline.
23 23
24 24
25 25 Each entry in the audit_class file has the form:
26 26
27 27 mask:name:description
28 28
29 29
30 30
31 31 The fields are defined as follows:
32 32
33 33 mask
34 34 class mask
35 35
36 36
37 37 name
38 38 class name
39 39
40 40
41 41 description
42 42 class description
43 43
44 44
45 45
46 46 Each class is represented as a bit in the class mask which is an
47 47 unsigned integer. Thus, there are 32 different classes available. Meta-
48 48 classes can also be defined. These are supersets composed of multiple
49 49 base classes, and thus will have more than 1 bit in its mask. See
50 50 Examples. Two special meta-classes are also pre-defined: all, and no.
51 51
52 52 all
53 53 Represents a conjunction of all allowed classes, and is provided
54 54 as a shorthand method of specifying all classes.
55 55
56 56
57 57 no
58 58 Is the invalid class, and any event mapped solely to this class
59 59 will not be audited. Turning auditing on to the all meta class
60 60 will not cause events mapped solely to the no class to be
61 61 written to the audit trail. This class is also used to map
62 62 obsolete events which are no longer generated. Obsolete events
63 63 are retained to process old audit trails files.
64 64
65 65
66 66 EXAMPLES
67 67 Example 1 Using an audit_class File
68 68
69 69
70 70 The following is an example of an audit_class file:
71 71
72 72
73 73 0x00000000:no:invalid class
74 74 0x00000001:fr:file read
75 75 0x00000002:fw:file write
76 76 0x00000004:fa:file attribute access
77 77 0x00000008:fm:file attribute modify
78 78 0x00000010:fc:file create
79 79 0x00000020:fd:file delete
80 80 0x00000040:cl:file close
81 81 0x00000100:nt:network
82 82 0x00000200:ip:ipc
83 83 0x00000400:na:non-attribute
84 84 0x00001000:lo:login or logout
[84 lines elided]
85 85 0x00004000:ap:application
86 86 0x000f0000:ad:old administrative (meta-class)
87 87 0x00070000:am:administrative (meta-class)
88 88 0x00010000:ss:change system state
89 89 0x00020000:as:system-wide administration
90 90 0x00040000:ua:user administration
91 91 0x00080000:aa:audit utilization
92 92 0x00300000:pc:process (meta-class)
93 93 0x00100000:ps:process start/stop
94 94 0x00200000:pm:process modify
95 + 0x02000000:sa:SACL-based File Access Auditing
95 96 0x20000000:io:ioctl
96 97 0x40000000:ex:exec
97 98 0x80000000:ot:other
98 99 0xffffffff:all:all classes (meta-class)
99 100
100 101
101 102
102 103 FILES
103 104 /etc/security/audit_class
104 105
105 106
106 107
107 108 ATTRIBUTES
108 109 See attributes(5) for descriptions of the following attributes:
109 110
110 111
111 112
112 113
113 114 +---------------------+-----------------+
114 115 | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
115 116 +---------------------+-----------------+
116 117 |Interface Stability | See below. |
117 118 +---------------------+-----------------+
118 119
119 120
120 121 The file format stability is Committed. The file content is
121 122 Uncommitted.
122 123
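Review bot: the new "sa" entry's description ("SACL-based File Access Auditing") breaks the lowercase style every other entry in this example uses ("file read", "ioctl", "administrative (meta-class)"); suggest "SACL-based file access auditing" so the example file stays uniform. Separately, the DESCRIPTION section above still only explains the "all" and "no" meta-classes and says nothing about how a SACL-based class is selected, so a reader of this page has no way to learn what distinguishes "sa" from the ordinary file classes ("fr", "fw", "fa", "fm"); one sentence in DESCRIPTION, or a cross-reference to the page that documents SACL-based file access auditing if one exists in this change, would close that gap.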
[18 lines elided]
123 124 SEE ALSO
124 125 au_preselect(3BSM), getauclassent(3BSM), audit_event(4), attributes(5)
125 126
126 127 NOTES
127 128 It is possible to deliberately turn on the no class in the kernel, in
128 129 which case the audit trail will be flooded with records for the audit
129 130 event AUE_NULL.
130 131
131 132
132 133
133 - March 6, 2017 AUDIT_CLASS(4)
134 + July 10, 2018 AUDIT_CLASS(4)
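Review bot: the SEE ALSO list is left unchanged even though the patch introduces a SACL-based audit class; if a manual page for SACL-based file access auditing exists in this change, add it here (alongside audit_event(4), which is where the new class's event mappings would live) so the cross-reference chain from audit_class(4) is complete. The date bump to July 10, 2018 is the only other change in this hunk and is appropriate.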