Auditable events

Event classes

An event class is a name given to a collection of event types. It lets you refer to a related group of events by a single name. For example, the event class file_make contains the events create, link, mk_node, sym_create, and unlink, which are all the events related to file creation or deletion. Event classes may be used as input to the auditset and auditrpt commands.

Event classes are defined in the /etc/security/audit/classes file. The following is an entry from this file:

   alias file_make
       create link mk_node sym_create unlink
Each line begins with the word alias, followed by the event class name and then by a list of the events that comprise that class. There should be a space between the events listed for the class. A newline ends the list. The entries are similar to those in a .mailrc file.

Site-specific event classes may be added to the /etc/security/audit/classes file. You may edit the file with any standard editor, but do not delete the predefined event classes. There is no limit to the number of event classes that can be defined. It is important to note that not all event types are contained in the predefined event classes. The following are the predefined event classes:


acct
includes the acct_off, acct_sw, and acct_on events.

audit
contains the audit_buf, audit_ctl, audit_dmp, audit_evt, audit_log, and audit_map events. All the events in this class are fixed.

bind_lwp
contains the lwp_bind and lwp_unbind events.

cov_chan
contains the cov_chan1, cov_chan2, cov_chan3, cov_chan4, cov_chan5, cov_chan6, cov_chan7, and cov_chan8 events.

dac
contains the dac_mode, dac_own_grp, file_acct, and ipc_acl events.

device
contains the mount and umount events.

dir_access
contains the access, chg_dir, chg_root, chg_times, status, and sym_status events.

dir_make
contains the link, mk_dir, mk_mld, rm_dir, sym_create, and unlink events.

file_access
contains the access, chg_times, open_rd, open_wr, status, and sym_status events.

file_attr
contains the add_grp, add_usr, add_usr_grp, mod_grp, and mod_usr events. All the events in this class are fixed.

file_make
contains the create, link, mk_node, sym_create, and unlink events.

id_auth
contains the bad_auth, bad_lvl, cron, def_lvl, login, and passwd events.

io_cntl
contains the fcntl and iocntl events.

module
contains the modadm, modload, modpath, and moduload events.

msg
contains the msg_ctl, msg_get, and msg_op events.

path
contains the chg_dir and chg_root events.

printer
contains the cancel_job, lp_admin, lp_misc, page_lvl, prt_job, prt_lvl, and trunc_lvl events.

priv
contains the file_priv and pm_denied events.

process
contains the exec, exit, fork, kill, set_gid, set_grps, set_pgrps, set_sid, and set_uid events.

res_limit
contains the setrlimit and ulimit events.

sched
contains the sched_lk, sched_rt, sched_fp, sched_fc, and sched_ts events.

sem
contains the sem_ctl, sem_get, and sem_op events.

shm
contains the shm_ctl, shm_get, and shm_op events.

sym_link
contains the sym_create and sym_status events.

use_lwp
contains the lwp_create, lwp_exit, and lwp_kill events.
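The entry format described above (an alias line, the class name, then the space-separated event list) is simple enough that a site can check its own edits before relying on them: that the file still parses, that the predefined classes were not deleted, and which event types fall into no class at all. The following is an added example, not SCO's own code or part of the auditset/auditrpt utilities. It assumes that an indented line continues the preceding alias entry (as in the sample entry shown earlier), that a line starting with # is a comment, and that repeated alias lines for the same name merge their event lists; the sample file contents and the site_ipc class are constructed for the example. Only a few of the predefined classes are listed in PREDEFINED; a real check would carry the full list from this page.

```python
"""Parse and sanity-check a classes file in the /etc/security/audit/classes format.

Added example; not SCO's own tooling. Assumptions: indented lines continue the
preceding "alias" entry, "#" begins a comment, repeated alias lines merge.
"""

from typing import Dict, Iterable, List, Set

# Constructed sample in the page's format (not a copy of a real classes file).
SAMPLE_CLASSES = """\
alias file_make
    create link mk_node sym_create unlink
alias device
    mount umount
# site-specific class, constructed for this example
alias site_ipc
    msg_op sem_op shm_op
"""

# A few of the predefined classes from the page; a site edit must not drop these.
PREDEFINED: Dict[str, List[str]] = {
    "file_make": ["create", "link", "mk_node", "sym_create", "unlink"],
    "device": ["mount", "umount"],
    "sym_link": ["sym_create", "sym_status"],
}


def parse_classes(text: str) -> Dict[str, List[str]]:
    """Return {class_name: [event, ...]} from classes-file text."""
    classes: Dict[str, List[str]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank or comment line
        tokens = raw.split()
        if tokens[0] == "alias":
            if len(tokens) < 2:
                raise ValueError(f"line {lineno}: 'alias' without a class name")
            current = tokens[1]
            # events may follow the name on the same line; repeated aliases merge
            classes.setdefault(current, []).extend(tokens[2:])
        elif raw[0] in " \t" and current is not None:
            # indented continuation line: more events for the current class
            classes[current].extend(tokens)
        else:
            raise ValueError(f"line {lineno}: expected 'alias', got {raw!r}")
    return classes


def expand(classes: Dict[str, List[str]], names: Iterable[str]) -> Set[str]:
    """Resolve class names to event types; a name that is not a class is kept as an event."""
    events: Set[str] = set()
    for name in names:
        events.update(classes.get(name, [name]))
    return events


def missing_predefined(classes: Dict[str, List[str]],
                       predefined: Dict[str, List[str]] = PREDEFINED) -> List[str]:
    """Predefined classes that are absent or have lost events after a site edit."""
    problems = []
    for name, events in predefined.items():
        if not set(events) <= set(classes.get(name, [])):
            problems.append(name)
    return sorted(problems)


def unclassified(classes: Dict[str, List[str]], known_events: Iterable[str]) -> List[str]:
    """Event types that belong to no class (the page notes such events exist)."""
    covered = {e for evs in classes.values() for e in evs}
    return sorted(set(known_events) - covered)


if __name__ == "__main__":
    c = parse_classes(SAMPLE_CLASSES)
    print(sorted(expand(c, ["file_make", "device"])))
    print("predefined classes damaged:", missing_predefined(c))
    print("events in no class:", unclassified(c, ["create", "exec", "login"]))
```

Running the module against the constructed sample reports sym_link as a damaged predefined class (it is absent from the sample) and exec and login as events no class covers; pointing parse_classes at the real file is the intended use.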


© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005