Event classes
An event class is a name given to a collection of event types. An event class allows you to refer to a related group of events with a single name. For example, the event class file_make contains the events create, link, mk_node, sym_create, and unlink, which are all the events related to file creation or deletion. Event classes may be used as input to the auditset and auditrpt commands.
Event classes are defined in the /etc/security/audit/classes file. The following is an entry from this file:

    alias file_make create link mk_node sym_create unlink
Each line begins with the word alias, followed by the event class name and then by a list of the events that comprise that class. The events listed for the class are separated by spaces, and a newline ends the list. The entries are similar to those in a .mailrc file.

Site-specific event classes may be added to the /etc/security/audit/classes file. You may edit the file with any standard editor, but do not delete the predefined event classes. There is no limit to the number of event classes that can be defined. Note that not all event types are contained in the predefined event classes.
The following are the predefined event classes:

acct - includes the acct_off, acct_sw, and acct_on events.

audit - contains the audit_buf, audit_ctl, audit_dmp, audit_evt, audit_log, and audit_map events. All the events in this class are fixed.

bind_lwp - contains the lwp_bind and lwp_unbind events.

cov_chan - contains the cov_chan1, cov_chan2, cov_chan3, cov_chan4, cov_chan5, cov_chan6, cov_chan7, and cov_chan8 events.

dac - contains the dac_mode, dac_own_grp, file_acct, and ipc_acl events.

device - contains the mount and umount events.

dir_access - contains the access, chg_dir, chg_root, chg_times, status, and sym_status events.

dir_make - contains the link, mk_dir, mk_mld, rm_dir, sym_create, and unlink events.

file_access - contains the access, chg_times, open_rd, open_wr, status, and sym_status events.

file_attr - contains the add_grp, add_usr, add_usr_grp, mod_grp, and mod_usr events. All the events in this class are fixed.

file_make - contains the create, link, mk_node, sym_create, and unlink events.

id_auth - contains the bad_auth, bad_lvl, cron, def_lvl, login, and passwd events.

io_cntl - contains the fcntl and iocntl events.

module - contains the modadm, modload, modpath, and moduload events.

msg - contains the msg_ctl, msg_get, and msg_op events.

path - contains the chg_dir and chg_root events.

printer - contains the cancel_job, lp_admin, lp_misc, page_lvl, prt_job, prt_lvl, and trunc_lvl events.

priv - contains the file_priv and pm_denied events.

process - contains the exec, exit, fork, kill, set_gid, set_grps, set_pgrps, set_sid, and set_uid events.

res_limit - contains the setrlimit and ulimit events.

sched - contains the sched_lk, sched_rt, sched_fp, sched_fc, and sched_ts events.

sem - contains the sem_ctl, sem_get, and sem_op events.

shm - contains the shm_ctl, shm_get, and shm_op events.

sym_link - contains the sym_create and sym_status events.

use_lwp - contains the lwp_create, lwp_exit, and lwp_kill events.
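The classes file format described above (one "alias <class> <events...>" line per class, space-separated, newline-terminated) and the list of predefined classes lend themselves to a small integrity check. The following is an added example, not code from the SCO OpenServer documentation or tools: it parses classes-file text, expands class names to event types the way you would before handing them to auditset, reports events that belong to more than one class (such as link, sym_create and unlink, which sit in both file_make and dir_make), and lists any predefined class that a site edit has dropped. The sample file content is constructed (three classes from the text plus a hypothetical site_web class); skipping blank lines and rejecting duplicate aliases are this example's own assumptions.

```python
"""Parse an /etc/security/audit/classes-style file and sanity-check it.

Added example. The line format follows the documentation text; blank-line
handling, error handling and the check functions are assumptions of this
example and are not part of the SCO audit tools.
"""
from collections import defaultdict

# Predefined event classes as listed in the documentation. A site-specific
# edit of the classes file must leave all of these in place.
PREDEFINED_CLASSES = (
    "acct", "audit", "bind_lwp", "cov_chan", "dac", "device", "dir_access",
    "dir_make", "file_access", "file_attr", "file_make", "id_auth", "io_cntl",
    "module", "msg", "path", "printer", "priv", "process", "res_limit",
    "sched", "sem", "shm", "sym_link", "use_lwp",
)

# Constructed sample: three predefined classes taken from the text plus one
# hypothetical site-specific class (site_web is not a real SCO class).
SAMPLE_CLASSES = """\
alias file_make create link mk_node sym_create unlink
alias dir_make link mk_dir mk_mld rm_dir sym_create unlink
alias sym_link sym_create sym_status

alias site_web open_rd open_wr exec
"""


def parse_classes(text):
    """Return {class_name: [event, ...]} from classes-file text.

    Blank lines are skipped (an assumption). Every other line must begin
    with the word "alias", then a class name, then at least one event,
    all separated by whitespace. A class defined twice is an error rather
    than a silent merge, so an accidental duplicate does not hide events.
    """
    classes = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields:
            continue
        if fields[0] != "alias" or len(fields) < 3:
            raise ValueError(
                f"line {lineno}: expected 'alias <class> <event>...', got {raw!r}")
        name, events = fields[1], fields[2:]
        if name in classes:
            raise ValueError(
                f"line {lineno}: event class {name!r} defined more than once")
        classes[name] = events
    return classes


def expand_classes(classes, names):
    """Resolve class names (as you would pass to auditset) to the sorted
    set of event types they cover. An unknown class name raises KeyError."""
    events = set()
    for name in names:
        events.update(classes[name])
    return sorted(events)


def events_in_multiple_classes(classes):
    """Map each event found in more than one class to the sorted list of
    those classes. Selecting one class can pull in events you thought of
    as belonging to another, so this overlap is worth knowing."""
    owners = defaultdict(set)
    for name, events in classes.items():
        for event in events:
            owners[event].add(name)
    return {e: sorted(c) for e, c in owners.items() if len(c) > 1}


def missing_predefined(classes):
    """Predefined class names absent from the parsed file, i.e. classes a
    site edit must not have deleted."""
    return sorted(set(PREDEFINED_CLASSES) - set(classes))


if __name__ == "__main__":
    parsed = parse_classes(SAMPLE_CLASSES)
    print("file_make + sym_link ->", expand_classes(parsed, ["file_make", "sym_link"]))
    print("events in more than one class:", events_in_multiple_classes(parsed))
    print("predefined classes missing from sample:", len(missing_predefined(parsed)))
```

Run against the real /etc/security/audit/classes (read the file and pass its text to parse_classes) after any site edit; a non-empty result from missing_predefined means a predefined class was removed and should be restored.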
© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005