|
|
Selectable events are only recorded if they have been selected for auditing. Recording all selectable events provides the highest potential level of security; however, it generally makes the log file grow very rapidly. Through the use of the user-level commands auditset, usermod, and useradd, you can select events specific to your needs.
There are two event keywords, all and none, that enable you to audit every selectable event or none, respectively. When setting the system-wide event mask or a user event mask, the keyword all implies all fixed and selectable events will be recorded, and the keyword none implies only fixed events will be recorded.
The remaining subsections discuss all the selectable events, grouped by functional areas. Information on each event is presented in table format. The tables include the event, a brief description of the event, the name of the command or system call that triggers the event, and an indication if the event may be used for object level auditing.