audit_class.txt revision 45916cd2fec6e79bca5dee0421bd39e3c2910d1e
#
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# ident "%Z%%M% %I% %E% SMI"
#
# User Level Class Masks
#
# Developers: If you change this file you must also edit audit.h.
#
# "Meta-classes" can be created; these are supersets composed of multiple base
# classes, and thus will have more than 1 bit in its mask. See "ad", "all",
# "am", and "pc" below for examples.
#
# The "no" (invalid) class below is commonly (but not exclusively) used in
# audit_event for obsolete events.
#
#
# File Format:
#
# mask:name:description
#
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:file close
0x00000100:nt:network
0x00000200:ip:ipc
0x00000400:na:non-attribute
0x00001000:lo:login or logout
0x00004000:ap:application
0x00010000:ss:change system state
0x00020000:as:system-wide administration
0x00040000:ua:user administration
0x00070000:am:administrative (meta-class)
0x00080000:aa:audit utilization
0x000f0000:ad:old administrative (meta-class)
0x00100000:ps:process start/stop
0x00200000:pm:process modify
0x00300000:pc:process (meta-class)
#
# The following four masks define X server related audit classes which
# are applicable to Trusted Extensions. X server audit events are mapped
# to these classes per the following criteria:
#
# xp : Protocols audited for use of privilege (successful or otherwise).
# E.g., ChangeWindowAttributes is audited when issued by a client to
# change attributes of another client's window. This class also includes
# any administrative protocols (e.g. SetAccessControl).
# xc : Server objects creation/destruction; e.g., CreateWindow.
# xs : Protocols that do not return X error messages to clients on failure for
# lack for security attributes. E.g., GetImage does not return BadWindow
# error if it cannot read from a window for lack of privilege. It just
# does not read from that window.
# These events should be selected for audit on success only. Selecting
# them for failure will cause a lot of noise in the audit trail.
# xx : All above X classes.
#
0x00400000:xp:X - privileged/administrative operations
0x00800000:xc:X - object create/destroy
0x01000000:xs:X - operations that always silently fail, if bad
0x01c00000:xx:X - all X events (meta-class)
#
0x20000000:io:ioctl
0x40000000:ex:exec
0x80000000:ot:other
0xffffffff:all:all classes (meta-class)