0N/A#

1472N/A# Copyright (c) 1992, 2012, Oracle and/or its affiliates. All rights reserved.

0N/A#

0N/A#

0N/A# CDDL HEADER START

0N/A#

0N/A# The contents of this file are subject to the terms of the

0N/A# Common Development and Distribution License (the "License").

0N/A# You may not use this file except in compliance with the License.

0N/A#

0N/A# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE

0N/A# or http://www.opensolaris.org/os/licensing.

0N/A# See the License for the specific language governing permissions

0N/A# and limitations under the License.

0N/A#

0N/A# When distributing Covered Code, include this CDDL HEADER in each

0N/A# file and include the License file at usr/src/OPENSOLARIS.LICENSE.

0N/A# If applicable, add the following below this CDDL HEADER, with the

1472N/A# fields enclosed by brackets "[]" replaced with your own identifying

1472N/A# information: Portions Copyright [yyyy] [name of copyright owner]

1472N/A#

0N/A# CDDL HEADER END

0N/A#

0N/A#

0N/A# Audit Event Class Masks

0N/A#

0N/A# "Meta-classes" can be created; these are supersets composed of multiple base

0N/A# classes, and thus will have more than 1 bit in its mask. See "ad", "all",

0N/A# "am", and "pc" below for examples.

0N/A#

0N/A# The "no" (invalid) class below is commonly (but not exclusively) used in

0N/A# audit_event for obsolete events.

0N/A#

0N/A# The "frcp" class is a reserved name. It will force preselection of

0N/A# any user-land event that is mapped to it. "frcp" is used for events

0N/A# which should always be generated, for example boot messages and

0N/A# events around discontinuity of operation.

0N/A# It must not be renamed. However, the "frcp" value may be changed in a

0N/A# compatible way.

0N/A#

0N/A# The "cusa" meta-class represents a general administrative and system

0N/A# audit group of events particularly recommended to be used with roles.

0N/A# Audit classes covered by "cusa" are: lo, xa, ss, as, ua (am meta-class),

0N/A# ft, ap, ex.

0N/A#

0N/A# Classes matching 0xff00000000000000 are reserved for local site use.

0N/A#

0N/A# File Format:

0N/A#

0N/A# mask:class name:class description

0N/A#

0N/A# Length limits: class name up to 8, class description up to 72 and

# the entire configuration line up to 256 single byte characters.

#

0x0000000000000000:no:invalid class

0x0000000000000001:fr:file read

0x0000000000000002:fw:file write

0x0000000000000004:fa:file attribute access

0x0000000000000008:fm:file attribute modify

0x0000000000000010:fc:file create

0x0000000000000020:fd:file delete

0x0000000000000040:cl:file close

0x0000000000000080:ft:file transfer

0x0000000000000100:nt:network

0x0000000000000200:ip:ipc

0x0000000000000400:na:non-attributed

0x0000000000000800:frcp:forced preselection

0x0000000000001000:lo:login or logout

0x0000000000004000:ap:application

0x0000000000008000:cy:cryptographic

0x0000000000010000:ss:change system state

0x0000000000020000:as:system-wide administration

0x0000000000040000:ua:user administration

0x0000000000070000:am:administrative (meta-class)

0x0000000000080000:aa:audit utilization

0x00000000000f0000:ad:old administrative (meta-class)

0x0000000000100000:ps:process start/stop

0x0000000000200000:pm:process modify

0x0000000000300000:pc:process (meta-class)

0x0000000000400000:xa:X - server access

0x0000000000800000:xp:X - privileged/administrative operations

0x0000000001000000:xc:X - object create/destroy

0x0000000002000000:xs:X - operations that always silently fail, if bad

0x0000000003c00000:xx:X - all X events (meta-class)

0x0000000040000000:io:ioctl

0x0000000080000000:ex:exec

0x0000000080475080:cusa:common user or role activity and sysadmin actions (meta-class)

0x0000000100000000:ot:other

0xffffffffffffffff:all:all classes (meta-class)