Audit Events
Security-relevant system actions can be audited. These auditable actions are defined as audit events. Audit events are listed in the /etc/security/audit_event file. Each auditable event is defined in the file by a symbolic name, an event number, a set of preselection classes, and a short description (see the audit_event(4) man page).
There are several categories of audit events. The primary distinction is between events that are generated by the kernel (called kernel-level events), and events that are generated by applications (called user-level events). Whether the event is generated by the kernel or by a user-level application determines the number range of the event number that identifies the event.
Table 22-2 Audit Event Categories
Number Range | Type of Event | |
|---|---|---|
1-2047 | Kernel-level audit events | |
2048-65535 | User-level audit events | |
| 2048-32767 | Reserved for SunOS user-level programs |
| 32768-65535 | |
Kernel-Level Audit Events
Events that are generated by the kernel (system calls) have event numbers between 1 and 2047. The event names for kernel events begin with AUE_, followed by an uppercase mnemonic for the event. For example, the event number for the creat() system call is 4, and the event name is AUE_CREAT.
User-Level Audit Events
Events that are generated by application software (outside the kernel) range from 2048 to 65535. The event names begin with AUE_, followed by a lowercase mnemonic for the event. For example, the event number for the rlogin command is 6155, and the event name is AUE_rlogin. Table 22-2 shows general categories of user-related events.
Nonattributable Audit Events
Most events are attributable to an individual user, but not all. These events are known as nonattributable events. Events are nonattributable if they occur at the kernel-interrupt level or before a user is identified and authenticated. Nonattributable events are auditable as well. AUE_ENTERPROM (kernel-level event number 153), and AUE_mountd_mount (user-level event number 6156), are examples of nonattributable events. Check the /etc/security/audit_event file for the exact numbers of individual events.
Audit Classes
Each audit event is also defined as belonging to an audit class or classes. By assigning events to classes, you can more easily deal with large numbers of events. When you name a class, you simultaneously address all the events in that class. The mapping of audit events to classes is configurable. These configuration changes can be made in the audit_event file.
Whether an auditable event is recorded in the audit trail depends on whether you preselect a class for auditing that includes the specific event. The are 32 possible audit classes. The classes include the two global classes: all and no. The audit classes are described in Table 25-2.
Audit Flags
Audit flags indicate classes of events to audit. Machine-wide defaults for auditing are specified for all users on each machine by flags in the audit_control file, which is described in "The audit_control File".
You can modify what is audited for individual users by putting audit flags in a user's entry in the audit_user file. The audit flags are also used as arguments to the auditconfig. See the auditconfig(1M) man page.
Audit Records
Each audit record describes the occurrence of a single audited event and includes information such as who did the action, which files were affected, what action was attempted, and where and when the action occurred.
The type of information that is saved for each audit event is defined as a set of audit tokens. Each time an audit record is created for an event, the record contains some or all of the tokens that are defined for it, depending on the nature of the event. You can generate audit record descriptions with the auditlist command. For more information, see "How to Display Audit Record Formats". For a description of the structure of each audit token, see "Audit Token Formats".
Audit records are collected in an audit trail (see the audit.log(4) man page) and can be converted to a readable format by the praudit command (see the praudit(1M) man page). See "The praudit Command" for details.
Audit Directory
An audit directory holds a collection of audit files. Many audit directories are used in a typical installation. The three types of audit directories are as follows:
Primary audit directory - A directory where the audit files for a system are placed under normal conditions.
Secondary audit directory - A directory where the audit files for a system are placed if the primary directory is full or not available.
Directory of last resort - A local audit directory that is used if both the primary audit directory and all secondary audit directories are not available.
Device Allocation
The device-allocation mechanism enables you to restrict use of a device, as well as to erase any leftover data after a device has been used. These actions increase the security of a device. For more information see "Managing Device Allocation" or "Device Allocation Reference".