audit_event(5)
audit_event(5) File Formats audit_event(5)
NAME
audit_event - audit event definition and class mapping
SYNOPSIS
/etc/security/audit_event
DESCRIPTION
/etc/security/audit_event is a user-configurable ASCII system file that
stores event definitions used in the audit system. As part of this
definition, each event is mapped to one or more of the audit classes
defined in audit_class(5). See auditconfig(8) and user_attr(5) for
information about changing the preselection of audit classes in the
audit system.
The fields for each event entry are separated by colons. Each event is
separated from the next by a NEWLINE. Each entry in the audit_event
file has the form:
event-number:event-name:event-description:event-classes
The fields are defined as follows:
event-number
    Event number. Ranges for event number are assigned as follows:
    0
        Reserved as an invalid event number.
    1-2047
        Reserved for the Solaris Kernel events. The kernel event table,
        and possibly MAX_KEVENTS, must be updated in audit_kevents.h
        when changes are made to kernel events. Allocation of Solaris
        Kernel events:
        0            The kernel event table must start with AUE_NULL
        1-511        Allocated for Solaris
        512-2047     Reserved but not allocated
    2048-65535
        Allocated for user level audit events. Allocation of user level
        audit events:
        2048-5999    Reserved but not allocated
        6000-9999    Allocated for Solaris
        10000-32767  Reserved but not allocated
        32768-65535  Available for third party applications
event-name
    Event name.
event-description
    Event description.
event-classes
    Specifies classes to which the event is mapped. Classes are comma
    separated, without spaces and may be added for any event other than
    those with the no class.
    Obsolete events are commonly assigned to the special class no
    (invalid) to indicate they are no longer generated. Obsolete events
    are retained to process old audit trail files. Other events which
    are not obsolete may also be assigned to the no class.
EXAMPLES
Example 1 Using the audit_event File
The following is an example of some audit_event file entries:
7:AUE_EXEC:exec(2):ps,ex
79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw
6152:AUE_login:login - local:lo
6153:AUE_logout:logout:lo
6154:AUE_telnet:login - telnet:lo
6155:AUE_rlogin:login - rlogin:lo
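The following parser is an added example, not part of the original man page or of Solaris. It splits entries into the four fields described above, labels each event number with its allocation range, and reports malformed entries. It assumes that lines starting with # are comments, and it reads the event-classes text as forbidding other classes alongside no; the myapp entries in the sample are constructed.

```python
RANGES = [  # (low, high, allocation), copied from the event-number ranges above
    (0, 0, "invalid"),
    (1, 511, "kernel, allocated for Solaris"),
    (512, 2047, "kernel, reserved but not allocated"),
    (2048, 5999, "user, reserved but not allocated"),
    (6000, 9999, "user, allocated for Solaris"),
    (10000, 32767, "user, reserved but not allocated"),
    (32768, 65535, "user, available for third party applications"),
]

def allocation(number):
    # Allocation label for an event number, or None if it is outside 0-65535.
    return next((label for lo, hi, label in RANGES if lo <= number <= hi), None)

def parse_entry(line):
    """Parse one entry into a dict; raise ValueError if it is malformed."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 4:
        raise ValueError(f"expected 4 colon-separated fields, got {len(fields)}")
    number, name, description, classes = fields
    if not (number.isascii() and number.isdigit()) or allocation(int(number)) is None:
        raise ValueError(f"event number {number!r} is not in 0-65535")
    class_list = classes.split(",")
    if any(not c or " " in c or "\t" in c for c in class_list):
        raise ValueError(f"classes {classes!r} must be comma separated, without spaces")
    if "no" in class_list and len(class_list) > 1:  # this example's reading of the text
        raise ValueError("an event in the no class cannot carry other classes")
    return {"number": int(number), "name": name, "description": description,
            "classes": class_list, "allocation": allocation(int(number))}

def check(text):
    """Return (entries, problems) for the text of an audit_event file."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):  # assumption: '#' is a comment
            continue
        try:
            entries.append(parse_entry(line))
        except ValueError as err:
            problems.append((lineno, str(err)))
    return entries, problems

# Constructed sample: lines 1-2 are from the entries above, lines 3-5 are made up.
SAMPLE = """7:AUE_EXEC:exec(2):ps,ex
79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw
40000:AUE_myapp_start:myapp - start:lo
40001:AUE_myapp_old:myapp - retired:no,lo
70000:AUE_myapp_bad:myapp - out of range:lo
"""
ENTRIES, PROBLEMS = check(SAMPLE)
```

In the sample, lines 4 and 5 are reported as problems (no combined with another class, and an event number above 65535).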
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
ATTRIBUTE TYPE         ATTRIBUTE VALUE
Interface Stability    See below.
The file format stability is Committed. The file content is
Uncommitted.
FILES
/etc/security/audit_event
SEE ALSO
audit_class(5), user_attr(5), auditconfig(8)
NOTES
This functionality is available only if Solaris Auditing has been
enabled.
For changes to this file to be effective immediately, refresh
svc:/system/auditset:default. For example:
# svcadm refresh svc:/system/auditset:default
Third party developers wishing to use the audit interfaces must contact
the Solaris Audit team through their Oracle representative.
Oracle Solaris 11.4 27 Nov 2017 audit_event(5)