'\" te .\" Copyright (c) 2008, 2013, Oracle and/or its affiliates. All rights reserved. .TH audit_event 4 "23 Jan 2012" "SunOS 5.11" "File Formats" .SH NAME audit_event \- audit event definition and class mapping .SH SYNOPSIS .LP .nf \fB/etc/security/audit_event\fR .fi .SH DESCRIPTION .sp .LP \fB/etc/security/audit_event\fR is a user-configurable ASCII system file that stores event definitions used in the audit system. As part of this definition, each event is mapped to one or more of the audit classes defined in \fBaudit_class\fR(4). See \fBauditconfig\fR(1M) and \fBuser_attr\fR(4) for information about changing the preselection of audit classes in the audit system. .sp .LP The fields for each event entry are separated by colons. Each event is separated from the next by a NEWLINE. Each entry in the \fBaudit_event\fR file has the form: .sp .in +2 .nf \fInumber\fR:\fIname\fR:\fIdescription\fR:\fIflags\fR .fi .in -2 .sp .LP The fields are defined as follows: .sp .ne 2 .mk .na \fB\fInumber\fR\fR .ad .RS 15n .rt Event number. .sp Event number ranges are assigned as follows: .sp .ne 2 .mk .na \fB\fB0\fR\fR .ad .RS 15n .rt Reserved as an invalid event number. .RE .sp .ne 2 .mk .na \fB\fB1-2047\fR\fR .ad .RS 15n .rt Reserved for the Solaris Kernel events. .RE .sp .ne 2 .mk .na \fB\fB2048-32767\fR\fR .ad .RS 15n .rt Reserved for the Solaris TCB programs. .RE .sp .ne 2 .mk .na \fB\fB32768-65535\fR\fR .ad .RS 15n .rt Available for third party TCB applications. .sp System administrators must \fBnot\fR add, delete, or modify (except to change the class mapping), events with an event number less than \fB32768\fR. These events are reserved by the system. .RE .RE .sp .ne 2 .mk .na \fB\fIname\fR\fR .ad .RS 15n .rt Event name. .RE .sp .ne 2 .mk .na \fB\fIdescription\fR\fR .ad .RS 15n .rt Event description. .RE .sp .ne 2 .mk .na \fB\fIflags\fR\fR .ad .RS 15n .rt Flags specifying classes to which the event is mapped. Classes are comma separated, without spaces. .sp Obsolete events are commonly assigned to the special class \fBno\fR (invalid) to indicate they are no longer generated. Obsolete events are retained to process old audit trail files. Other events which are not obsolete may also be assigned to the \fBno\fR class. .RE .SH EXAMPLES .LP \fBExample 1 \fRUsing the \fBaudit_event\fR File .sp .LP The following is an example of some \fBaudit_event\fR file entries: .sp .in +2 .nf 7:AUE_EXEC:exec(2):ps,ex 79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw 6152:AUE_login:login - local:lo 6153:AUE_logout:logout:lo 6154:AUE_telnet:login - telnet:lo 6155:AUE_rlogin:login - rlogin:lo .fi .in -2 .sp .SH ATTRIBUTES .sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp .sp .TS tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) . ATTRIBUTE TYPEATTRIBUTE VALUE _ Interface Stability See below. .TE .sp .LP The file format stability is Committed. The file content is Uncommitted. .SH FILES .sp .LP \fB/etc/security/audit_event\fR .SH SEE ALSO .sp .LP \fBauditconfig\fR(1M), \fBaudit_class\fR(4), \fBuser_attr\fR(4) .sp .LP \fIManaging Auditing in Oracle Solaris 11.3\fR .SH NOTES .sp .LP This functionality is available only if Solaris Auditing has been enabled.