'\" te
.\" Copyright (c) 2008, 2000, Oracle and/or its affiliates. All rights reserved. 
.TH audit_class 4 "23 Jan 2012" "SunOS 5.11" "File Formats"
.SH NAME
audit_class \- audit class definitions
.SH SYNOPSIS
.LP
.nf
\fB/etc/security/audit_class\fR
.fi

.SH DESCRIPTION
.sp
.LP
\fB/etc/security/audit_class\fR is an administrator configurable system file that stores class definitions used in the audit system. Audit events in \fBaudit_event\fR(4) are mapped to one or more of the defined audit classes. \fBaudit_event\fR can be updated in conjunction with changes to \fBaudit_class\fR. See \fBauditconfig\fR(1M) and \fBuser_attr\fR(4) for information about changing the preselection of audit classes in the audit system.
.sp
.LP
The fields for each class entry are separated by colons. Each class entry is a bitmap and is separated from each other by a NEWLINE.
.sp
.LP
Each entry in the \fBaudit_class\fR file has the form:
.sp
.in +2
.nf
\fImask\fR:\fIname\fR:\fIdescription\fR
.fi
.in -2

.sp
.LP
The fields are defined as follows:
.sp
.ne 2
.mk
.na
\fB\fImask\fR\fR
.ad
.RS 15n
.rt  
class mask
.RE

.sp
.ne 2
.mk
.na
\fB\fIname\fR\fR
.ad
.RS 15n
.rt  
class name
.RE

.sp
.ne 2
.mk
.na
\fB\fIdescription\fR\fR
.ad
.RS 15n
.rt  
class description
.RE

.sp
.LP
Each class is represented as a bit in the 64 bit class mask. There are 64 different classes available. Meta-classes can also be defined. Meta-classes are supersets composed of multiple base classes, and have more than 1 bit in smask. See \fBEXAMPLES\fR. 
.sp
.LP
Two  special meta-classes are pre-defined: \fBall\fR and \fBno\fR.
.sp
.ne 2
.mk
.na
\fB\fBall\fR\fR
.ad
.RS 7n
.rt  
Represents a conjunction of all allowed classes, and is provided as a shorthand method of specifying all classes.
.RE

.sp
.ne 2
.mk
.na
\fB\fBno\fR\fR
.ad
.RS 7n
.rt  
Is the invalid class, and any event mapped solely to this class are not audited. Turning auditing on to the \fBall\fR meta-class does not cause events mapped solely to the \fBno\fR class to be written to the audit trail. This class is also used to map obsolete events which are no longer generated. Obsolete events are retained to process old audit trails files.
.RE

.sp
.LP
The mask positions \fB0xff00000000000000\fR are reserved for local site use.
.SH EXAMPLES
.LP
\fBExample 1 \fRUsing an \fBaudit_class\fR File
.sp
.LP
The following is an example of an \fBaudit_class\fR file:

.sp
.in +2
.nf
0x0000000000000000:no:invalid class
0x0000000000000001:fr:file read
0x0000000000000002:fw:file write
0x0000000000000004:fa:file attribute access
0x0000000000000008:fm:file attribute modify
0x0000000000000010:fc:file create
0x0000000000000020:fd:file delete
0x0000000000000040:cl:file close
0x0000000000000080:ft:file transfer
0x0000000000000100:nt:network
0x0000000000000200:ip:ipc
0x0000000000000400:na:non-attribute
0x0000000000001000:lo:login or logout
0x0000000000004000:ap:application
0x00000000000f0000:ad:old administrative (meta-class)
0x0000000000070000:am:administrative (meta-class)
0x0000000000010000:ss:change system state
0x0000000000020000:as:system-wide administration
0x0000000000040000:ua:user administration
0x0000000000080000:aa:audit utilization
0x0000000000300000:pc:process (meta-class)
0x0000000000100000:ps:process start/stop
0x0000000000200000:pm:process modify
0x0000000020000000:io:ioctl
0x0000000040000000:ex:exec
0x0000000080000000:ot:other
0xffffffffffffffff:all:all classes (meta-class)
.fi
.in -2
.sp

.SH FILES
.sp
.LP
\fB/etc/security/audit_class\fR
.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
tab() box;
cw(2.75i) |cw(2.75i) 
lw(2.75i) |lw(2.75i) 
.
ATTRIBUTE TYPEATTRIBUTE VALUE
_
Interface Stability  See below.
.TE

.sp
.LP
The file format stability is Committed. The file content is Uncommitted.
.SH SEE ALSO
.sp
.LP
\fBauditconfig\fR(1M), \fBaudit_event\fR(4), \fBuser_attr\fR(4), \fBattributes\fR(5)
.sp
.LP
\fIManaging Auditing in Oracle Solaris 11.3\fR
.SH NOTES
.sp
.LP
Redefining the \fBno\fR class to have a \fBnon-zero\fR value can have undesirable side effects.