AUDIT_CLASS(4)                                                  AUDIT_CLASS(4)
NAME
audit_class - audit class definitions
/etc/security/audit_class is a user-configurable ASCII system file that
stores class definitions used in the audit system. Audit events in
audit_event(4) are mapped to one or more of the defined audit classes.
audit_event can be updated in conjunction with changes to audit_class.
See audit_control(4) and audit_user(4) for information about changing
the preselection of audit classes in the audit system. Programs can use
the getauclassent(3BSM) routines to access audit class information.
The fields for each class entry are separated by colons. Each class
entry is a bitmap, and entries are separated from one another by a newline.
Each entry in the audit_class file has the form:
The fields are defined as follows:
Each class is represented as a bit in the class mask, which is an
unsigned integer. Thus, there are 32 different classes available. Meta-
classes can also be defined. These are supersets composed of multiple
base classes, and thus have more than 1 bit in their masks. See Examples.
Two special meta-classes are also pre-defined: all and no.
all    Represents a conjunction of all allowed classes, and is provided
       as a shorthand method of specifying all classes.
no     Is the invalid class, and any event mapped solely to this class
       will not be audited. Turning auditing on to the all meta-class
       will not cause events mapped solely to the no class to be written
       to the audit trail. This class is also used to map obsolete
       events which are no longer generated. Obsolete events are
       retained to process old audit trail files.
Example 1 Using an audit_class File
The following is an example of an audit_class file:
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00001000:lo:login or logout
0x000f0000:ad:old administrative (meta-class)
0x00010000:ss:change system state
0xffffffff:all:all classes (meta-class)
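The following parser is an added example, not part of the original manual page or of Solaris. It reads entries in the layout shown in Example 1, separates base classes from meta-classes by counting mask bits, and reports which base classes a meta-class covers and which of its mask bits no single-bit class in the parsed file defines. The field names mask, name and description, the function names, and the handling of '#' comment lines are assumptions of this example.

```python
# Added example: parse audit_class entries and expand meta-classes.
# Field names (mask, name, description) are inferred from the sample lines.
SAMPLE = """\
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00001000:lo:login or logout
0x000f0000:ad:old administrative (meta-class)
0x00010000:ss:change system state
0xffffffff:all:all classes (meta-class)
"""  # copied from Example 1 on this page

def parse_audit_class(text):
    """Return {name: (mask, description)}; reject malformed entries."""
    classes = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment
            continue
        parts = line.split(":", 2)             # description may contain ':'
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 colon-separated fields")
        mask = int(parts[0], 16)
        if not 0 <= mask <= 0xFFFFFFFF:        # class mask is a 32-bit unsigned int
            raise ValueError(f"line {lineno}: mask does not fit in 32 bits")
        if parts[1] in classes:
            raise ValueError(f"line {lineno}: duplicate class {parts[1]!r}")
        classes[parts[1]] = (mask, parts[2])
    return classes

def is_meta(mask):
    """A meta-class has more than one bit set in its mask."""
    return bin(mask).count("1") > 1

def expand(name, classes):
    """Return (base class names covered by `name`, mask bits with no base class)."""
    mask = classes[name][0]
    base = {n: m for n, (m, _) in classes.items() if bin(m).count("1") == 1}
    members = sorted(n for n, m in base.items() if m & mask)
    undefined = mask
    for m in base.values():
        undefined &= ~m                        # clear every bit a base class owns
    return members, undefined & 0xFFFFFFFF

if __name__ == "__main__":
    parsed = parse_audit_class(SAMPLE)
    for name, (mask, desc) in parsed.items():
        kind = "meta" if is_meta(mask) else "base"
        print(f"{name:4} 0x{mask:08x} {kind}  {desc}")
    print(expand("ad", parsed))
```

A non-zero second value from expand() means the meta-class preselects mask bits that no base class in the parsed file names, which is worth reviewing before relying on that meta-class in audit_control(4) or audit_user(4).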
See attributes(5) for descriptions of the following attributes:
│ ATTRIBUTE TYPE      │ ATTRIBUTE VALUE │
│ Interface Stability │ See below.      │
The file format stability is Committed. The file content is Uncommit‐
SEE ALSO
bsmconv(1M), au_preselect(3BSM), getauclassent(3BSM), audit_control(4),
audit_event(4), audit_user(4), attributes(5)
Part VII, Solaris Auditing, in System Administration Guide: Security
It is possible to deliberately turn on the no class in the kernel, in
which case the audit trail will be flooded with records for the audit
This functionality is available only if Solaris Auditing has been
enabled. See bsmconv(1M) for more information.
Jun 26, 2008 AUDIT_CLASS(4)