Audit classes and events

Each trusted program must determine the audit class, audit event type, and reason that it uses when it issues audit messages using the auditlog system call.

Each audit event belongs to an audit class. By assigning events to classes, you can deal more effectively with a large number of events. Audit classes are defined in the /etc/security/audit/config file.

The audit class is used to enable and disable the recording of events. If it is important for two events to be separately enabled, these events should not be in the same audit class. However, it is generally a good practice to group events into classes. Normally, each trusted program or set of related trusted programs will reserve one audit class name (or in rare cases, a few audit class names) for its own use.

The system actions that are auditable are defined as audit events in the /etc/security/audit/events file.
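The following check is an added example, not part of the original documentation. It reads the classes stanza of an audit config file and reports event pairs that must be separately enabled but share a class. The stanza layout, the sample text, the MYAPP_* event names and the myapp class are assumptions made for illustration.

```python
import re

# Constructed sample; stanza layout of /etc/security/audit/config is assumed.
# The MYAPP_* events and the "myapp" class are hypothetical.
SAMPLE_CONFIG = """\
start:
        binmode = on

classes:
        general = USER_SU,PASSWORD_Change
        myapp = MYAPP_Start,MYAPP_KeyLoad,MYAPP_Stop

users:
        root = general,myapp
"""

def parse_classes(config_text):
    """Return {class_name: set_of_events} from the 'classes:' stanza only."""
    classes, in_classes = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):      # blank or comment line
            continue
        if re.fullmatch(r"\w+:", line):           # stanza header, e.g. "users:"
            in_classes = (line == "classes:")
            continue
        if in_classes and "=" in line:
            name, events = line.split("=", 1)
            classes[name.strip()] = {e.strip() for e in events.split(",") if e.strip()}
    return classes

def shared_classes(classes, must_separate):
    """Map each event pair that must be independently enabled to the classes holding both."""
    findings = {}
    for a, b in must_separate:
        hits = sorted(c for c, events in classes.items() if a in events and b in events)
        if hits:
            findings[(a, b)] = hits
    return findings

if __name__ == "__main__":
    classes = parse_classes(SAMPLE_CONFIG)
    pairs = [("MYAPP_Start", "MYAPP_KeyLoad"), ("USER_SU", "MYAPP_Stop")]
    for pair, hits in shared_classes(classes, pairs).items():
        print(f"{pair[0]} and {pair[1]} cannot be enabled separately: both in {hits}")
```

A finding means the two events can only be switched on or off together through that class, so one of them needs a class of its own.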